Integration of Post-Quantum Cryptography in the Keylime Agent for Quantum-Safe Remote Attestation

In recent years, Post-Quantum Cryptography (PQC) has gained considerable interest. This is mainly driven by the rapid development of Quantum Computing technologies, that are continuously improving the performance. This rapid development is threatening most of the current security methodologies, because they are largely based on classical crypto systems. For this reason, the transition from classical cryptography to PQC is becoming paramount, as the threat of quantum computers is not yet present but is expected in the very near future. This is necessary for a wide range of devices, ranging from cloud to IoT scenarios. The latter has more criticalities in performing this transition, due to the resource-constrained nature of the deployed devices. Several standardisation organisations are publishing their guideline for the adoption of PQC, based on different parameters such as the scenario and the security level. A specific security aspect that is largely affected by the threat of quantumcomputers is integrity verification. This is a set of techniques that aim to verify and enforce that a specific device behaves as intended. Being largely based on cryptographic operations, especially the Remote Attestation process, the transition to PQC is crucial. In this paper, we present the integration of PQC, specifically the ML-DSA algorithm, into the Keylime framework for remote attestation. In particular, we present the integration of PQC in the Keylime Agent, which is the most crucial component, as it is deployed in untrusted environments and on various devices with differing computational resources. We also propose a deployment architecture based on the Arm TrustZone TEE technology, exploiting the OP-TEE framework as trusted operating system, integrating an ML-DSA-enabled firmware TPM implementation for PQ remote attestation