🤖 AI Summary
This work addresses the operational complexity and inflexibility of traditional zero-trust architectures, which rely on edge gateways to enforce authorization policies. The authors propose a novel paradigm that shifts policy evaluation to the client side using a zero-knowledge virtual machine (zkVM) to execute authorization logic and generate succinct cryptographic proofs. Edge devices then only need to verify these proofs efficiently, enabling zero-trust enforcement even in resource-constrained environments. This approach, the first to apply zkVMs to remote authorization, decouples policy and identity scheme evolution from edge infrastructure, eliminating the need for gateway updates or specialized deployments. Built on the RISC Zero zkVM, the system compiles XACML 3.0 policies into Rust code and optimizes JWT parsing and regular expression matching. The prototype supports 83% of XACML 3.0 use cases, with proof generation taking tens of seconds and verification completing in tens of milliseconds—meeting edge performance requirements.
📝 Abstract
Modernizing the security of operational technology systems that control critical infrastructure has become a pressing challenge. Because edge devices have limited capabilities, modernization has relied on application gateways that interface with identity management systems and enforce access policies. These gateways are powerful enough to perform complex authorization decisions and support zero-trust architectures, but they create major deployment and management burdens: they must be collocated with remote, distributed edge devices, kept up to date with security patches, and managed with minimal downtime.
We propose Provable Remote Execution of Zero-Trust Authorization (Prezta), an architecture that eliminates these gateways by evaluating policies within a zero-knowledge virtual machine (zkVM) running on the client. The zkVM produces a succinct proof of authorization that edge devices can verify efficiently, extending the zero-trust security envelope to the edge. Policies and identity management schemes can evolve without updating edge devices.
To demonstrate the feasibility of Prezta, we implement a prototype built using the RISC Zero zkVM that supports XACML 3.0 policies and JWT identity claims. While zkVMs introduce substantial proof overhead, we mitigate this overhead by compiling policies to Rust code and precompiling regular expressions. Combined with optimized signature verification and JWT parsing, these measures reduce prover time by more than an order of magnitude. Our compiler correctly implements 83\% of the XACML 3.0 conformance suite, with proof generation completing in tens of seconds on a desktop. Verification, by contrast, takes only tens of milliseconds, which is fast enough for resource-constrained edge devices.