Towards Stateless Post-Quantum Remote Attestation for IoT Using TPM and DICE

Remote attestation is a cornerstone of Trusted Computing, ensuring the integrity and trustworthiness of devices in diverse environments, ranging from resource-constrained IoT nodes to cloud-based virtual machines (VMs). The two predominant attestation technologies, the Trusted Platform Module (TPM) and the Device Identifier Composition Engine (DICE), provide strong security guarantees but often rely on stateful challenge-response models. These models introduce scalability challenges, particularly in large-scale Internet of Things (IoT) and smart metering deployments.This paper presents a powerful stateless post-quantum remote attestation approach for IoT devices, leveraging authenticated and encrypted (AEAD) challenges within TPM and DICE-based attestation. The stateless approach effectively limits replay attacks to a short validity window, even in environments where IoT devices lack real-time clocks, and enables robust integrity and trust verification across dynamic network topologies, by avoiding the downsides of other freshness concepts for remote attestation.Furthermore, this paper presents a performance evaluation of suitable post-quantum cryptography (PQC) algorithms across five heterogeneous hardware platforms, ranging from high-end laptops to constrained IoT devices, to present a recommendation to the reader, thereby illustrating the continued utility of remote attestation on IoT devices in the future.Our findings suggest that stateless post-quantum remote attestation can enhance security and scalability in IoT environments, by reducing overhead from storage of nonces making it a compelling alternative to traditional challenge-response models.