Subversion resilient attestation for trusted execution environments

What is claimed is: 1. A computer-implemented method comprising: receiving, with an intermediate processing system, an original message from a trusted execution environment, the original message comprising an original digital signature authored by the trusted execution environment; computing, with the intermediate processing system, a zero-knowledge proof of knowledge for the original digital signature without accessing a private key and without accessing a share of a private key; and modifying the original message by replacing the original digital signature with the proof of knowledge, wherein the method further comprises: receiving a request for remote attestation of a reference binary from a remote verifier; calculating, with the trusted execution environment and in response to the remote attestation request, the original digital signature based on the reference binary, wherein the original digital signature comprises an original revocation token and the modifying of the original message comprises replacing the original revocation token with a randomized revocation token; and transmitting, to the verifier, the modified original message comprising the proof of knowledge and the randomized revocation token. 2. The method of claim 1 , wherein the original message comprises the original revocation token prepared by the trusted execution environment and the method comprises: randomizing the original revocation token; modifying the original message by replacing the original revocation token with the randomized revocation token. 3. The method of claim 2 , wherein the original message comprises a destination address and the method comprises transmitting the modified message to the destination address. 4. The method of claim 3 , further comprising randomly selecting a parameter, wherein the original revocation token is randomized by modifying one or more fields of the original revocation token based on a randomly selected parameter. 5. The method of claim 4 , wherein the trusted execution environment locally stores a trusted private key, the trusted execution environment authors the original digital signature with the trusted private key, and the randomized revocation token includes parameters sufficient to revoke the trusted private key. 6. The method of claim 1 , wherein a host processing system comprises the intermediate processing system and the trusted execution environment, and the intermediate processing system performs the receiving, the computing, and the modifying. 7. The method of claim 1 , comprising: deploying the reference binary in the trusted execution environment based on the received request from the remote verifier. 8. The method of claim 7 , wherein the original message comprises a digest computed by the trusted execution environment based on the reference binary. 9. The method of claim 8 , wherein the digest comprises a hash of the reference binary. 10. The method of claim 1 , wherein the original digital signature cannot be derived from the proof of knowledge. 11. A processing system comprising: one or more hardware processors configured to: receive an original message from a trusted execution environment, the original message comprising an original digital signature authored by the trusted execution environment; compute a zero-knowledge proof of knowledge for the original digital signature such that the proof of knowledge is computed without accessing a private key and without accessing a share of a private key; and modify the original message by replacing the original digital signature with the proof of knowledge wherein the one or more processors are further configured to: receive a request for remote attestation of a reference binary from a remote verifier; calculate, within the trusted execution environment and in response to the remote attestation request, the original digital signature based on the reference binary, wherein the original digital signature comprises an original revocation token and the one or more processors are configured to modify the original message by replacing the original revocation token with a randomized revocation token; and transmit, to the verifier, the modified original message comprising the proof of knowledge and the randomized revocation token. 12. The processing system of claim 11 , comprising an intermediate processing system and the trusted execution environment, wherein at least one of the intermediate processing system and the trusted execution environment comprise the one or more processors. 13. A non-transitory computer-readable medium comprising code for configuring one or more processors to: receive an original message from a trusted execution environment, the original message comprising an original digital signature authored by the trusted execution environment; compute a zero-knowledge proof of knowledge for the original digital signature such that the proof of knowledge is computed without considering a private key and without considering a share of a private key; and modify the original message by replacing the original digital signature with the proof of knowledge, wherein the non-transitory computer-readable medium further comprises code for configuring the one or more processors to: receive a request for remote attestation of a reference binary from a remote verifier; calculate, within the trusted execution environment and in response to the remote attestation request, the original digital signature based on the reference binary, wherein the original digital signature comprises an original revocation token and the code for modifying the original message comprises code for configuring the one or more processors to replace the original revocation token with a randomized revocation token; and transmit, to the verifier, the modified original message comprising the proof of knowledge and the randomized revocation token. 14. The processing system of claim 11 , wherein the original digital signature cannot be derived from the proof of knowledge.