Remote attestation

1 . A method of verifying integrity of a remote device, the method comprising: generating a first nonce value; transmitting the first nonce value; receiving a message from the remote device, the message comprising measurements of a configuration of the remote device and a cryptographic signature based on a private key of a public-private key pair of the remote device and a second nonce value; determining that the second nonce value was generated based on the first nonce value; and verifying the cryptographic signature based on the second nonce value and a public key of the public-private key pair of the remote device. 2 . The method of claim 1 , further comprising determining whether the remote device can be trusted based on the measurements and successfully verifying the cryptographic signature. 3 . The method of claim 1 , wherein transmitting the first nonce value further comprises broadcasting the first nonce value to a plurality of verifying devices, the method further comprising: receiving a plurality of third nonce values from the plurality of verifying devices; generating a fourth nonce value based on the plurality of third nonce values and the first nonce value; and wherein determining the second nonce value was generated based on the first nonce value comprises determining that the second nonce value and the fourth nonce value are the same. 4 . The method of claim 3 , further comprising transmitting a request for measurements of the configuration of the remote device to the remote device, the request comprising the fourth nonce value. 5 . The method of claim 3 , wherein generating the fourth nonce value comprises calculating the fourth nonce value from the plurality of third nonce values and the first nonce value using a collision resistant cryptographic function. 6 . The method of claim 3 , further comprising: generating a first commitment value based on the first nonce value; prior to broadcasting the first nonce value: broadcasting the first commitment value to the plurality of verifying devices; and receiving a plurality of second commitment values from the plurality of verifying devices, each second commitment value based on one of the third nonce values; and the method further comprising verifying the second commitment values based on the received third nonce values. 7 . The method of claim 1 , wherein transmitting the first nonce value comprises transmitting the first nonce value to an accumulator manager and wherein receiving the message from the remote device comprises receiving the message from the remote device via the accumulator manager. 8 . The method of claim 7 , further comprising: receiving the second nonce value from the accumulator manager; receiving a witness value from the accumulator manager; and wherein determining that the second nonce value was generated based on the first nonce value further comprises verifying that the second nonce was generated based on the first nonce based on the witness value. 9 . A method of generating an integrity challenge, the method comprising: for each of a plurality of verifying devices, receiving a first nonce value; generating a second nonce value based on the first nonce values; generating a request for integrity measurements from an attestor device, the request comprising the second nonce value; and forwarding cryptographically signed integrity measurements provided by the attestor device to the plurality of verifying devices. 10 . The method of claim 9 , wherein the method is performed by the attestor device. 11 . The method of claim 9 , further comprising: for each of the plurality of verifying devices: generating a witness value based on the second nonce value and the first nonce value received from that verifying device; and providing the second nonce value and the witness value to the verifying device. 12 . A non-transitory computer readable medium comprising instructions that when executed on a computing device, cause the computing device to: generate a random number; transmit the random number; receive an attestation message from a remote device, the attestation message comprising integrity measurements of the remote device and a cryptographic signature based on a private key of a public-private key pair of the remote device and a challenge value; verify the cryptographic signature based on the challenge value and a public key of the public-private key pair of the remote device; determine that the challenge value was generated based on the random number; and in response to determining that the challenge value was generated based on the random number and successfully verifying the cryptographic signature, determine whether the remote device can be trusted based on the integrity measurements. 13 . The non-transitory machine readable medium of claim 12 , wherein the instructions are further to, when executed on the computing device, cause the computing device to: broadcast the random number to a plurality of verifying devices; for each of the plurality of verifying devices, receive a respective second random number from that verifying device; calculate a second challenge value using a deterministic function based on the random number and the received second random numbers; and wherein the determination that the challenge value was generated based on the random number comprises determining that the challenge value is equal to the second challenge value. 14 . The non-transitory machine readable medium of claim 13 , wherein the instructions are further to, when executed on the computing device, cause the computing device to: generate a first commitment value based on the random number; broadcast the first commitment value to the plurality of verifying devices prior to broadcasting the first random number; receive a plurality of second commitment values from the plurality of verifying devices, each second commitment value based on the respective second random number, prior to transmitting the random number; and determine for each verifying device that the second commitment value received from that verifying device is based on the second random number. 15 . The non-transitory machine readable medium of claim 12 , wherein the random number is transmitted to an accumulator manager and wherein the instructions are further to, when executed on the computing device, cause the computing device to: receive the challenge value from the accumulator manager; receive a witness value from the accumulator manager, the witness value based on the random number and the challenge value; and wherein the determination that the challenge value was generated based on the random number is further based on the received witness value.