English

Enforcing Attestable Workflows across Untrusted Networks

Cryptography and Security 2026-05-12 v1 Distributed, Parallel, and Cluster Computing

Abstract

Confidential high-performance computing orchestrates workloads across federated domains, yet existing frameworks rely on high-overhead user-space library operating systems or assume single-host execution. We propose \codename, an architecture federating Trusted Execution Environments via a split Trusted Computing Base (TCB) design. It couples a hardware-isolated Control Plane executing Mutually Attested Key Exchange (\make) with a measured guest-resident extended Berkeley Packet Filter (eBPF) Data Plane. By anchoring cryptographic key release to hardware measurements and executing enforcement in the kernel, \codename\ achieves native-speed encrypted routing. Empirical evaluation demonstrates a steady-state enforcement cost of 6μ6\,\mus per packet, imposing a 1313--15μ15\,\mus absolute latency overhead. On distributed pipelines, \codename\ incurs just a 6.1%6.1\% execution penalty over plaintext baselines, bypassing the 62%62\% penalty of user-space counterparts. The system initializes a 100-node cluster in under 1.5 seconds, providing an efficient confidential interconnect for long-running workflows.

Keywords

Cite

@article{arxiv.2605.09297,
  title  = {Enforcing Attestable Workflows across Untrusted Networks},
  author = {Hung Dang and Tue Nguyen},
  journal= {arXiv preprint arXiv:2605.09297},
  year   = {2026}
}
R2 v1 2026-07-01T13:01:10.328Z