Robotics / Platform
Platform

The RankShield Robotics Platform: Robot Identity, Pre-Actuation Authorization, and Attested Provenance

A robot attestation platform issues each robot a cryptographic identity, authorizes every high-consequence action before the actuator moves, and records a tamper-evident receipt of what happened. RankShield Robotics does this as a standards-native layer built on IETF RATS, it verifies robots and their actions; it does not replace your controller, ROS stack, or middleware.

RANKSHIELD NETWORK
ACTION AUTHORIZATIONsealed 0
arm.move · cell-7verified ✓
authorized · 0x9f2a4c1be
payload.actuateverified ✓
✕ denied · unsigned · 0x71c0e83a
firmware.stateverified ✓
attested · 0x3d77be21
DEMONSTRATION · PRE-ACTUATION GATE → SEALING → VERIFIED

Key takeaways

What are the components of a robot attestation platform?

A robot attestation platform answers three questions continuously: is this really the robot it claims to be, is this action allowed right now, and can we prove what it did? RankShield Robotics answers them with four interlocking components that sit in front of and alongside your existing robot stack.

  • Per-robot identity. Each robot receives a unique cryptographic identity rooted in a hardware element, not a shared factory key. This is the anchor everything else is bound to.
  • Pre-actuation authorization gate. A deny-by-default policy decision that runs at the perception-to-action boundary, after the model or operator decides, but before the actuator moves.
  • Firmware and policy attestation. Using the IETF RATS model, the robot proves its running build and policy match a signed reference, or it is quarantined.
  • Tamper-evident action provenance. Every action and its verdict is written to an append-only transparency log and returned as a verifiable receipt.

None of these require you to change how the robot perceives, plans, or moves. RankShield is an overlay: it consumes command and telemetry streams, issues identities, and enforces authorization. That is what makes it deployable across a mixed-vendor fleet rather than a single robot model.

How does per-robot cryptographic identity get issued?

Identity is issued during enrollment and bound to a hardware root of trust on the robot. Instead of a password or a shared key baked into a firmware image, the pattern that made the 2025 UniPwn humanoid exploit wormable, each robot generates or receives a private key it never exports, and RankShield registers the corresponding public key as that robot's verifiable identity.

Enrollment records the robot's model, its attestation evidence, and a post-quantum public key (composite ML-DSA). From that point, any command claiming to come from the robot must carry a signature only that robot could produce. Because no two robots share a key, a cloned or counterfeit robot is detectable the moment it tries to act: its signature will not verify against any enrolled identity, and the gate denies it. Identity survives firmware updates because it is anchored below the application layer, and it can be revoked instantly if a robot is lost, stolen, or compromised.

How does the pre-actuation authorization gate decide?

The gate evaluates every high-consequence command against a deny-by-default policy before the actuator moves, and it fails closed. A command is authorized only when four conditions hold: the robot's signature is valid, the robot is enrolled and active, its dead-man liveness is fresh, and the specific action is permitted by policy for that robot's role and context.

This ordering is the point. Detection tools watch for bad behavior after it happens; the gate prevents an unauthorized physical action from happening at all. It is also why attestation neutralizes prompt injection against vision-language-action models: even if an attacker fools the model with a doctored sign or object, the resulting actuation command still has to pass the gate. If the command is out of policy, say, a force or a region the robot is not authorized for, it is denied, and the denial is itself recorded. High-risk actions can additionally require human-in-the-loop confirmation or M-of-N authorization.

What is a tamper-evident action receipt?

A tamper-evident action receipt is a cryptographic record that a specific robot took (or was denied) a specific action at a specific time, sealed so it cannot be altered after the fact. Each action becomes a leaf in an append-only Merkle transparency log built on the RFC 6962 standard used for certificate transparency. The receipt includes an inclusion proof, mathematical evidence that the record exists at a fixed position in the log, which anyone can verify without trusting RankShield.

This is the difference between a log and a proof. A conventional robot log can be edited by whoever compromised the robot; a transparency-log receipt cannot be changed without breaking the chain, and independent witnesses can co-sign the log's state. That makes the receipt usable as forensic and compliance evidence, for incident reconstruction after a hijack, for regulators asking you to prove a robot acted within policy, and for insurers who want verifiable posture rather than a self-attested checklist.

How does the platform verify firmware with RATS and EAT?

RankShield acts as an IETF RATS verifier: the robot (the attester) presents signed evidence about its firmware and policy state, and the platform appraises it against known-good reference values before the robot is trusted. Evidence is conveyed as an Entity Attestation Token (EAT) and rooted in the robot's hardware. If the running build has been tampered with, downgraded to a vulnerable version, or its policy has drifted, appraisal fails and the robot is quarantined from privileged actions and, optionally, from the network.

Mapping the platform to the RATS attester / verifier / relying-party roles is deliberate. It means the trust decisions are expressed in a standards vocabulary auditors already recognize, and it lets RankShield interoperate with hardware roots of trust (TPM, DICE, secure elements) rather than reinventing them. See RATS firmware attestation for robots for the full flow.

How does it integrate without replacing my robot stack?

RankShield integrates as a layer above your middleware and below your actuators, it complements ROS 2, SROS2, DDS-Security, and any detection tooling you already run. SROS2 and DDS-Security authenticate participants and encrypt topics; they do not authorize individual physical actions or emit verifiable receipts. RankShield adds exactly that missing layer, so the two are complementary rather than competing.

A typical integration issues identities to the fleet, places the authorization gate in front of high-consequence actuation commands, and streams action receipts to the transparency log. For robot makers, the same capabilities are available as an embeddable SDK so security ships secure-by-design; for operators, it deploys as a fleet-wide identity and policy plane across vendors. A pilot typically covers identity, the gate, and provenance on a bounded set of robots within weeks.

Honest scope: RankShield authorizes the command path and proves what happened. It does not replace a functional-safety e-stop, it cannot see raw sensor truth (it can sign a reading's provenance, not certify a spoofed LiDAR return is fake), and it constrains the action a manipulated model produces rather than the model's internal reasoning. It works only when it sits in front of the actuator.

Frequently asked questions

Is a robot attestation platform the same as robot antivirus or EDR?

No. Endpoint detection watches a robot and raises alerts after suspicious behavior. An attestation platform is preventive: it authorizes each action before motion and produces a tamper-evident receipt. They are complementary, attestation adds the verifiable authorization and provenance layer that detection does not provide.

Does the authorization gate add latency to real-time control?

The gate targets high-consequence actuation commands, not every low-level control-loop tick. Signature verification and policy evaluation are fast, and the design keeps the gate off the tightest real-time paths so safety-rated control timing is preserved.

Which cryptography does the platform use?

Per-robot identity and action signing use post-quantum schemes (composite ML-DSA, with SLH-DSA available), so credentials on a robot with a 10-to-15-year service life are not exposed to harvest-now-decrypt-later attacks. Provenance uses an RFC 6962 Merkle transparency log.

Do I have to replace ROS 2 or my controller?

No. RankShield layers above ROS 2 / SROS2 / DDS and below the actuators. It complements middleware security and detection tools rather than replacing your robot stack.

Which standards does the platform align to?

IETF RATS (remote attestation), RFC 6962 (transparency log), NIST FIPS 204/205 (post-quantum signatures), and it generates evidence relevant to ISO 10218:2025, IEC 62443, and the EU Machinery Regulation 2023/1230.

Keep exploring

See the platform on your robots.

Identity, the authorization gate, and verifiable provenance, deployed on a bounded set of robots in weeks.

Request early access