Cyberspace is a fragile construct threatened by malicious cyber operations of different actors, with vulnerabilities in IT hardware and software forming the basis for such activities, thus also posing a threat to global IT security. Advancements in the field of artificial intelligence accelerate this development, either with artificial intelligence enabled cyber weapons, automated cyber defense measures, or artificial intelligence-based threat and vulnerability detection. Especially state actors, with their long-term strategic security interests, often stockpile such knowledge of vulnerabilities and exploits to enable their military or intelligence service cyberspace operations. While treaties and regulations to limit these developments and to enhance global IT security by disclosing vulnerabilities are currently being discussed on the international level, these efforts are hindered by state concerns about the disclosure of unique knowledge and about giving up tactical advantages. This leads to a situation where multiple states are likely to stockpile at least some identical exploits, with technical measures to enable a depletion process for these stockpiles that preserve state secrecy interests and consider the special constraints of interacting states as well as the requirements within such environments being non-existent. This paper proposes such a privacy-preserving approach that allows multiple state parties to privately compare their stock of vulnerabilities and exploits to check for items that occur in multiple stockpiles without revealing them so that their disclosure can be considered. We call our system ExTRUST and show that it is scalable and can withstand several attack scenarios. Beyond the intergovernmental setting, ExTRUST can also be used for other zero-trust use cases, such as bug-bounty programs.

翻译：网络空间是一个脆弱的构造，受到不同行为体恶意网络行动的威胁，而IT硬件与软件中的漏洞构成了此类活动的基础，从而也对全球IT安全构成威胁。人工智能领域的进步加速了这一发展——无论是通过人工智能赋能的网络武器、自动化网络防御措施，还是基于人工智能的威胁与漏洞检测。尤其是国家行为体，基于其长期战略安全利益，往往囤积此类漏洞与利用知识，以支撑其军事或情报部门的网络空间行动。尽管国际层面正在讨论通过披露漏洞来限制这些发展并增强全球IT安全的条约与法规，但这些努力因国家担忧其独特知识泄露及放弃战术优势而受阻。这导致多国可能至少囤积部分相同的利用手段，但当前尚不存在既能维护国家保密利益、又考虑交互国家特殊约束及此类环境要求的技术措施来推动这些库存的消减流程。本文提出一种隐私保护方法，使多方国家能够在私有状态下比对各自持有的漏洞与利用库存，以检测多库存中共同存在的项目，同时避免泄露具体内容，从而可考虑对这些项目进行披露。我们称该系统为ExTRUST，并证明其具有可扩展性且能抵御多种攻击场景。除政府间场景外，ExTRUST还可应用于其他零信任用例，例如漏洞奖励计划。