ESP32-S3 Introduces Post-Quantum Encryption via Aethyr Edge Node Open-Source Firmware


Aethyr Research Unveils Post-Quantum Encrypted IoT Firmware for ESP32-S3

Aethyr Research has unveiled cutting-edge post-quantum encrypted firmware for Internet of Things (IoT) edge nodes targeting the ESP32-S3 architecture.

This firmware is notable for its rapid boot time of merely 2.1 seconds, while facilitating comprehensive post-quantum cryptography (PQC) handshakes within a commendable 35 milliseconds.

The rise of quantum computing forces a reevaluation of traditional public-key algorithms such as RSA and ECC, which can be broken within hours to days by Shor's algorithm once a sufficiently powerful quantum computer exists.

Recognizing the urgency of this transition, Google has proposed a timeline for migrating to post-quantum cryptography by 2029.

This proactive measure accounts for the potential for data to be compromised during the interim period before sufficiently powerful quantum computers become operational.

Furthermore, the NIST FIPS 203 standard (ML-KEM-768) mandates quantum-resistant security by 2035.

The Aethyr Edge Node firmware is grounded in formally verified ML-KEM-768 (FIPS 203) key exchange, utilizing BLAKE3 for integrity verification and employing XChaCha20-Poly1305 encryption.

This suite of technologies enables secure connections to servers via the AethyrWire Protocol (AWP). This architecture serves as a foundational element of the Aethyr distributed agent mesh, designed to deploy autonomous AI agents across a mesh network, thereby minimizing reliance on cloud computing.

Currently, the open-source aspect encompasses only the ESP32-S3 firmware, while other components of the Aethyr agent operating system remain proprietary.

Performance Insights

The incorporation of post-quantum resistant algorithms may introduce certain latencies; however, preliminary benchmarks conducted on the ESP32-S3-WROOM-1, powered by a 240 MHz CPU, indicate overall satisfactory performance. Below are highlighted operational metrics:

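| Operation | Mean | StdDev | Min | Max |
|---|---|---|---|---|
| BLAKE3 (1KB) | 255µs | 102µs | 238µs | 969µs |
| ML-KEM keygen | 9,052µs | 164µs | 8,986µs | 9,558µs |
| ML-KEM encap | 10,070µs | 11µs | 10,058µs | 10,146µs |
| ML-KEM decap | 12,197µs | 11µs | 12,192µs | 12,275µs |
| XChaCha20 encrypt | 243µs | 46µs | 235µs | 564µs |
| BLAKE3 KDF | 49µs | 60µs | 40µs | 472µs |
| AWP frame enc+dec | 363µs | 95µs | 346µs | 1,030µs |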

Firmware Specifications

With an operational footprint of 833KB, the firmware maintains a free heap of 157KB from a total of 512KB of SRAM during runtime.

Rigorous testing has been conducted, comprising 410,000 fuzz iterations (AddressSanitizer + UBSan) that resulted in no crashes, alongside 100,000 single-bit-flip tests — all successfully detected. Moreover, the firmware performs 13 self-checks upon each boot.
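What a single-bit-flip campaign like the one described above checks, as an added sketch and not Aethyr's code: every one-bit mutation of a valid frame must be rejected cleanly, without an exception. The frame layout (1-byte type, 2-byte length, payload, 16-byte tag) is hypothetical because the page does not describe AWP framing, and keyed BLAKE2b from the Python standard library stands in for the firmware's BLAKE3 check.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                 # assumed tag size for this sketch
HDR = struct.Struct(">BH")   # hypothetical header: frame type, payload length


def _tag(key: bytes, body: bytes) -> bytes:
    # Keyed BLAKE2b as a stand-in for BLAKE3 (not in the standard library).
    return hashlib.blake2b(body, key=key, digest_size=TAG_LEN).digest()


def encode_frame(key: bytes, ftype: int, payload: bytes) -> bytes:
    body = HDR.pack(ftype, len(payload)) + payload
    return body + _tag(key, body)


def decode_frame(key: bytes, frame: bytes):
    """Return (type, payload), or None for any malformed frame. Never raises."""
    if len(frame) < HDR.size + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    # Authenticate before parsing, so no header field is trusted unverified.
    if not hmac.compare_digest(tag, _tag(key, body)):
        return None
    ftype, length = HDR.unpack_from(body)
    if length != len(body) - HDR.size:
        return None
    return ftype, body[HDR.size:]


def bit_flip_campaign(key: bytes, frame: bytes):
    """Flip each bit of the frame once; return (flips_tried, flips_rejected)."""
    tried = rejected = 0
    for bit in range(len(frame) * 8):
        mutated = bytearray(frame)
        mutated[bit // 8] ^= 1 << (bit % 8)
        tried += 1
        if decode_frame(key, bytes(mutated)) is None:
            rejected += 1
    return tried, rejected


KEY = bytes(range(32))                                    # constructed test key
FRAME = encode_frame(KEY, 1, b"constructed sensor reading")  # constructed frame

if __name__ == "__main__":
    print(bit_flip_campaign(KEY, FRAME))
```

A campaign passes only when the two counts are equal; any gap means a mutated frame was accepted.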

The implementation has been assessed on ESP32-S3-WROOM-1 modules integrated with 8MB PSRAM, functioning in conjunction with an NVIDIA Jetson Orin Nano Super operating as a 2.4 GHz WiFi access point.

The firmware is compatible with any ESP32-S3 board. Developers can clone the repository, configure settings, compile, and flash the firmware using the following commands (ESP-IDF v5.4+ required):

git clone https://github.com/aethyrai/esp32-awp-edge
cd esp32-awp-edge

# Configure WiFi and upstream node
idf.py menuconfig
# → AWP Edge Node Configuration
#   WiFi SSID / Password
#   Upstream host IP and port

idf.py build
idf.py -p /dev/ttyUSB0 flash monitor
  

Self-Test Outputs

The following results summarize the output from the self-test suite:

Crypto Self-Test Suite
  [1] BLAKE3: empty input...                           PASS
  [2] BLAKE3: 251 sequential bytes...                  PASS
  [3] BLAKE3: derive_key (KDF mode)...                 PASS
  [4] XChaCha20-Poly1305: encrypt/decrypt round-trip...PASS
  [5] XChaCha20-Poly1305: tamper detection...          PASS
  [6] XChaCha20-Poly1305: wrong key rejection...       PASS
  [7] XChaCha20-Poly1305: nonce uniqueness...          PASS
  [8] ML-KEM-768: keygen + encap/decap round-trip...   PASS
  [9] ML-KEM-768: wrong secret key rejection...        PASS
  [10] INTEROP: BLAKE3 KDF matches Python...           PASS
  [11] INTEROP: decrypt Python-produced ciphertext...  PASS
  [12] AWP: frame encode/decode round-trip...          PASS
  [13] AWP: BLAKE3 checksum tamper detection...        PASS
  ALL 13 TESTS PASSED (226ms)
  
ML-KEM-768 keypair ready
WiFi connected
TCP connected to upstream
PQC session established
  

For those interested in the code and detailed instructions, the repository is available on GitHub. However, an operational system image or pertinent software for installation on the Jetson board appears to be absent, limiting immediate utility. Notably, the Jetson and Demo directories have yet to be uploaded to GitHub:

├── jetson/
│   ├── setup-mesh-ap.sh       Create dedicated WiFi AP on Jetson
│   ├── stop-mesh-ap.sh        Stop mesh AP
│   └── aios-node.service      systemd service for AWP node
├── demo/
│   └── run_demo.py            Scripted 2-minute demo
  

Source link: Cnx-software.com.


Reported By

Neil Hemmings

I'm Neil Hemmings from Anaheim, CA, with an Associate of Science in Computer Science from Diablo Valley College. As Senior Tech Associate and Content Manager at RS Web Solutions, I write about AI, gadgets, cybersecurity, and apps – sharing hands-on reviews, tutorials, and practical tech insights.