ESP32-S3 PQC/ML-KEM/BLAKE3 Open Source Edge Firmware
ESP32-S3 gets post-quantum encryption with Aethyr Edge Node open-source firmware - CNX Software

Aethyr Research has released post-quantum encrypted IoT edge node firmware for ESP32-S3 targets that boots in 2.1 seconds and supports full PQC (Post Quantum Cryptography) handshakes in 35ms.

Public-key cryptographic algorithms such as RSA and ECC will soon have to be replaced due to the advance of quantum computers that will be able to crack such encryption within a few hours to days using Shor’s algorithm. While there’s still time, Google recently updated its timeline for post-quantum cryptography migration to 2029, mostly because it’s possible to store data now for an attack once sufficiently powerful quantum computers become available, and the NIST FIPS 203 standard (ML-KEM-768) mandates quantum-resistant security by 2035.

The Aethyr Edge Node open-source firmware relies on formally verified ML-KEM-768 (FIPS 203) post-quantum key exchange, BLAKE3 integrity, and XChaCha20-Poly1305 encryption to implement post-quantum encryption to connect to a server over the AethyrWire Protocol (AWP). It’s a building block of the Aethyr distributed agent mesh, aiming to deploy autonomous AI agents over a mesh network with small nodes running TinyML and larger nodes for more complex reasoning without having to rely on the cloud. The only part of the project that’s open source for now is the ESP32-S3 firmware, and the rest of the Aethyr agent operating system remains proprietary.

(Image: Aethyr dashboard)

The post-quantum resistant algorithms will introduce some delays, but based on the benchmarks released for an ESP32-S3-WROOM-1 module with a CPU clocked at 240MHz (50 iterations, mean and standard deviation), it does not look too bad.

| Operation | Mean | StdDev | Min | Max |
|---|---|---|---|---|
| BLAKE3 (1KB) | 255us | 102us | 238us | 969us |
| ML-KEM keygen | 9,052us | 164us | 8,986us | 9,558us |
| ML-KEM encap | 10,070us | 11us | 10,058us | 10,146us |
| ML-KEM decap | 12,197us | 11us | 12,192us | 12,275us |
| XChaCha20 encrypt | 243us | 46us | 235us | 564us |
| BLAKE3 KDF | 49us | 60us | 40us | 472us |
| AWP frame enc+dec | 363us | 95us | 346us | 1,030us |

The firmware has an 833KB footprint, and the free heap is 157KB out of 512KB SRAM at runtime. The firmware has also been tested with 410,000 fuzz iterations (AddressSanitizer + UBSan) with zero crashes and 100,000 single-bit-flip tests, all detected. It also runs 13 self-tests on every boot.

Aethyr tested it on ESP32-S3-WROOM-1 modules with 8MB PSRAM and an NVIDIA Jetson Orin Nano Super acting as a 2.4 GHz WiFi access point running the upstream NODE. It should work on any ESP32-S3 board, and you can check out the code, configure, build, and flash the firmware to your board as follows (ESP-IDF v5.4+ required):

```
git clone https://github.com/aethyrai/esp32-awp-edge
cd esp32-awp-edge

# Configure WiFi and upstream node
idf.py menuconfig
# → AWP Edge Node Configuration
#   WiFi SSID / Password
#   Upstream host IP and port

idf.py build
idf.py -p /dev/ttyUSB0 flash monitor
```

The output from the terminal should look like:

```
Crypto Self-Test Suite
[1] BLAKE3: empty input... PASS
[2] BLAKE3: 251 sequential bytes... PASS
[3] BLAKE3: derive_key (KDF mode)... PASS
[4] XChaCha20-Poly1305: encrypt/decrypt round-trip...PASS
[5] XChaCha20-Poly1305: tamper detection... PASS
[6] XChaCha20-Poly1305: wrong key rejection... PASS
[7] XChaCha20-Poly1305: nonce uniqueness... PASS
[8] ML-KEM-768: keygen + encap/decap round-trip... PASS
[9] ML-KEM-768: wrong secret key rejection... PASS
[10] INTEROP: BLAKE3 KDF matches Python... PASS
[11] INTEROP: decrypt Python-produced ciphertext... PASS
[12] AWP: frame encode/decode round-trip... PASS
[13] AWP: BLAKE3 checksum tamper detection... PASS
ALL 13 TESTS PASSED (226ms)
ML-KEM-768 keypair ready
WiFi connected
TCP connected to upstream
PQC session established
```

The code and instructions can be found on GitHub. However, there’s just a little problem. I couldn’t find an OS image or software to install on the Jetson board, so it’s not super useful at this point. The documented Jetson and Demo directories have not yet been uploaded to GitHub:

```
├── jetson/
│   ├── setup-mesh-ap.sh      Create dedicated WiFi AP on Jetson
│   ├── stop-mesh-ap.sh       Stop mesh AP
│   └── aios-node.service     systemd service for AWP node
├── demo/
│   └── run_demo.py           Scripted 2-minute demo
```

Maybe the post-quantum encryption implementation can serve as a base for other PQC-resistant projects. A related blog post has a few more details. (Internet Archive link, because the website won’t work from Thailand, except when using a US VPN).

Jean-Luc Aufranc (CNXSoft): Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
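
The boot output quoted in the article can be checked automatically before a freshly flashed node is accepted, for example in a provisioning or CI step. The Python sketch below is an added example, not code from the article or from the Aethyr firmware; the function name, the `FAIL` token, and the treatment of the four lines after the summary as ordered stages are assumptions. Test lines are matched anywhere within a line, so a logger prefix in front of `[n]` is tolerated.

```python
import re
EXPECTED = 13  # the article says 13 self-tests run on every boot
STAGES = ["ML-KEM-768 keypair ready", "WiFi connected",
          "TCP connected to upstream", "PQC session established"]
TEST_RE = re.compile(r"\[(\d+)\]\s+(.+?)\.\.\.\s*(\w+)\s*$", re.M)
SUMMARY_RE = re.compile(r"ALL (\d+) TESTS PASSED")

def check_boot_log(text):
    """Return a list of problems; an empty list means the boot is accepted."""
    results = {int(n): (name, verdict) for n, name, verdict in TEST_RE.findall(text)}
    problems, pos = [], 0
    for n in range(1, EXPECTED + 1):
        name, verdict = results.get(n, ("not in log", "MISSING"))
        if verdict != "PASS":  # anything other than PASS is treated as a failure
            problems.append(f"self-test {n} ({name}): {verdict}")
    summary = SUMMARY_RE.search(text)
    if not summary or int(summary.group(1)) != EXPECTED:
        problems.append("summary line missing or wrong count")
    for stage in STAGES:  # assumed ordered: each must follow the previous one
        pos = text.find(stage, pos)
        if pos < 0:
            problems.append(f"stage not reached: {stage}")
            break
    return problems

# Boot output as quoted in the article (suite header line omitted).
GOOD_LOG = """\
[1] BLAKE3: empty input... PASS
[2] BLAKE3: 251 sequential bytes... PASS
[3] BLAKE3: derive_key (KDF mode)... PASS
[4] XChaCha20-Poly1305: encrypt/decrypt round-trip...PASS
[5] XChaCha20-Poly1305: tamper detection... PASS
[6] XChaCha20-Poly1305: wrong key rejection... PASS
[7] XChaCha20-Poly1305: nonce uniqueness... PASS
[8] ML-KEM-768: keygen + encap/decap round-trip... PASS
[9] ML-KEM-768: wrong secret key rejection... PASS
[10] INTEROP: BLAKE3 KDF matches Python... PASS
[11] INTEROP: decrypt Python-produced ciphertext... PASS
[12] AWP: frame encode/decode round-trip... PASS
[13] AWP: BLAKE3 checksum tamper detection... PASS
ALL 13 TESTS PASSED (226ms)
ML-KEM-768 keypair ready
WiFi connected
TCP connected to upstream
PQC session established
"""
# Constructed failure cases; the FAIL token is an assumption (the page shows only PASS).
TAMPER_FAIL = GOOD_LOG.replace("tamper detection... PASS", "tamper detection... FAIL", 1)
NO_SESSION = GOOD_LOG.replace("PQC session established\n", "")
```

Calling `check_boot_log(TAMPER_FAIL)` names the failing self-test, and `check_boot_log(NO_SESSION)` reports that the node never reached the PQC session stage.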