Aethyr Research has released post-quantum encrypted IoT edge node firmware for ESP32-S3 targets that boots in 2.1 seconds and supports full PQC (Post Quantum Cryptography) handshakes in 35ms.
Public-key cryptographic algorithms such as RSA and ECC will soon have to be replaced due to the advance of quantum computers that will be able to crack such encryption within a few hours to days using Shor’s algorithm. While there’s still time, Google recently updated its timeline for post-quantum cryptography migration to 2029, mostly because it’s possible to store data now for an attack once sufficiently powerful quantum computers become available, and the NIST FIPS 203 standard (ML-KEM-768) mandates quantum-resistant security by 2035.
The Aethyr Edge Node open-source firmware relies on formally verified ML-KEM-768 (FIPS 203) post-quantum key exchange, BLAKE3 integrity, and XChaCha20-Poly1305 encryption to implement post-quantum encryption to connect to a server over the AethyrWire Protocol (AWP). It’s a building block of the Aethyr distributed agent mesh, aiming to deploy autonomous AI agents over a mesh network with small nodes running TinyML and larger nodes for more complex reasoning without having to rely on the cloud. The only part of the project that’s open source for now is the ESP32-S3 firmware, and the rest of the Aethyr agent operating system remains proprietary.
The post-quantum resistant algorithms will introduce some delays, but based on the benchmarks released for an ESP32-S3-WROOM-1 module with a CPU clocked at 240MHz (50 iterations, mean and standard deviation), it does not look too bad.
| Operation | Mean | StdDev | Min | Max |
|---|---|---|---|---|
| BLAKE3 (1KB) | 255us | 102us | 238us | 969us |
| ML-KEM keygen | 9,052us | 164us | 8,986us | 9,558us |
| ML-KEM encap | 10,070us | 11us | 10,058us | 10,146us |
| ML-KEM decap | 12,197us | 11us | 12,192us | 12,275us |
| XChaCha20 encrypt | 243us | 46us | 235us | 564us |
| BLAKE3 KDF | 49us | 60us | 40us | 472us |
| AWP frame enc+dec | 363us | 95us | 346us | 1,030us |
The firmware has an 833KB footprint, and the free heap is 157KB out of 512KB SRAM at runtime. The firmware has also been tested with 410,000 fuzz iterations (AddressSanitizer + UBSan) with zero crashes and 100,000 single-bit-flip tests, all detected. It also runs 13 self-tests on every boot.
Aethyr tested it on ESP32-S3-WROOM-1 modules with 8MB PSRAM and an NVIDIA Jetson Orin Nano Super acting as a 2.4 GHz WiFi access point running the upstream NODE. It should work on any ESP32-S3 boards, and you can check out the code, configure, build, and flash the firmware to your board as follows (ESP-IDF v5.4+ required):
|
1 2 3 4 5 6 7 8 9 10 11 |
git clone https://github.com/aethyrai/esp32-awp-edge cd esp32-awp-edge # Configure WiFi and upstream node idf.py menuconfig # → AWP Edge Node Configuration # WiFi SSID / Password # Upstream host IP and port idf.py build idf.py -p /dev/ttyUSB0 flash monitor |
The output from the terminal should look like:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
Crypto Self-Test Suite [1] BLAKE3: empty input... PASS [2] BLAKE3: 251 sequential bytes... PASS [3] BLAKE3: derive_key (KDF mode)... PASS [4] XChaCha20-Poly1305: encrypt/decrypt round-trip...PASS [5] XChaCha20-Poly1305: tamper detection... PASS [6] XChaCha20-Poly1305: wrong key rejection... PASS [7] XChaCha20-Poly1305: nonce uniqueness... PASS [8] ML-KEM-768: keygen + encap/decap round-trip... PASS [9] ML-KEM-768: wrong secret key rejection... PASS [10] INTEROP: BLAKE3 KDF matches Python... PASS [11] INTEROP: decrypt Python-produced ciphertext... PASS [12] AWP: frame encode/decode round-trip... PASS [13] AWP: BLAKE3 checksum tamper detection... PASS ALL 13 TESTS PASSED (226ms) ML-KEM-768 keypair ready WiFi connected TCP connected to upstream PQC session established |
The code and instructions can be found on GitHub. However, there’s just a little problem. I couldn’t find an OS image or software to install on the Jetson board, so it’s not super useful at this point. The documented Jetson and Demo directories have not yet been uploaded to GitHub:
|
1 2 3 4 5 6 |
── jetson/ │ ├── setup-mesh-ap.sh Create dedicated WiFi AP on Jetson │ ├── stop-mesh-ap.sh Stop mesh AP │ └── aios-node.service systemd service for AWP node ├── demo/ │ └── run_demo.py Scripted 2-minute demo |
Maybe the post-quantum encryption implementation can serve as a base for other PQC-resistant projects. A related blog post has a few more details. (Internet Archive link, because the website won’t work from Thailand, except when using a US VPN).
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress. We also use affiliate links in articles to earn commissions if you make a purchase after clicking on those links.
