Post-Quantum VPN Implementation on NVIDIA Jetson Orin Nano

[rytest-1214]

Project Overview: Successfully built a custom Yocto Linux image with kernel 6.6 on NVIDIA Jetson Orin Nano, integrated post-quantum cryptography (PQC) libraries, and established VPN tunnels using strongSwan with Kyber and blast key exchanges. To learn more read the full blog post here.

---

Project Highlights

🔐 Post-Quantum Cryptography Integration

• strongSwan 6.0.0beta4 with OQS (Open Quantum Safe) plugin support
• Kyber L3 (ML-KEM-1024) key exchange for quantum-resistant VPN tunnels
• BLAST Additional key exchange to generate keys at the endpoint without transmission
• Hybrid PQC approach combining classical and post-quantum algorithms
• liboqs 0.11.0 library fully integrated into Yocto build

🐧 Custom Linux Kernel

• Linux kernel 6.6 on Jetson Orin Nano (upgraded from default 5.15)
• Full Yocto build system integration
• Working Ethernet connectivity
• Headless operation optimized for VPN workloads

---

Technical Architecture

VPN Configuration

Endpoint Configuration:

• Two Jetson Orin Nano devices
• Transport mode IPsec with AES-256-GCM encryption
• Post-quantum key exchange using KyberL3 and BLAST
• Pre-Shared Key (PSK) authentication (other methods also supported)
• UDP traffic tunneling (ports 5000-6000)

strongSwan Proposal:

esp_proposals = aes256gcm16-modp2048-ke1_kyber3-ke2_blast-esn

This provides:

• AES-256-GCM-16: Authenticated encryption with associated data
• MODP-2048: Classical Diffie-Hellman for backward compatibility
• ke1_kyber3: Kyber Level 3 (ML-KEM-1024) for quantum resistance
• ke2_blast: Blast key exchange for key generation at the endpoint, negating PKI
• ESN: Extended Sequence Numbers for replay protection

---

Build System Details

Yocto Configuration

Key Components:

• Base: Yocto with meta-tegra layer
• Kernel: Custom linux-tegra 6.6
• strongSwan: 6.0.0beta4 with OQS/BLAST plugins
• liboqs: 0.11.0 cross-compiled for ARM64

---

Performance Testing & Metrics

Configuration	Throughput
No VPN (baseline)	927.09 Mbps
AES-256-GCM only	926.54 Mbps
Hybrid PQC (ML-KEM + DH + BLAST)	926.21 Mbps

Key insight: PQC adds negligible steady-state overhead. The main cost is during handshake and rekey operations, with no measurable impact on continuous data transfer.

PQC Algorithm Performance

Algorithm	Operation	Time (ms)	Notes
ML-KEM-768	Key Generation	.036	Per handshake
ML-KEM-768	Encapsulation	.043	Per handshake
ML-KEM-768	Decapsulation	.041	Per handshake
ECDH P-256	Key Derivation	.092	For comparison

Bottom line: ML-KEM adds ~.1ms to handshake. For a tunnel that rekeys hourly, this is negligible.

Rekey Performance

Rekey Interval	Time
AES-256-GCM Only	480 (ms)
Hybrid PQC (ML-KEM + DH)	483 (ms)
Hybrid PQC (ML-KEM + DH + BLAST)	741 (ms)

---

Challenges Overcome

1. Kernel 6.6 Compatibility

• NVIDIA's default DCE firmware compiled for kernel 5.15
• Solution: Compiled a custom yocto image upgrading the kernel to 6.6, taking advantage of IKEv2 features in updated kernel

2. Cross-Compilation

• liboqs, BLAST and strongSwan built for ARM64 architecture
• Custom Yocto recipes for all PQC dependencies/necessary kernel modules

---

Results & Validation

Successfully Achieved

• VPN tunnel establishment with post-quantum key exchange
• Kyber3 + BLAST key exchange visible in strongSwan logs:

  selected proposal: ESP:AES_GCM_16_256/MODP_2048/EXT_SEQ/KE1_KYBER_L3/KE2_BLAST/ESN
  IKE_FOLLOWUP_KE message with Kyber and BLAST exchange
  CHILD_SA established with PQC protection
  

• Bidirectional traffic flow through encrypted tunnel
• Stable connections with configurable rekey intervals

Measured Performance

• Baseline throughput: ~927 Mbps (Gigabit Ethernet)
• Classical VPN: ~926 Mbps (<1% overhead)
• Hybrid PQC VPN: ~926 Mbps (<1% overhead)
• Rekey impact: Minimal (<1% throughput drop during rekey)

Resources & References

Github link

---

Questions Welcome!

I'm happy to share more details about any aspect of this project:

• Build system configuration and recipes
• strongSwan/OQS integration details
• OP-TEE TA development
• Performance testing methodology
• Troubleshooting specific issues

This project demonstrates that post-quantum VPN solutions are practical and deployable today on embedded ARM platforms like the Jetson Orin Nano, providing future-proof security for edge computing applications.

---

Hardware Used:

• 2x NVIDIA Jetson Orin Nano Developer Kits
• Gigabit Ethernet network
• Standard 802.3 cabling

Software Stack:

• Yocto Kirkstone
• Linux kernel 6.6
• strongSwan 6.0.0beta4
• liboqs 0.11.0
• OP-TEE 3.22.0
• systemd