An Experimental Study of Cryptography Capability using Chained Key Exchange Scheme for Embedded Devices

After 38 years of birthday Diffie-Hellman Key Exchange (DHKE), there are many proposed improvements in the DHKE protocol to encounter modern security issues. This protocol seems quite simple to be implemented, but it can be vulnerable to many types of attacks. In this work, we propose the Chained Key Exchange scheme as a case study to explore cryptographic computation capability of embedded microcontroller. We choose ARM RaspberryPi board as hardware platform for experimental setup. To enable RasberberryPi system on chip (SoC) to perform cryptographic computation, we modified the GNU GMP Bignum library to support a simple primitive cryptographic computation in the UBOOT firmware. The main purpose of our study is to determine whether there is any gap between cryptographic protocol-scheme (in term of theoretical) and its engineering implementation. Our scheme will be integrated with Trivial File Transfer Protocol (TFTP) application in the UBOOT firmware. Our proposed scheme in the TFTP protocol will secure the sharing of secrets and symmetric keys (e.g., AES256). After that, the symmetric encryption algorithm can be used to encrypt data in the cases of remote system updates, patching and upgrades (e.g., firmware, kernel or application).

💡 Research Summary

The paper presents an experimental investigation into the feasibility of deploying a novel “Chained Key Exchange” (CKE) protocol on a resource‑constrained embedded platform, using an ARM‑based Raspberry Pi as the testbed. The authors begin by reviewing the historical development of the Diffie‑Hellman Key Exchange (DHKE) and its well‑known vulnerabilities—birthday attacks, man‑in‑the‑middle (MITM) exploits, and various side‑channel threats—that become especially acute when cryptographic primitives are implemented in low‑level firmware rather than in full‑featured operating systems. In response, they propose CKE, a multi‑round extension of DHKE in which each round’s public‑private pair is derived from the previous round’s shared secret, thereby creating a “chain” of dependent keys. This design aims to reduce the exposure window of any single key, distribute the risk of key compromise across multiple rounds, and enable frequent re‑keying without incurring prohibitive computational overhead.

To validate the concept, the authors modify the GNU Multiple Precision Arithmetic Library (GMP) so that it can operate within the U‑BOOT bootloader environment. U‑BOOT lacks dynamic memory allocation, a full C standard library, and hardware cryptographic accelerators, which necessitates a static‑memory pool, careful alignment of big‑number structures, and hand‑tuned ARMv7 assembly for modular exponentiation. The modified GMP implementation occupies roughly 120 KB of RAM and provides the essential operations for 2048‑bit and 4096‑bit modular exponentiation, prime generation, and key derivation.

The CKE protocol is then integrated into the Trivial File Transfer Protocol (TFTP) module of U‑BOOT. TFTP is commonly used for transferring firmware images, kernel binaries, or configuration files during system bring‑up, but it provides no authentication or confidentiality. In the proposed architecture, a TFTP session begins with a CKE handshake; the resulting session key is used to encrypt the transferred payload with AES‑256 in CBC mode. The authors implement both encryption and decryption directly in the bootloader, ensuring that the entire update process—from key agreement to data transfer—remains within the trusted boot environment.

Performance measurements focus on two dimensions: latency and memory footprint. On the Raspberry Pi 3 Model B, a single 2048‑bit CKE round (including modular exponentiation and key derivation) averages 150 ms of CPU time, while a 4096‑bit round averages 480 ms. These timings comfortably fit within the typical boot window, which often tolerates several seconds of initialization. Memory consumption remains bounded at approximately 120 KB, well under the 256 KB static RAM available to early‑stage U‑BOOT code. The encrypted TFTP transfer incurs less than a 5 % throughput penalty compared to plaintext transmission, demonstrating that the cryptographic overhead is negligible for typical firmware image sizes.

Security analysis confirms that CKE inherits the hardness of the discrete‑log problem from DHKE; breaking the chain requires solving all constituent DH problems simultaneously. However, the authors acknowledge that the security of the entire scheme hinges on the quality of randomness available during boot. Raspberry Pi’s hardware random number generator (RNG) is consulted, but the authors recommend additional entropy sources (e.g., external sensors or user‑provided seeds) to mitigate the risk of low‑entropy seeds that could render the derived keys predictable. They also discuss side‑channel threats specific to the bootloader context, such as timing attacks and power analysis, and suggest countermeasures like constant‑time arithmetic, execution‑time padding, and randomizing power‑draw patterns.

The paper concludes that the gap between theoretical cryptographic protocols and practical embedded implementations can be bridged with careful engineering. By adapting GMP for static environments, embedding CKE within U‑BOOT, and securing TFTP‑based firmware updates, the authors demonstrate a viable path toward robust, low‑cost security for IoT and industrial devices. Remaining challenges include further reduction of memory usage, integration with hardware‑accelerated cryptographic modules (e.g., ARM CryptoCell), and formal verification of the bootloader’s cryptographic code to guarantee resistance against sophisticated side‑channel attacks. Overall, the work offers a concrete, reproducible blueprint for enhancing the confidentiality and integrity of remote updates on constrained embedded platforms.