{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,2]],"date-time":"2026-03-02T22:54:47Z","timestamp":1772492087443,"version":"3.50.1"},"reference-count":39,"publisher":"Association for Computing Machinery (ACM)","issue":"CoNEXT4","funder":[{"DOI":"10.13039\/501100003725","name":"National Research Foundation of Korea","doi-asserted-by":"publisher","award":["RS-2022-NR070293"],"award-info":[{"award-number":["RS-2022-NR070293"]}],"id":[{"id":"10.13039\/501100003725","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Netw."],"published-print":{"date-parts":[[2025,11,24]]},"abstract":"<jats:p>Confidentiality and integrity are essential for secure communication. In RDMA-based systems, however, they are often neglected because security mechanisms impose significant performance overheads. In this work, we design a secure RDMA data path that ensures confidentiality and integrity by protecting data in transit and at the remote side using encryption and checksums. To reduce security overhead, our system offloads cryptographic operations to the RDMA NIC (RNIC). However, hardware limitations and relatively slow cryptography performance in RNICs make a secure and efficient design challenging. We address these challenges with three key techniques: dynamic key reconfiguration, configuration-data batching, and context pooling. We also conduct a case study with RDMA memory disaggregation systems to evaluate when offloading is beneficial. We find that naive offloading degrades performance and that overlapping CPU's computation with RNIC's cryptography is essential to realizing its benefits. Our evaluation shows that overlapping achieves up to 9.63x lower P99.9 latency than a CPU-based secure RDMA data path on RocksDB.<\/jats:p>","DOI":"10.1145\/3768991","type":"journal-article","created":{"date-parts":[[2025,11,25]],"date-time":"2025-11-25T17:09:56Z","timestamp":1764090596000},"page":"1-13","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Secure and Efficient RDMA NIC Cryptography Offloading for Memory Disaggregation"],"prefix":"10.1145","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6247-4119","authenticated-orcid":false,"given":"Wonsup","family":"Yoon","sequence":"first","affiliation":[{"name":"The University of Texas at Austin, Austin, Texas, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5692-1111","authenticated-orcid":false,"given":"Sue","family":"Moon","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}]}],"member":"320","published-online":{"date-parts":[[2025,11,25]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/3342195.3387522"},{"key":"e_1_2_1_2_1","unstructured":"Broadcom. 2024. BCM57608 Ethernet NIC Adapters. https:\/\/docs.broadcom.com\/doc\/957608-PB1."},{"key":"e_1_2_1_3_1","unstructured":"Chelsio. 2025. S72200. https:\/\/www.chelsio.com\/wp-content\/uploads\/2025\/01\/T7\/Product-Brief\/S72200-pb.pdf."},{"key":"e_1_2_1_4_1","unstructured":"Intel Corporation. 2025. Intel\u00ae Advanced Vector Extensions 10.1 (Intel\u00ae AVX10.1) Architecture Specification). https:\/\/www.intel.com\/content\/www\/us\/en\/content-details\/848455\/intel-advanced-vector-extensions-10-1-intel-avx10-1-architecture-specification.html."},{"key":"e_1_2_1_5_1","unstructured":"Intel Corporation. [n. d.] a. Intel\u00ae Advanced Vector Extensions 512 (Intel\u00ae AVX-512). https:\/\/www.intel.com\/content\/www\/us\/en\/products\/docs\/accelerator-engines\/advanced-vector-extensions-512.html."},{"key":"e_1_2_1_6_1","unstructured":"Intel Corporation. [n. d.] b. Intel\u00ae QuickAssist Technology (Intel\u00ae QAT). https:\/\/www.intel.com\/content\/www\/us\/en\/architecture-and-technology\/intel-quick-assist-technology-overview.html."},{"key":"e_1_2_1_7_1","unstructured":"Intel Corporation. [n. d.] c. Runtime Encryption of Memory with Intel\u00ae Total Memory Encryption-Multi-Key (Intel\u00ae TME-MK). https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/news\/runtime-encryption-of-memory-with-intel-tme-mk.html."},{"key":"e_1_2_1_8_1","unstructured":"NVIDIA Corporation. 2021. NVIDIA CONNECTX-6 DX Ethernet SmartNIC. https:\/\/www.nvidia.com\/content\/dam\/en-zz\/Solutions\/networking\/ethernet-adapters\/connectX-6-dx-datasheet.pdf."},{"key":"e_1_2_1_9_1","doi-asserted-by":"crossref","unstructured":"Matthijs Douze Alexandr Guzhva Chengqi Deng Jeff Johnson Gergely Szilvasy Pierre-Emmanuel Mazar\u00e9 Maria Lomeli Lucas Hosseini and Herv\u00e9 J\u00e9gou. 2024. The Faiss library. (2024). arXiv:2401.08281 [cs.LG]","DOI":"10.1109\/TBDATA.2025.3618474"},{"key":"e_1_2_1_10_1","unstructured":"Oren Duer and Sergey Gorenko. 2023. mlx5dv_wr_set_mkey_sig_block - Configure a MKEY for block signature (data integrity) operation. https:\/\/manpages.debian.org\/bookworm\/libibverbs-dev\/mlx5dv_wr_set_mkey_sig_block.3.en.html."},{"key":"e_1_2_1_11_1","unstructured":"Oren Duer Avihai Horon and Maher Sanalla. 2023. mlx5dv_wr_set_mkey_crypto - Configure a MKey for crypto operation. https:\/\/manpages.debian.org\/bookworm\/libibverbs-dev\/mlx5dv_wr_set_mkey_crypto.3.en.html."},{"key":"e_1_2_1_12_1","doi-asserted-by":"crossref","unstructured":"Morris Dworkin. 2010. Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices. https:\/\/tsapps.nist.gov\/publication\/get_pdf.cfm?pub_id=904691","DOI":"10.6028\/NIST.SP.800-38e"},{"key":"e_1_2_1_13_1","unstructured":"NVM Express. 2021. NVM Express over Fabrics Revision 1.1a. https:\/\/nvmexpress.org\/wp-content\/uploads\/NVMe-over-Fabrics-1.1a-2021.07.12-Ratified.pdf."},{"key":"e_1_2_1_14_1","first-page":"649","volume-title":"Efficient Memory Disaggregation with Infiniswap. In 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17)","author":"Gu Juncheng","unstructured":"Juncheng Gu, Youngmoon Lee, Yiwen Zhang, Mosharaf Chowdhury, and Kang G. Shin. 2017. Efficient Memory Disaggregation with Infiniswap. In 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17). USENIX Association, Boston, MA, 649-667. https:\/\/www.usenix.org\/conference\/nsdi17\/technical-sessions\/presentation\/gu"},{"key":"e_1_2_1_15_1","unstructured":"Maximilian J. Heer Benjamin Ramhorst Jonas Dann and Gustavo Alonso. 2025. RoCE BALBOA: Towards FPGA-enhanced RDMA. Poster presented at the European Conference on Computer Systems (EuroSys)'25'. https:\/\/your-poster-link-if-any.com Poster presentation."},{"key":"e_1_2_1_16_1","unstructured":"Avihai Horon. 2023. mlx5dv_crypto_login - Creates a crypto login session. https:\/\/manpages.debian.org\/bookworm\/libibverbs-dev\/mlx5dv_crypto_login.3.en.html."},{"key":"e_1_2_1_17_1","unstructured":"Meta Platforms Inc. 2022. RocksDB. https:\/\/rocksdb.org."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2011.5946540"},{"key":"e_1_2_1_19_1","first-page":"843","volume-title":"Effectively Prefetching Remote Memory with Leap. In 2020 USENIX Annual Technical Conference (USENIX ATC 20)","author":"Maruf Hasan Al","year":"2020","unstructured":"Hasan Al Maruf and Mosharaf Chowdhury. 2020. Effectively Prefetching Remote Memory with Leap. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). USENIX Association, 843-857. https:\/\/www.usenix.org\/conference\/atc20\/presentation\/al-maruf"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3230543.3230560"},{"key":"e_1_2_1_21_1","unstructured":"NVIDIA. 2023. Linux Kernel Upstream Release Notes v6.1. https:\/\/docs.nvidia.com\/networking\/display\/kernelupstreamv61\/changesandnewfeatures."},{"key":"e_1_2_1_22_1","unstructured":"The GnuPG Projec. [n.d.]. Libgcrypt. https:\/\/gnupg.org\/software\/libgcrypt\/index.html."},{"key":"e_1_2_1_23_1","unstructured":"DPDK Project. [n.d.]. NVIDIA MLX5 Crypto Driver. https:\/\/doc.dpdk.org\/guides\/cryptodevs\/mlx5.html."},{"key":"e_1_2_1_24_1","first-page":"181","volume-title":"20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23)","author":"Qiao Yifan","year":"2023","unstructured":"Yifan Qiao, Chenxi Wang, Zhenyuan Ruan, Adam Belay, Qingda Lu, Yiying Zhang, Miryung Kim, and Guoqing Harry Xu. 2023. Hermit: Low-Latency, High-Throughput, and Transparent Remote Memory via Feedback-Directed Asynchrony. In 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23). USENIX Association, Boston, MA, 181-198. https:\/\/www.usenix.org\/conference\/nsdi23\/presentation\/qiao"},{"key":"e_1_2_1_25_1","first-page":"4277","volume-title":"ReDMArk: Bypassing RDMA Security Mechanisms. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Rothenberger Benjamin","year":"2021","unstructured":"Benjamin Rothenberger, Konstantin Taranov, Adrian Perrig, and Torsten Hoefler. 2021. ReDMArk: Bypassing RDMA Security Mechanisms. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 4277-4292. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/rothenberger"},{"key":"e_1_2_1_26_1","first-page":"315","volume-title":"Application-Integrated Far Memory. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20)","author":"Ruan Zhenyuan","year":"2020","unstructured":"Zhenyuan Ruan, Malte Schwarzkopf, Marcos K. Aguilera, and Adam Belay. 2020. AIFM: High-Performance, Application-Integrated Far Memory. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20). USENIX Association, 315-332. https:\/\/www.usenix.org\/conference\/osdi20\/presentation\/ruan"},{"key":"e_1_2_1_27_1","unstructured":"Maher Sanalla. 2022. mlx5: Add new AES-XTS single block capability. https:\/\/github.com\/linux-rdma\/rdma-core\/commit\/bca03d4adc1f40baea7aaa2cd9d03834fb41fdce."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP60621.2024.00024"},{"key":"e_1_2_1_29_1","first-page":"69","volume-title":"Distributed OS for Hardware Resource Disaggregation. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18)","author":"Shan Yizhou","year":"2018","unstructured":"Yizhou Shan, Yutong Huang, Yilun Chen, and Yiying Zhang. 2018. LegoOS: A Disseminated, Distributed OS for Hardware Resource Disaggregation. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18). USENIX Association, Carlsbad, CA, 69-87. https:\/\/www.usenix.org\/conference\/osdi18\/presentation\/shan"},{"key":"e_1_2_1_30_1","doi-asserted-by":"crossref","first-page":"708","DOI":"10.1145\/3387514.3405897","volume-title":"Proceedings of the Annual Conference of the ACM Special Interest Group on Data Communication on the Applications, Technologies, Architectures, and Protocols for Computer Communication","author":"Singhvi Arjun","year":"2020","unstructured":"Arjun Singhvi, Aditya Akella, Dan Gibson, Thomas F. Wenisch, Monica Wong-Chan, Sean Clark, Milo M. K. Martin, Moray McLaren, Prashant Chandra, Rob Cauble, Hassan M. G. Wassel, Behnam Montazeri, Simon L. Sabato, Joel Scherpelz, and Amin Vahdat. 2020. 1RMA: Re-envisioning Remote Memory Access for Multi-tenant Datacenters. In Proceedings of the Annual Conference of the ACM Special Interest Group on Data Communication on the Applications, Technologies, Architectures, and Protocols for Computer Communication (Virtual Event, USA) (SIGCOMM '20). Association for Computing Machinery, New York, NY, USA, 708-721. doi:10.1145\/3387514.3405897"},{"key":"e_1_2_1_31_1","first-page":"691","volume-title":"2020 USENIX Annual Technical Conference (USENIX ATC 20)","author":"Taranov Konstantin","year":"2020","unstructured":"Konstantin Taranov, Benjamin Rothenberger, Adrian Perrig, and Torsten Hoefler. 2020. sRDMA - Efficient NIC-based Authentication and Encryption for Remote Direct Memory Access. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). USENIX Association, 691-704. https:\/\/www.usenix.org\/conference\/atc20\/presentation\/taranov"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.240277"},{"key":"e_1_2_1_33_1","first-page":"261","volume-title":"Semeru: A Memory-Disaggregated Managed Runtime. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20)","author":"Wang Chenxi","year":"2020","unstructured":"Chenxi Wang, Haoran Ma, Shi Liu, Yuanqi Li, Zhenyuan Ruan, Khanh Nguyen, Michael D. Bond, Ravi Netravali, Miryung Kim, and Guoqing Harry Xu. 2020. Semeru: A Memory-Disaggregated Managed Runtime. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20). USENIX Association, 261-280. https:\/\/www.usenix.org\/conference\/osdi20\/presentation\/wang"},{"key":"e_1_2_1_34_1","first-page":"35","volume-title":"16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22)","author":"Wang Chenxi","year":"2022","unstructured":"Chenxi Wang, Haoran Ma, Shi Liu, Yifan Qiao, Jonathan Eyolfson, Christian Navasca, Shan Lu, and Guoqing Harry Xu. 2022. MemLiner: Lining up Tracing and Application for a Far-Memory-Friendly Runtime. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22). USENIX Association, Carlsbad, CA, 35-53. https:\/\/www.usenix.org\/conference\/osdi22\/presentation\/wang"},{"key":"e_1_2_1_35_1","first-page":"161","volume-title":"Canvas: Isolated and Adaptive Swapping for Multi-Applications on Remote Memory. In 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23)","author":"Wang Chenxi","year":"2023","unstructured":"Chenxi Wang, Yifan Qiao, Haoran Ma, Shi Liu, Wenguang Chen, Ravi Netravali, Miryung Kim, and Guoqing Harry Xu. 2023. Canvas: Isolated and Adaptive Swapping for Multi-Applications on Remote Memory. In 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23). USENIX Association, Boston, MA, 161-179. https:\/\/www.usenix.org\/conference\/nsdi23\/presentation\/wang-chenxi"},{"key":"e_1_2_1_36_1","unstructured":"Schrodinger ZHU Yifan. 2021. crc64-cxx. https:\/\/github.com\/SchrodingerZhu\/crc64-cxx."},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3689031.3717475"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3552326.3567488"},{"key":"e_1_2_1_39_1","first-page":"55","volume-title":"Carbink: Fault-Tolerant Far Memory. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22)","author":"Zhou Yang","year":"2022","unstructured":"Yang Zhou, Hassan M. G. Wassel, Sihang Liu, Jiaqi Gao, James Mickens, Minlan Yu, Chris Kennelly, Paul Turner, David E. Culler, Henry M. Levy, and Amin Vahdat. 2022. Carbink: Fault-Tolerant Far Memory. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22). USENIX Association, Carlsbad, CA, 55-71. https:\/\/www.usenix.org\/conference\/osdi22\/presentation\/zhou-yang"}],"container-title":["Proceedings of the ACM on Networking"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3768991","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,2]],"date-time":"2026-03-02T22:05:11Z","timestamp":1772489111000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3768991"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,24]]},"references-count":39,"journal-issue":{"issue":"CoNEXT4","published-print":{"date-parts":[[2025,11,24]]}},"alternative-id":["10.1145\/3768991"],"URL":"https:\/\/doi.org\/10.1145\/3768991","relation":{},"ISSN":["2834-5509"],"issn-type":[{"value":"2834-5509","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,11,24]]},"assertion":[{"value":"2025-11-25","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}