Post-Quantum Cryptography for IoT Study Notes

Post-Quantum Cryptography for IoT: The Threat, Standards, and Migration Costs

  • Overview: This course module (Week 11, CEN 445) focuses on the transition from classical cryptography to post-quantum cryptography (PQC) within the Internet of Things (IoT) ecosystem.

  • The IoT Quantum Problem: A water meter shipped today must remain secure until 2041 (a 15-year field life). If a device's lifetime plus the time needed to migrate it exceeds the time until a cryptographically relevant quantum computer exists (Mosca's inequality), the device will spend part of its life broken in the field. Long device lifetimes therefore make quantum-resistant designs an immediate requirement, not a future one.

  • Defender Takeaway: Post-quantum migration is a present-day design decision for every IoT system shipping this year. Choosing the right scheme for each operation is critical.

Opening Discussion: Why Start Now?

  • Question: A board member asks: "Quantum computers powerful enough to break encryption don't exist yet. Why should we spend money on post-quantum cryptography in 2026?"

  • Abridged Answer Options:

    • A: Quantum computers can already break encryption today.

    • B: NIST regulations impose fines for not migrating immediately.

    • C: Traffic recorded today can be decrypted later by quantum computers.

    • D: Post-quantum algorithms are cheaper than classical ones.

  • Strongest Reason: C. Known as "Harvest Now, Decrypt Later" (HNDL), attackers record encrypted traffic today and decrypt it once quantum hardware matures. This argument applies to confidentiality (key exchange): a recorded TLS session protected by ECDH is exposed retroactively. Signatures are not harvestable in the same way, since a forged firmware signature only matters once the attacker has the machine, but a device that must verify updates in 2040 still needs a quantum-safe signing root provisioned today.

Section 1: The Quantum Threat

The Building Block of Quantum Computing: The Qubit

  • Classical Bit: The unit of classical computing (laptops, sensors, phones). A bit is either $0$ or $1$, one value at a time.

  • Qubit: The unit of quantum computing. A qubit exists in a superposition of $0$ and $1$; measuring it yields one classical value.

  • Scaling: While $N$ bits hold $1$ value out of $2^N$ possible combinations, the state of $N$ qubits is described by $2^N$ amplitudes at once.

    • Example: 8 bits hold one of 256 patterns; the state of 8 qubits spans all 256 patterns simultaneously.

    • Caveat: this does not mean a quantum computer reads out all $2^N$ answers. Algorithms such as Shor's use interference so that wrong answers cancel and the right one is measured with high probability; the speedup comes from the algorithm, not from "trying everything at once".

Primary Quantum Algorithms vs. Cryptography

Two specific algorithms turn quantum hardware into a weapon against current encryption:

  1. Shor's Algorithm (Peter Shor, 1994):

    • Effect: Breaks every widely deployed public-key scheme, since all of them rest on factoring or discrete logarithms.

    • Capability: Solves integer factoring and discrete logarithm problems (including elliptic-curve discrete logs) in polynomial time.

    • Broken Schemes: RSA, Diffie-Hellman, ECDH, ECDSA, Ed25519.

    • Fix: Replacement is mandatory; increasing key sizes does not help.

  2. Grover's Algorithm (Lov Grover, 1996):

    • Effect: Weakens symmetric cryptography.

    • Capability: Provides a square-root speedup on brute-force key search ($2^N \rightarrow 2^{N/2}$ evaluations).

    • Impact: AES-128 drops to an effective security level of $2^{64}$ quantum operations. Because Grover's iterations must run sequentially and do not parallelize the way classical brute force does, this is still widely considered infeasible, but the comfortable security margin is gone.

    • Fix: AES-256 is recommended; it keeps an effective security level of $2^{128}$ even against Grover.

Hardware Status and Progress

  • Physical Qubits: Individual hardware devices that are noisy.

  • Logical Qubits (LQ): Error-corrected groups of physical qubits reliable for computation.

  • Current Capabilities (Jan 2026):

    • QuEra: $96$ LQ.

    • Quantinuum (Nov 2025): $48$ LQ.

  • Required to break RSA-2048: Approximately $1,400$ LQ (Gidney 2025 estimate).

  • The Gap: Hardware is roughly $15$ times short of the target, but the gap is closing rapidly (down from an estimated $6,000$ LQ in 2019).

Implementation Readiness: PQC vs. QKD

  • Post-Quantum Cryptography (PQC):

    • Type: Mathematical.

    • Mechanism: Based on mathematical problems (lattices, hash functions, codes) for which no efficient classical or quantum algorithm is known.

    • Hardware: Runs on standard CPUs with no special hardware, so in principle any device that can run AES can run it; in practice RAM and code size still matter on the smallest devices (see Section 3).

    • Standards: FIPS 203, 204, 205 (August 2024).

  • Quantum Key Distribution (QKD):

    • Type: Physics-based.

    • Mechanism: Single photons sent over fiber; eavesdropping is detected by changes in state.

    • Hardware: Dedicated fiber, photon sources, and detectors.

    • Feasibility: Not feasible for widespread IoT; suitable for specialist links (military/finance).

Section 2: What NIST Standardized

NIST Standardization Timeline

  1. Dec 2016: Public call for PQC proposals.

  2. 2017: 82 submissions received, 69 accepted.

  3. July 2022: First algorithms selected for standardization.

  4. Aug 2024: FIPS 203, 204, and 205 finalized (ML-KEM, ML-DSA, SLH-DSA).

  5. 2030: RSA-2048 and ECDSA-P256 (112-bit classical security) scheduled for deprecation in US federal systems (NIST IR 8547 draft).

  6. 2035: Classical asymmetric crypto disallowed for US federal systems.

The Five Families of PQC

  • Lattice-based:

    • Hard Problem: Learning With Errors (LWE) and NTRU.

    • Notable Schemes: Kyber, Dilithium, Falcon.

    • Status: Standardized (Kyber = ML-KEM, FIPS 203; Dilithium = ML-DSA, FIPS 204). Falcon is slated to become FN-DSA (FIPS 206).

  • Hash-based:

    • Hard Problem: Preimage and second-preimage resistance of the underlying hash function, built into a hash tree of one-time or few-time signatures.

    • Notable Schemes: SPHINCS+, XMSS, LMS.

    • Status: Standardized (SPHINCS+ = SLH-DSA, FIPS 205); the stateful XMSS and LMS are approved separately in NIST SP 800-208.

  • Code-based:

    • Hard Problem: Decoding random linear codes (syndrome decoding).

    • Notable Schemes: Classic McEliece, BIKE, HQC.

    • Status: HQC selected for a 2027 draft standard as a non-lattice backup KEM. Classic McEliece has public keys of hundreds of KB, which rules it out for constrained IoT.

  • Multivariate:

    • Hard Problem: Solving systems of multivariate quadratic equations.

    • Notable Schemes: Rainbow.

    • Status: Broken in 2022 (practical key recovery).

  • Isogeny-based:

    • Hard Problem: Finding isogenies between supersingular elliptic curves.

    • Notable Schemes: SIKE.

    • Status: Broken in 2022 (key recovery within hours on an ordinary laptop).

  • Lesson: Both 2022 breaks were classical attacks on new mathematics, not quantum attacks. That risk is part of the case for hybrid deployment (Section 3).

Deep Dive: FIPS Standards

  • FIPS 203: ML-KEM (Module-Lattice KEM):

    • Based on: Kyber.

    • Role: Key establishment, replacing ECDH (and legacy RSA key transport) in TLS.

    • Hard Problem: Module-LWE (LWE over module lattices).

    • Attributes: Fast, small keys.

  • FIPS 204: ML-DSA (Module-Lattice DSA):

    • Based on: Dilithium.

    • Role: Digital signatures, replacing ECDSA and RSA.

    • Hard Problem: Module-LWE (plus Module-SIS for unforgeability).

  • FIPS 205: SLH-DSA (Stateless Hash-based DSA):

    • Based on: SPHINCS+.

    • Role: Digital signatures where conservative security matters more than size, such as long-term archival signatures and firmware/root-of-trust signing.

    • Hard Problem: Security of the underlying hash function only; no lattice or number-theoretic assumption.

    • Caveat: Signatures are large (about $7.8\,KB$ for SLH-DSA-128s) and signing is slow; verification is comparatively cheap, which suits a sign-rarely, verify-often firmware-update flow.

    • Comparison with LMS:

      • LMS (Leighton-Micali Signatures): Stateful. The signer must keep a counter in non-volatile storage and never reuse a leaf. If a device is reset, restored from backup, or cloned and signs twice with the same counter value, an attacker can forge signatures.

      • SLH-DSA: Stateless; the leaf used for each signature is derived pseudorandomly from the message (with optional extra randomness) inside a hypertree so large that reuse is negligible. Safe for IoT devices prone to state loss from power failure or cloning.

The Mathematics of LWE (Learning With Errors)

LWE hides a secret (e.g., $x = 1, y = 4$) by adding small random changes (errors) to linear equations.

  1. Math: $3 \times 1 + 5 \times 4 = 23$; $7 \times 1 + 2 \times 4 = 15$.

  2. Add Errors: $23 \rightarrow 24 (+1)$; $15 \rightarrow 14 (-1)$.

  3. Public Key: The random numbers ($3, 5, 7, 2$) and the changed results ($24, 14$).

  4. Security: Without the errors this is plain linear algebra, solvable by Gaussian elimination. With the errors, an attacker who knows neither the secret nor the error values must search over candidate secrets (about $q^n$ of them) or solve a lattice problem, which is believed infeasible in the dimensions real schemes use (ML-KEM works modulo $q = 3329$ with polynomials of 256 coefficients).
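The scheme sketched above, carried through as a complete toy public-key encryption. This is an added example written for these notes, not code from the course or from any ML-KEM implementation: a Regev-style LWE cipher over the integers mod $Q = 97$ with $n = 8$ and 16 samples (tiny, insecure parameters chosen so the arithmetic is visible), plus a brute-force solver that reproduces the notes' two-equation instance and shows why the search space is $Q^n$. All parameters and the message are constructed for the demo.

```python
"""Toy LWE public-key encryption (Regev-style) over the integers mod Q.
Constructed example for these notes; parameters are far too small to be secure."""
import itertools
import random

N = 8    # secret dimension (ML-KEM works with polynomials of 256 coefficients)
M = 16   # number of LWE samples published in the key
Q = 97   # small prime modulus (ML-KEM uses q = 3329)


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def keygen(rng):
    """Secret s, random matrix A, small errors e; publish (A, b = A*s + e mod Q)."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s


def encrypt_bit(pk, bit, rng):
    """Pick a random subset of samples (r in {0,1}^M), sum them, hide the bit in v."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [dot(r, [A[i][j] for i in range(M)]) % Q for j in range(N)]
    v = (dot(r, b) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(sk, ct):
    """v - <u, s> = sum of the selected errors (+ Q/2 if bit == 1).
    At most M errors of size 1 are summed, and M < Q/4, so rounding recovers the bit."""
    u, v = ct
    d = (v - dot(u, sk)) % Q
    if d > Q // 2:          # centre into (-Q/2, Q/2]
        d -= Q
    return 1 if abs(d) > Q // 4 else 0


def encrypt_bytes(pk, data, rng):
    return [encrypt_bit(pk, (byte >> k) & 1, rng) for byte in data for k in range(8)]


def decrypt_bytes(sk, cts):
    bits = [decrypt_bit(sk, ct) for ct in cts]
    return bytes(sum(bits[i + k] << k for k in range(8)) for i in range(0, len(bits), 8))


def roundtrip(seed=2026, msg=b"meter"):
    """Generate a key, encrypt msg bit by bit, decrypt, and report whether it matches."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return decrypt_bytes(sk, encrypt_bytes(pk, msg, rng)) == msg


def brute_force_secret(A, b, err_bound=1):
    """Exhaustive LWE solver: test every secret in Z_Q^n against the error bound.
    Cost is Q**n candidates, which is why real schemes use n in the hundreds."""
    n = len(A[0])
    found = []
    for cand in itertools.product(range(Q), repeat=n):
        ok = True
        for row, bi in zip(A, b):
            r = (bi - dot(row, cand)) % Q
            if min(r, Q - r) > err_bound:   # residual must be a small error
                ok = False
                break
        if ok:
            found.append(list(cand))
    return found


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip())
    # The notes' instance: secret (1, 4), rows (3, 5) and (7, 2), errors +1 and -1.
    cands = brute_force_secret([[3, 5], [7, 2]], [24, 14])
    print(len(cands), "candidate secrets; (1, 4) among them:", [1, 4] in cands)
```

Run it to see that the 16 small errors never push a decryption across the $Q/4$ rounding boundary, and that the two-equation instance from the notes leaves the brute-force attacker with exactly nine candidate secrets (one per possible error pattern), which it could only narrow down with more samples; each extra unknown multiplies that search by $Q$.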

Section 3: The Cost of Migration

Device Class Constraints (RFC 7228)

  • Class 0/1: about $10\,KB$ of RAM or less and about $100\,KB$ of Flash (RFC 7228 gives these as approximate figures). Example: Arduino Nano (ATmega328P with $2\,KB$ SRAM and $32\,KB$ Flash).

  • Class 2 and above: about $50\,KB$ RAM and $250\,KB$ Flash or more. Examples: ESP32, Cortex-M4 boards.

  • Standard Fit: ML-KEM-512 needs roughly $18\,KB$ of RAM during the handshake in the implementation measured below, which fits Class 2+ but not Class 0/1. Optimised embedded implementations need less, but a $2\,KB$ part cannot spare it alongside its own firmware state.

Septien-Hernandez 2022 Study: Performance Data

  • Testbed: Arduino Nano (Sensor) connecting to a Raspberry Pi 3B+ (Gateway).

  • RAM Usage:

    • ML-KEM (Kyber512): $18,528\,B$ peak RAM.

    • LightSaber: $994\,B$ (not a NIST standard).

  • TLS 1.3 Handshake Metrics on Wire:

    • ML-KEM: $8,236\,B$ ($24$ packets).

    • P-256 ECDH: $7,748\,B$ ($28$ packets).

    • Change: $+6.3\%$ bytes, $-14\%$ packets.

  • CPU Time (Pi 3B+): ML-KEM full operation (keygen + encap + decap) takes $204\,ms$.

The Gateway Pattern for Constrained Leaf Nodes

Because Class 0/1 sensors cannot run ML-KEM, the Gateway Pattern is the standard architecture:

  • Sensor (Class 0/1): Communicates with the gateway using AES-256 under pre-shared keys (symmetric cryptography at 256-bit keys is considered quantum-safe; AES-128 would lose its margin under Grover). Keys must be provisioned per device at manufacture and be rotatable, since a leaked fleet-wide key breaks every sensor.

  • Gateway (Class 2+): Runs the full ML-KEM handshake to connect to the utility cloud.

  • Benefit and Caveat: Shifts the RAM-heavy public-key work off the sensor, so every hop is quantum-resistant against an off-site attacker. The gateway decrypts and re-encrypts, so it is a trust boundary that holds the sensors' PSKs and must be hardened accordingly; this is hop-by-hop, not end-to-end, protection.

Hybrid Migration

  • Mechanism: Running a classical (X25519) and a post-quantum (ML-KEM-768) key exchange in the same handshake.

  • Process: Both shared secrets are concatenated and fed through the TLS 1.3 key schedule (HKDF), so the session key depends on both. Security holds if either algorithm survives: a future quantum computer breaking X25519 still leaves ML-KEM, and an undiscovered flaw in ML-KEM (as happened to SIKE and Rainbow) still leaves X25519. The cost is an extra ML-KEM-768 encapsulation key ($1184\,B$) and ciphertext ($1088\,B$) on the wire plus a little CPU.

  • Adoption: Over half of human Internet traffic (Cloudflare early 2026 data) uses X25519MLKEM768. Default in Chrome and in the iOS/macOS 2026 releases.
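The combiner step, as an added example for these notes rather than code from any TLS stack: HKDF (RFC 5869) implemented over hashlib/hmac, self-checked against the RFC's first test vector, and applied to two stand-in shared secrets concatenated in the order the IETF X25519MLKEM768 draft uses (ML-KEM secret first, then X25519). The secrets, the info label and the transcript value are constructed placeholders; real code takes them from the ML-KEM decapsulation and the X25519 agreement.

```python
"""Hybrid key derivation in the style of TLS 1.3 X25519MLKEM768.
Constructed example for these notes: the two shared secrets are stand-in byte strings,
not real X25519 or ML-KEM output, and the labels are illustrative, not TLS's own."""
import hashlib
import hmac


def hkdf_extract(salt, ikm, hash=hashlib.sha256):
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); empty salt means a zero block."""
    if not salt:
        salt = b"\x00" * hash().digest_size
    return hmac.new(salt, ikm, hash).digest()


def hkdf_expand(prk, info, length, hash=hashlib.sha256):
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash).digest()
        out += block
        counter += 1
    return out[:length]


def rfc5869_test_vector_ok():
    """Self-check against RFC 5869 Appendix A, test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def hybrid_session_key(mlkem_ss, x25519_ss, transcript_hash, length=32):
    """Combine the two secrets into one IKM (ML-KEM first, as in the X25519MLKEM768
    draft). The output depends on both inputs, so an attacker must recover both."""
    if len(mlkem_ss) != 32 or len(x25519_ss) != 32:
        raise ValueError("ML-KEM-768 and X25519 shared secrets are both 32 bytes")
    prk = hkdf_extract(b"", mlkem_ss + x25519_ss)
    return hkdf_expand(prk, b"demo hybrid master" + transcript_hash, length)


def classical_only_key(x25519_ss, transcript_hash, length=32):
    """What a harvest-now-decrypt-later attacker could compute after breaking X25519
    with Shor: the classical-only derivation, which is not the hybrid session key."""
    prk = hkdf_extract(b"", x25519_ss)
    return hkdf_expand(prk, b"demo hybrid master" + transcript_hash, length)


def traffic_keys(master, transcript_hash):
    """Expand the master into per-direction keys, as TLS does with separate labels."""
    return {
        "client": hkdf_expand(master, b"demo c ap traffic" + transcript_hash, 32),
        "server": hkdf_expand(master, b"demo s ap traffic" + transcript_hash, 32),
    }


if __name__ == "__main__":
    assert rfc5869_test_vector_ok()
    mlkem_ss, x25519_ss, th = b"\x11" * 32, b"\x22" * 32, hashlib.sha256(b"hello").digest()
    key = hybrid_session_key(mlkem_ss, x25519_ss, th)
    print("hybrid key     :", key.hex())
    print("classical-only :", classical_only_key(x25519_ss, th).hex())
    print("client/server  :", {k: v.hex()[:16] for k, v in traffic_keys(key, th).items()})
```

The ordering and the two-input IKM are the whole point: a recorded handshake plus a future Shor-recovered X25519 secret gives the attacker only classical_only_key, which shares no bits with the real session key, and the same holds if ML-KEM is the one that falls.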

Side-Channel Attacks (SCA)

Mathematical security $\neq$ physical security. Physical devices leak secrets via timing, power spikes, or radio emissions.

  • Specific Attacks: KyberSlash (timing: a secret-dependent division in the message-decoding/compression step of several Kyber implementations, fixed by replacing the division with constant-time arithmetic), Berzati 2025 (EM emissions).

  • Platforms: ChipWhisperer (open-source SCA capture and glitching platform).

  • Defenses:

    • Constant-time code: no secret-dependent branches, memory indices, or divisions (use vetted libraries such as pqm4).

    • Masking: split each secret value into random shares and compute on the shares, so no single intermediate value correlates with the secret; higher-order attacks combine several shares' leakages, so the share count sets the protection order.

    • Secure enclaves and hardware shielding (filtering, noise injection, tamper-resistant enclosures).
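Masking, as an added example for these notes (not code from pqm4 or any ML-KEM implementation): first-order arithmetic masking of coefficients mod $q = 3329$, linear operations carried out share-wise, and a crude Hamming-weight power model showing that a probe on a single share is statistically independent of the secret while a probe on the unmasked value is not. The leakage model, the sample sizes and the reuse of the notes' $(1,4)\cdot(3,5) = 23$ instance are constructed for the demo; non-linear steps in real ML-KEM (decoding, compression) need dedicated masking gadgets that are not shown here.

```python
"""First-order arithmetic masking of ML-KEM-style coefficients mod Q, with a toy
Hamming-weight power model. Constructed example for these notes; linear ops only."""
import random

Q = 3329  # ML-KEM modulus


def mask(secret, n_shares, rng):
    """Split secret into n_shares values with secret == sum(shares) mod Q.
    Every share is uniformly random on its own, so one probed share says
    nothing about the secret; only all shares together do."""
    shares = [rng.randrange(Q) for _ in range(n_shares - 1)]
    shares.append((secret - sum(shares)) % Q)
    return shares


def unmask(shares):
    return sum(shares) % Q


def masked_add(a, b):
    """Addition is linear: operate share-wise, never recombining."""
    return [(x + y) % Q for x, y in zip(a, b)]


def masked_mul_public(a, c):
    """Multiplying by a public constant is linear too."""
    return [(x * c) % Q for x in a]


def masked_dot(secret_shares, public_vec):
    """<s, a> for a shared secret vector s and a public vector a (the A*s step of LWE)."""
    acc = [0] * len(secret_shares[0])
    for sh, c in zip(secret_shares, public_vec):
        acc = masked_add(acc, masked_mul_public(sh, c))
    return acc


def masked_dot_demo(seed=1):
    """The notes' instance: secret (1, 4) against public row (3, 5) gives 23."""
    rng = random.Random(seed)
    s_shares = [mask(1, 2, rng), mask(4, 2, rng)]
    return unmask(masked_dot(s_shares, [3, 5]))


def hamming_weight(x):
    return bin(x).count("1")


def correlation(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def leakage_correlation(trials, seed, masked):
    """Toy power model: the probe sees the Hamming weight of one register.
    Unmasked, that register holds the secret; masked, it holds one share."""
    rng = random.Random(seed)
    secrets, leaks = [], []
    for _ in range(trials):
        s = rng.randrange(Q)
        probed = mask(s, 2, rng)[0] if masked else s
        secrets.append(s)
        leaks.append(hamming_weight(probed))
    return correlation(secrets, leaks)


if __name__ == "__main__":
    print("masked dot product:", masked_dot_demo())
    print("corr(secret, HW) unmasked:", round(leakage_correlation(4000, 1, False), 3))
    print("corr(secret, HW) masked  :", round(leakage_correlation(4000, 2, True), 3))
```

With a first-order probe the unmasked register correlates clearly with the secret (about 0.4 under this model) while the masked share sits at noise level; an attacker would need to probe both shares and combine them (a second-order attack), which is the cost masking imposes.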

Synthesis: Designing a Smart City Architecture (2026-2046)

  • Scenario: 50,000 sensors (ATmega328P, $2\,KB$ SRAM), 500 gateways (Cortex-M4, high RAM), and a central server.

  • Requirement: Must remain secure until 2046.

  • Best Solution:

    • Leaf-to-Gateway: AES-256 with pre-shared keys (gateway pattern) because the sensors lack the RAM for ML-KEM.

    • Gateway-to-Server: Hybrid TLS (X25519MLKEM768) for defense-in-depth against both a future quantum computer and an unexpected break of ML-KEM.

    • Firmware Signatures: SLH-DSA, because it is stateless (a signing counter corrupted by power loss or duplicated by cloning cannot cause a reuse) and because firmware is signed rarely and verified often, which fits its large signatures and cheap verification.

    • Physical Protection: Masked implementations for gateways in locked enclosures.

Questions & Discussion

Q1: What does quantum computing actually damage the most in a typical IoT firmware stack?

  • Options: AES-128, SHA-256, ECDSA-P256, HMAC-SHA256.

  • Answer: ECDSA-P256. It is asymmetric and Shor's algorithm solves its underlying elliptic-curve discrete logarithm problem in polynomial time. The others are symmetric or hash-based and only face the square-root (quadratic) speedup of Grover's algorithm, which is a loss of margin, not a break.

Q2: Which signature scheme is best for sensors that may lose power or be cloned?

  • Answer: SLH-DSA. Being stateless, it does not rely on a non-volatile counter. Using LMS (stateful) in such an environment risks signing twice with the same one-time key after a reset or clone, which lets an attacker forge signatures under that key.

Q3: Can a smart meter with $2\,KB$ RAM run ML-KEM-512?

  • Answer: No. Even the smallest variant of ML-KEM requires $\approx 9-18\,KB$ of RAM depending on the specific implementation. The device must use a gateway pattern or pre-shared keys.