Practical Encryption Strategies for Securing the Post-Quantum IoT

Alex Vakulov

- Last Updated: December 26, 2025

In any system built on data exchange, security becomes one of the most critical properties, and cryptography plays a central role in ensuring it. To understand how cryptography for the Internet of Things is evolving, it helps to look at the history of this field.

Machine cryptography began in the twentieth century and relied on specialized encryption devices, first mechanical and later electromechanical. General-purpose computers appeared much later. The most famous example of early cipher machines is the German Enigma, whose decryption by British cryptanalysts significantly influenced the outcome of World War II.

A significant shift came in 1948 when Claude Shannon published his foundational work on information theory. As general-purpose computers became more widespread, cryptography entered a new technological era.

For many decades, practical cryptography focused on two main goals. The first was to make sure that a cipher stayed strong enough so that even an attacker with considerable computing power couldn’t decode a message without the secret key. The second was to maximize the amount of data protected by a single key before it needed to be changed.

By the end of the twentieth century, these goals were mostly accomplished. However, the rapid growth of IoT technologies and the emerging threat of quantum computing introduced new challenges for modern cryptography.

New Requirements for Cryptography in the Internet of Things

The Internet of Things is a system built on constant data exchange between millions of devices. Protecting this data has become critical. This is especially true for LPWAN-class devices (Low-Power Wide-Area networks), which have very limited processing power and send small data packets infrequently. For these devices, cryptography must meet several requirements.

1. Efficient work with small packets

IoT devices usually send small pieces of data — sensor readings, meter values, or quick status messages. Cryptographic algorithms must encrypt and decrypt these tiny packets efficiently. Ideally, algorithms should support different block sizes to fit various packet formats.

2. Minimal traffic overhead

Because LPWAN systems have strict bandwidth limits and many IoT deployments are billed by transmitted bytes, cryptographic overhead must be kept to a minimum. Reducing overhead prolongs battery life, decreases operating costs, and promotes efficient use of radio spectrum.

3. Computational efficiency

IoT devices often use inexpensive, low-power microcontrollers with very limited processing capabilities. A cryptographic algorithm cannot consume too many CPU cycles or require complex operations. Lightweight mathematical operations are critical for keeping battery consumption low.

4. Ability to function without a permanent connection

Some devices only communicate once per hour or even once per day. Cryptography must support secure communication without constant synchronization or permanent online connectivity. This is crucial for maintaining low energy use and prolonging device lifetime.

5. Readiness for the quantum era

As quantum computing research progresses, existing cryptographic systems, especially those based on asymmetric mathematics, face long-term risks. IoT solutions must consider these potential threats, as IoT devices typically stay in operation for many years, sometimes for a decade or more.

So, cryptography for IoT must address a unique set of challenges: small messages, limited bandwidth, minimal CPU resources, infrequent connectivity, and the requirement for long-term security.

Quantum Threats and Their Impact

Quantum computers introduce new risks for modern cryptographic systems. To understand how they affect security, it helps to distinguish between symmetric and asymmetric encryption.

Symmetric cryptography uses the same key for encryption and decryption, requires relatively little computing power, and is generally resistant to quantum attacks. Quantum algorithms provide only a quadratic speedup when brute-forcing a symmetric key. Grover’s algorithm is the most well-known example, and its impact can be countered simply by increasing the key length. Therefore, AES remains structurally strong even in a future quantum environment.

Asymmetric cryptography works differently. It uses paired public and private keys to support functions like authentication, digital signatures, and secure key exchange. This type is more vulnerable because Shor’s algorithm could theoretically break RSA, ECC, and similar systems. However, such an attack would need a quantum computer far more powerful than anything available today, and no such machine exists. Current quantum computers are small, noisy, and far from the scale needed to threaten cryptography used on the internet.

Although symmetric algorithms are still secure, the main challenge remains key distribution. Asymmetric methods make key exchange easier but are vulnerable to quantum computing. IoT systems need alternatives that provide strong security while accommodating resource-constrained environments.

In 2025, RSA, ECC, and similar systems remain operationally secure, but the industry is already preparing for the transition to post-quantum cryptography (PQC).

NIST’s Post-Quantum Standardization Effort

To address future risks, NIST began a public effort in 2016 to develop and standardize quantum-resistant algorithms. By 2022, finalists were selected. In 2024, NIST released the first official standards:

  • FIPS 203 (ML-KEM) — based on Kyber
  • FIPS 204 (ML-DSA) — based on Dilithium
  • FIPS 205 (SLH-DSA) — based on SPHINCS+

These form the foundation for cryptography that will protect communication in the quantum era.

Exploring New Approaches

There is a practical relationship between how often keys are replaced and how complex a cipher must be:

  • Frequent key rotation allows using simpler, cheaper algorithms
  • Simpler algorithms reduce computational load and energy consumption

At the far end of this trade-off lies the Vernam one-time pad (OTP), which encrypts data using XOR with a key identical in length to the message. OTP provides perfect information-theoretic security, but requires key material equal in size to all transmitted data.

Historically, OTP was used by intelligence services, where keys were distributed physically. While it may seem outdated, OTP becomes surprisingly practical in certain IoT scenarios.

Real-World Feasibility Examples

Scenario 1: Temperature and humidity sensor

Assume a sensor sends:

  • Temperature: 0–50°C in 0.5°C steps
  • Humidity: 0–99% in 1% steps

That is approximately 2 bytes per transmission, including redundancy. If the sensor transmits every hour for 10 years, it would send: 2 bytes × 24 × 365 × 10 ≈ 175 KB.

This means only about 175 KB of one-time-pad key material is needed for the entire lifespan — easily stored in modern flash memory.
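An added example (not from the original article) of how the Scenario 1 sensor could consume a pre-provisioned one-time pad in firmware: each reading is packed into 2 bytes and XORed with pad bytes that are never used twice. The function names, the 14-bit packing, and the assumption that the receiver learns the pad offset from the frame are hypothetical choices made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Scenario 1 payload: 7 bits of half-degree steps (0..100), 7 bits of humidity (0..99). */
int pack_reading(unsigned half_deg, unsigned humidity, uint8_t out[2]) {
    if (half_deg > 100 || humidity > 99) return -1;
    unsigned v = (half_deg << 7) | humidity;
    out[0] = (uint8_t)(v >> 8);
    out[1] = (uint8_t)(v & 0xFF);
    return 0;
}

typedef struct {
    const uint8_t *pad;  /* pre-provisioned key material */
    size_t pad_len;
    size_t next;         /* first unused offset; must survive reboots */
} otp_state;

/* Sender: XOR with fresh pad bytes; returns the offset used, or -1 when the pad is exhausted. */
long otp_seal(otp_state *s, const uint8_t *in, uint8_t *out, size_t len) {
    if (len > s->pad_len - s->next) return -1;
    size_t off = s->next;
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ s->pad[off + i];
    s->next = off + len;
    return (long)off;
}

/* Receiver: refuse any offset below the high-water mark, since that would reuse pad bytes. */
int otp_open(otp_state *s, size_t off, const uint8_t *in, uint8_t *out, size_t len) {
    if (off < s->next || off > s->pad_len || len > s->pad_len - off) return -1;
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ s->pad[off + i];
    s->next = off + len;
    return 0;
}

int main(void) {
    static const uint8_t pad[4] = {0xA5, 0x3C, 0x0F, 0xF0}; /* constructed sample pad */
    otp_state dev = {pad, sizeof pad, 0}, srv = {pad, sizeof pad, 0};
    uint8_t pt[2], ct[2], rt[2];
    pack_reading(43, 60, pt);                    /* 21.5 C, 60 % humidity */
    long off = otp_seal(&dev, pt, ct, 2);
    printf("open=%d ", otp_open(&srv, (size_t)off, ct, rt, 2));
    printf("replay=%d\n", otp_open(&srv, (size_t)off, ct, rt, 2));
    return 0;
}
```

XOR with a pad gives confidentiality only; a frame still needs a separate authentication tag to detect tampering, which this example does not cover.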

Scenario 2: Water consumption meter

If a meter sends a 3-byte reading once per day for 16 years, the total data volume is about 17 KB. This example again shows that many real IoT devices generate extremely small amounts of data over their entire lifetimes.

For ultra-low-bandwidth devices, OTP and similar lightweight symmetric systems are feasible and efficient. Even if data volumes increase several times, the required storage remains trivial by modern standards.

These examples demonstrate that many IoT devices produce only small amounts of data, making one-time pads and other pre-provisioned symmetric methods entirely feasible. However, the simplicity of these devices often means they lack OS-level protections, so compromised firmware could still capture readings before encryption, similar to a keylogger. This doesn't lessen the viability of lightweight cryptography but highlights the importance of maintaining device integrity.

Do We Need Complex Quantum-Resistant Key Exchange?

In some tightly controlled IoT deployments, a device can be factory-provisioned with all the symmetric keys it will ever need. When the trust relationships are fixed and the backend never changes, the device does not require runtime key negotiation. This breaks the traditional assumptions that led to complex key-exchange protocols, which were designed for systems with abundant resources, frequent communication, and long-lived asymmetric keys.

In such scenarios, preloading key material can reduce or even eliminate the need for post-quantum key-exchange mechanisms, provided the system includes secure storage, unique per-device keys, and a plan for key revocation or rotation if needed.

Implementation Requirements

To support this approach, secure key storage is essential both in the cloud and on the device.

Server-Side: Hardware Security Modules (HSMs)

HSMs are industry-standard solutions for storing and managing cryptographic keys. They are mature, widely deployed, and well-understood.

Device-Side: Secure Elements

Modern IoT devices often use secure elements for key storage. A common form is the UICC (SIM card), including its variants:

  • SIM
  • eSIM
  • iSIM
  • eUICC / iUICC

These chips are very affordable, tamper-resistant, mass-produced, and already trusted in the financial and telecom sectors.

GSMA IoT SAFE

The GSMA IoT SAFE initiative positions the SIM/UICC as the root of trust for IoT devices, enabling it to securely store keys, execute cryptographic operations within a protected environment, and support end-to-end encryption via dedicated applets. Key material can also reside externally in encrypted containers that only the secure element can unlock. Updates to these keys can be delivered via well-established mechanisms, such as Key Wrap, which is widely used in HSM deployments.

All necessary components for secure IoT cryptography already exist, are inexpensive, and are familiar to engineers. No exotic new hardware is required.

Conclusion

Using pre-provisioned symmetric keys, including one-time pads in some scenarios, enables simple and lightweight quantum-resistant cryptography for IoT devices. This method reduces computational overhead, supports long battery life, works with widely available secure elements like SIM cards, remains secure even against future quantum computers, and avoids reliance on asymmetric algorithms that may become vulnerable. Although not suitable for all IoT types, it is especially well-suited for low-bandwidth sensors, meters, and long-life embedded devices.
