For resource-constrained IoT devices, lattice-based post-quantum protocols currently offer the best balance of security, computational cost, and compactness. The National Institute of Standards and Technology selects CRYSTALS-Kyber for key-encapsulation and CRYSTALS-Dilithium among signature options, and official guidance from Dustin Moody National Institute of Standards and Technology explains the rationale behind those selections. Cryptographers such as Matthew Green Johns Hopkins University have analyzed these choices and highlighted that lattice schemes typically require less RAM and CPU time than many alternatives while providing robust security against known quantum attacks.
Trade-offs and implementation considerations
Choices hinge on three intertwined constraints: processing power, memory, and network energy. CRYSTALS-Kyber provides an efficient method for establishing symmetric keys with comparatively small ciphertext sizes and modest computation, which reduces transmission energy and latency. CRYSTALS-Dilithium offers faster verification and smaller signature sizes than some hash-based alternatives, though signature verification cost and code complexity remain important in very tiny devices. Code-based schemes such as Classic McEliece have outstanding conservative security but large public keys that make them impractical for bandwidth-limited sensors. Isogeny-based schemes once promised tiny keys but suffered a catastrophic cryptanalysis by Wouter Castryck KU Leuven and Thomas Decru KU Leuven in 2022, demonstrating that theoretical promise does not always translate into deployed resilience.
Practical recommendations
Designers should favor a KEM-first approach to minimize on-device asymmetric operations, using CRYSTALS-Kyber for key exchange and delegating heavyweight operations to servers when feasible. Where device authentication is required on-device, choose CRYSTALS-Dilithium or other NIST-approved signatures after profiling memory and CPU budgets. Use hybrid constructions during the transition to combine classical and post-quantum assurances. Implementations must follow constant-time coding and side-channel hardening to avoid practical breaks that cryptanalysis does not cover. In regions with intermittent connectivity or metered data, the environmental and economic consequences are material: larger keys and frequent rekeying increase energy consumption and can accelerate battery depletion, influencing device lifetimes and electronic waste.
Adopting post-quantum cryptography in IoT is therefore not just a cryptographic choice but a systems and policy decision. Industry and standards work led by organizations such as the National Institute of Standards and Technology should be followed closely, and field testing remains essential to reconcile theoretical security with the territorial, cultural, and environmental realities of deployed IoT networks.