Securing IoT in the post-quantum world?

Generally, the main security goals for the IoT are confidentiality, integrity, and authentication. Confidentiality guarantees that sensitive information can not be leaked to unauthorized entities, while integrity prevents information from being modified en router, and authentication ensures that the communicating entities are indeed those they declare to be.

disclaimer: I am not a cryptographer, so the material is from the a paper I recently read. Cool paper tho:

A little bit about cryptography:

Current cryptographic primitives for securing communication in the IoT

Protocols like IP v6 over LoWPAN, COAP or IEEE (802.15.4, like wifi) are powered by cryptography primitives such as AES, ECDH and ECDSA to ensure secure key exchange (ECDH), integrity (AES, ECDSA) and authentication (ECDSA).

However, recent advances in quantum computing threaten the security of the current IoT using these cryptographic schemes. Check out the following table to compare for each cryptographic technologies.

Impact of large-scale quantum computers

Basically, it means all of our computer security system, IoT devices, files… are gonna be exposed to “quantum hackers”. Everything encrypted will be broken.

Initial recommendations for quantum-resistant algorithms

Researchers proposed the above cryptographic recommendations to upgrade the existing encryption algorithm for post-quantum era.

What is the real problem in IoT security?

To be honest, I am not sure if this will solve the problem of IoT devices. Today, 540,000 IoT devices online, they are just running a default configuration. Passwordless or “admin admin” stuff. You know what I mean.

It’s relatively hard to break into an iPhone or a well protected Android phone, because Apple and Google actually put security in place. It’s still possible, but not that straightforward. However, this is not the case happening in the low-end embedded computers – Internet of Things devices.

Why Tesla is relatively safer than other connected cars in the world? Because Tesla is building a computer with wheels and battery around it. Other automakers, they are inserting a computer (made by others) into a traditional car! Similar to other manufacturers, they want to make everything into a computer without putting enough resources into cybersecurity.

Related image


In my opinion, post-quantum cryptography is not gonna help the IoT security unless we improve the fundamental IoT security practices.