On the Energy Costs of Post-Quantum KEMs in TLS-based Low-Power Secure IoT.

Recent achievements in designing quantum computers place a serious threat on the security of state-of-the-art public key cryptography and on all communication that relies on it. Meanwhile, security is seen as one of the most critical issues of low-power IoT devices even with pre-quantum public key cryptography since IoT devices have strict energy constraints and limited computational power. Thus, state-of-the-art dedicated hardware accelerators have been deployed to facilitate secure and confidential communication with well established protocols on such devices. It is common belief that the complexity of the cryptographic computations are also the bottleneck of the new, quantum-resistant algorithms and that hardware accelerators are necessary to use them efficiently on energy constrained embedded devices. In this paper, we carried out an in-depth investigation of the application of potential Post-Quantum Cryptography algorithms, which were proposed in the associated US NIST process, to a representative TLS-based low-power IoT infrastructure. First, we show that the main contributor to the TLS handshake latency are the higher bandwidth requirements of post-quantum Key-Encapsulation Mechanisms rather than the cryptographic computations itself. Second, from the perspective of crypto-agility we show that edge devices with code-based, isogeny-based as well as lattice-based algorithms have low energy consumption, which enables long battery run times in typical IoT scenarios without dedicated hardware accelerators. Third, we increase the level of security further by combining pre-quantum and post-quantum algorithms to a hybrid key exchange, and quantify the overhead in energy consumption and latency of it.