Evaluating Post-Quantum Cryptographic Algorithms on Resource-Constrained Devices

This Paper is accepted to IEEE International Conference on Quantum Computing and Engineering (QCE25)

Git Logo GitHub article Paper Link

Abstract

The rapid advancement of quantum computing poses a critical threat to classical cryptographic algorithms such as RSA and ECC, particularly in Internet of Things (IoT) devices, where secure communication is essential but often constrained by limited computational resources. This paper investigates the feasibility of deploying post-quantum cryptography (PQC) algorithms on resource-constrained devices. In particular, we implement three PQC algorithms --- BIKE, CRYSTALS-Kyber, and HQC --- on a lightweight IoT platform built with Raspberry Pi devices. Leveraging the Open Quantum Safe (liboqs) library in conjunction with mbedTLS, we develop quantum-secure key exchange protocols, and evaluate their performance in terms of computational overhead, memory usage, and energy consumption for quantum secure communication. Experimental results demonstrate that the integration of PQC algorithms on constrained hardware is practical, reinforcing the urgent need for quantum-resilient cryptographic frameworks in next-generation IoT devices.

Introduction

In today’s world, millions—if not billions—of people use a wide variety of devices. This ranges from the typical gadgets like phones, laptops, and computers to more specialized smart appliances such as electric toothbrushes and smart cat litter trays. These devices are categorized as Internet of Things (IoT) devices and are equipped with microcontrollers, transceivers for digital communications, and suitable protocol stacks that enable them to communicate with one another and with users. IoT devices are constantly evolving, with the goal of connecting everyday objects to the Internet. This allows them to collect, share, and analyze data much easier, improving efficiency, productivity, and convenience. While the concept of integrating everyday devices with the Internet through IoT is promising, significant vulnerabilities remain that have not been thoroughly addressed.

Contributions

The contributions of this projet are as follows:

  1. We present a standardized, reproducible benchmarking methodology for evaluating PQC algorithms using a TLS-inspired client-server model deployed on constrained embedded platforms.
  2. We implement and evaluate three NIST-designated PQC KEMs -- BIKE, HQC, and CRYSTALS-Kyber, at multiple security levels, measuring execution time, power consumption, memory usage, and thermal behavior on Raspberry Pi-based systems.
  3. Our findings show that CRYSTALS-Kyber provides the most favorable trade-off across performance metrics, demonstrating high suitability for secure deployment in constrained IoT environments.
  4. We identify key trade-offs in BIKE and HQC, showing that while BIKE achieves the lowest memory usage, it incurs significant latency and power costs at higher security levels; HQC offers moderate runtime efficiency but suffers from high memory demand and thermal overhead.

Methodology

This study evaluates the performance of three post-quantum key encapsulation mechanisms (KEMs) -- BIKE, CRYSTALS-Kyber, and HQC, within a simulated client-server communication framework. The goal is to assess the feasibility of deploying these algorithms on constrained embedded systems by measuring their power consumption, execution time, memory usage, and communication throughput.

Experimental Setup

The experimental setup, shown in the diagram, consisted of a Raspberry Pi 3 Model B+ as the client and a Raspberry Pi 5 as the server. Both devices ran Raspberry Pi OS Lite, a Debian-based system selected for its minimal overhead and lightweight design. An offline network switch connected the two devices, providing an isolated environment free from external interference to ensure consistent and reproducible measurements.

Lightweight protocol

A custom lightweight protocol is implemented for benchmarking consiting of the following steps:

  • Handshake: The client initiates a secure session by establishing a TCP connection with the server
  • Key exchange:
    • The server generates a key pair using the selected post-quantum key encapsulation mechanism (PQC-KEM) and sends the public key to the client.
    • The client performs key encapsulation and returns the resulting ciphertext and shared secret to the server.
  • Session Key Derivation: Both the client and server derive a common session key from the KEM output.
  • Secure Message Exchange: To validate successful key agreement, the client encrypts a message using AES-GCM and transmits it to the server.

Performance Evaluation Procedure

To evaluate the performance of each algorithm, the client and server applications are executed concurrently in isolated sessions. Four text files of varying sizes (208 bytes, 731 bytes, 1235 bytes, and 2328 bytes) are used to simulate different communication loads and observe the impact of message size on system performance. The use of text files were chosen for their simplicity and transparency, allowing us to easily control the data size, format, and structure. This approach is straightforward for manual testing, reproducibility and consistency. Each session runs for a fixed duration of five minutes, followed by a five-minute rest period to allow the devices to return to baseline thermal and performance conditions.

All software is developed in C, using mbedTLS (version 3.6) as the primary cryptographic library, extended with liboqs from the Open Quantum Safe (OQS) project (version 0.12). Each KEM is integrated independently into the communication protocol to allow for a fair evaluation.

Acknowledgments

Jesus Lopez is funded by the Department of Computer Science at UTEP. Viviana Cadena is funded by the Cyber Halo Innovation Research Program (CHIRP) at Pacific Northwest National Laboratory (PNNL).

Contributors

UTEP logo IQSec-logo pnnl logo