Gweltas Radenac, Director of IoT Business Line at WISeKey shares how quantum computers are due to impact IoT security
As the deployment of IoT devices accelerates, particularly in low-power wide-area networks (LPWAN) like smart meters, questions about post-quantum security are becoming more relevant. Devices deployed today are designed for a long lifecycle—many will remain active for 10 to 20 years. This timeline raises an important question: will these devices still be secure when quantum computers become practical?
The answer is complex. Quantum computing holds the potential to break widely used cryptographic algorithms, such as RSA and ECC. As a result, cryptographers are actively researching quantum-resistant algorithms. Institutions like NIST are leading the charge in standardising post-quantum cryptography (PQC). This has led some to consider implementing these new cryptographic schemes today to future-proof their IoT devices.
But for constrained LPWAN devices like smart meters, the situation is not so straightforward. These devices often operate on ultra-low power, have very limited memory, and support minimal bandwidth. Implementing PQC now would mean heavier algorithms, larger key sizes, and greater processing demands—which are impractical for many devices without dramatically increasing cost and power consumption.
Another important point: who will be attacking LPWAN devices using quantum computers? When quantum computers become powerful enough to threaten public-key cryptography, they will likely be restricted to national laboratories or research institutions due to their immense cost and complexity. The probability that someone will burn thousands of dollars per hour to compromise a smart meter or a water sensor—devices that generate little monetisable data—is very low.
Instead of prematurely jumping to post-quantum cryptography, organisations are increasingly exploring crypto-agility. This approach emphasises designing systems and devices in such a way that their cryptographic algorithms can be updated or replaced in the future, without changing the hardware.
There are two main strategies:
- Crypto-agile design: this means enabling devices to accept new cryptographic algorithms, possibly even firmware updates that change how security functions work. Devices must be built with enough memory, compute, protocol flexibility and secure algorithms updates to accommodate future changes
- Preemptive PQC adoption: some are advocating for deploying quantum-safe cryptography now, particularly in sectors like IT, automotive, aerospace, or defence, critical infrastructures where long-term security is critical and hardware limitations are less severe
Both approaches carry trade-offs. Pre-emptive deployment increases cost and complexity now for a theoretical benefit later. Crypto-agility introduces its own engineering burdens and requires robust update mechanisms and forward-compatible architectures.
An important nuance is contextual security. Not all data is equally valuable. Historical water usage might not warrant post-quantum protection, whereas a personal’s location data or a medical implant’s firmware might. This means the security posture must be tailored to data sensitivity and device purpose.
Given these factors, the most practical near-term solution for many IoT and LPWAN devices is to focus on crypto-agile design, while preparing the broader ecosystem—software, gateways, Cloud —for eventual PQC compatibility.
The case for secure hardware and hybrid PKI
One way to prepare for both current and future threats—including quantum—is through hardware-based security. Technologies like Trusted Platform Modules (TPM) and Secure Elements (SE) allow cryptographic keys to be stored in tamper-resistant, non-exportable environments.
- A TPM enables devices to securely generate and store cryptographic keys, protect firmware integrity via secure boot, and manage authentication
- A Secure element offers similar benefits but in a form factor more suitable for resource-constrained environments like smart meters or tracking tags
- These hardware anchors also facilitate anti-rollback protection, key attestation, and side-channel resistance, all of which are critical for devices that will remain deployed for over a decade
Additionally, implementing a hybrid PKI model is gaining traction. This means:
- Using classical ECC or RSA-based certificates today, while designing the PKI to also support future PQC certificate formats (e.g., via hybrid certificates that include both classical and quantum-safe public keys)
- The PKI infrastructure (Root CA, Intermediate CA, RA) can be designed to support crypto-agile enrollment, rotate algorithms over time, and enforce certificate renewal policies that reduce the impact of future crypto breaks
Hybrid PKI bridges the gap between today’s standards and tomorrow’s needs without forcing an overhaul of the entire system. It supports a phased transition toward post-quantum readiness—allowing organisations to adopt PQC at the network or node level as maturity, use case, and regulation dictate.
In conclusion, while the quantum threat is real, it’s more urgent for most LPWAN deployments to embrace crypto-agility, securing devices with TPMs or SEs, and adopting hybrid PKI architectures, and thus manufacturers and operators can balance present-day performance with future-proofed security—without compromising cost or efficiency.
Gweltas Radenac is Director of the IoT Business Line at WISeKey/SEALSQ, where he leads secure hardware and software solutions for IoT identity and device trust. With a strong background in mobile, embedded systems, robotics, and in applications such as medical devices & smart buildings, he has driven product innovation across Asia and Europe.
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by visiting our LinkedIn page.