Post-Quantum Cryptography for Industrial IoT with Rust

"Quantum-safe infrastructure starts at the silicon level. We built pqc-iiot to be that foundation."

Why We Built pqc-iiot

The looming threat of quantum computing has made it imperative to rethink how we secure digital communication — especially in Industrial IoT (IIoT) systems, where devices are often deployed for decades with limited ability to patch or upgrade.

pqc-iiot is a modular, no_std-compatible Rust crate designed from scratch to bring post-quantum cryptographic primitives to resource-constrained devices.

Our goal was to build a portable, memory-efficient, and secure-by-design library that supports Kyber (KEM), Falcon (signatures), and other NIST PQC algorithms with real-world applicability in constrained IIoT environments.

Design Requirements

We started with some hard non-negotiables:

• Post-Quantum primitives only — no hybrid fallback to RSA/ECC
• Must compile with #![no_std] and run on microcontrollers
• Zero-allocation with strict memory control via heapless
• Constant-time operations to resist side-channel attacks
• High-level API for easy adoption across MQTT, CoAP, LoRaWAN, etc.

Architecture Overview

The crate follows a modular layout:

src/
├── kem.rs         # Kyber / Saber (KEM)
├── sign.rs        # Falcon / Dilithium (signatures)
├── profile.rs     # CryptoProfile abstraction layer
├── utils.rs       # RNG, hashing, key encoding
├── lib.rs         # Public API

Supported Algorithms

We currently support:

• Kyber512, Kyber768, Kyber1024
• Falcon-512, Falcon-1024
• Dilithium (experimental)
• Saber (KEM alternative)
• BIKE (experimental)

These can be selected via Cargo features, or grouped into profiles.

Crypto Profiles

To simplify configuration and usage in constrained environments, we introduced CryptoProfile, a high-level abstraction for pairing a KEM with a digital signature scheme.

let profile = CryptoProfile::KyberFalcon;
let (pk, sk) = profile.generate_keypair();
let ciphertext = profile.encapsulate(&pk);
let signature = profile.sign(&sk, message);

This allows developers to pick from balanced, high-security, or low-power profiles depending on hardware capabilities.

Integration with IIoT Protocols

The library was built to be integrated into:

• MQTT stacks (e.g. rumqttc)
• CoAP frameworks (coap-lite)
• Custom serial protocols for edge gateways

Secure payloads are encapsulated using Kyber and authenticated with Falcon, enabling end-to-end post-quantum secure messaging.

Performance & Footprint

• All timings are constant-time implementations
• Measured with cargo-embed on thumbv7em-none-eabihf

Security Considerations

• RNG is based on rand_core and configurable to use hardware TRNG
• Wiped secrets using zeroize traits
• Internal operations audited to prevent timing leaks

Development Process

1. Phase 1 — Research & algorithm selection
2. Phase 2 — no_std crate skeleton, Kyber+Falcon working
3. Phase 3 — MQTT/CoAP integration, secure messaging
4. Phase 4 — Benchmarks, fuzz testing, memory profiling
5. Phase 5 — Expansion with Saber, Dilithium, BIKE
6. Phase 6 — Introduction of CryptoProfile abstraction

Limitations

• No TLS integration yet — planned for Phase 7 (rustls hybrid support)
• Only deterministic keygen — no on-device entropy enhancement
• Experimental algorithms not production-hardened

Future Directions

• WASM demo + WebSerial secure handshake
• Integration with Zephyr RTOS and RIOT
• Dynamic crypto profile loading via config
• NIST-compliant key formatting (SP 800-56C)
• PQ-TLS bindings for constrained TLS over MQTT

Try It Now

cargo add pqc-iiot --git https://github.com/doomhammerhell/pqc-iiot

Final Thoughts

We don’t just need stronger encryption — we need encryption that survives the next 30 years.

pqc-iiot is an evolving foundation for secure-by-default IIoT systems. Whether you’re securing sensors, edge gateways, or autonomous machines, this crate is designed to give you the cryptographic edge in a quantum future.

💬 Questions? PRs and issues welcome at GitHub.

---