Resilience of Post-Quantum Cryptography in Lightweight IoT Protocols: A Systematic Review

Abstract

The rapid advancement of quantum computing poses significant threats to classical cryptographic methods, such as Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC), which currently secure Internet of Things (IoT) and cloud communications. Post-Quantum Cryptography (PQC), particularly lattice-based schemes, has emerged as a promising alternative. CRYSTALS-Kyber, standardized by the National Institute of Standards and Technology (NIST) as ML-KEM, has shown efficiency and practicality for constrained IoT devices. Most existing research has focused on PQC within the Transport Layer Security (TLS) protocol. Consequently, a critical gap exists in understanding PQC’s performance in lightweight IoT protocols. These are Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP), particularly under adverse network conditions. To address this gap, this paper provides a systematic review of the literature on the network resilience and performance of CRYSTALS-Kyber when integrated into these protocols operating over lossy and high-latency networks. Additional challenges include non-standardized integration, resource limitations, and side-channel vulnerabilities. This review provides a structured synthesis of current knowledge, highlights unresolved trade-offs between security and efficiency, and outlines future research directions, including protocol-level optimization, lightweight signature schemes, and resilience testing of PQC-secured IoT protocols under realistic conditions.

1. Introduction

The rapid advancement of quantum computing poses significant risks to classical cryptographic systems such as RSA (Rivest–Shamir–Adleman) and ECC (Elliptic Curve Cryptography), widely used to secure communications between Internet of Things (IoT) devices and cloud platforms. Quantum algorithms, particularly Shor’s algorithm, have demonstrated capabilities to compromise these cryptographic foundations by efficiently factoring large integers and solving discrete logarithm problems and tasks previously considered computationally infeasible for classical computers [1]. This phenomenon, often referred to as “harvest-now, decrypt-later,” poses a serious risk to long-lived IoT data and justifies the urgent transition to quantum-resistant cryptography (Figure 1). Also, Grover’s algorithm accelerates brute force attacks, significantly reducing the effective security of symmetric encryption schemes [2]. Consequently, there is an urgent need to transition toward quantum-resistant cryptographic protocols, collectively known as Post-Quantum Cryptography (PQC).

In response to these quantum threats, the National Institute of Standards and Technology (NIST) initiated a global standardization process to identify robust and efficient PQC algorithms. As of 2024, CRYSTALS-Kyber was selected and standardized by NIST for Key Encapsulation Mechanisms (KEMs), marking it as a critical candidate for securing sensitive data against quantum-enabled adversaries [3]. Kyber is notable in IoT because of its efficiency, small keys, and suitability for resource-limited devices with constrained processing, memory, and energy [4].

Several recent studies have benchmarked the performance of Kyber, demonstrating its practicality in various IoT contexts. For example, Fitzgibbon and Ottaviani (2024) evaluated Kyber on typical IoT hardware such as the Raspberry Pi 4, confirming its superior speed compared to other PQC finalists [4]. Sajimon et al. (2022) similarly highlighted Kyber’s practical benefits by implementing and evaluating it on Linux-based IoT edge devices, recommending it due to its demonstrated efficiency and manageable computational overhead [5]. Moreover, practical studies such as Bürstinghaus et al. (2020) demonstrated Kyber’s compatibility with embedded Transport Layer Security (TLS) libraries. Their findings revealed that Kyber outperformed traditional ECC-based methods in handshake speed [6].

However, despite these promising initial results, significant research gaps remain. Existing literature lacks comprehensive end-to-end evaluations of PQC integration in IoT-to-cloud communication. Holistic benchmarking across key performance metrics (latency, memory usage, and ciphertext size) and practical deployment considerations remains largely unexplored. Additionally, the implications of fully integrating PQC into existing IoT and cloud infrastructures, particularly addressing interoperability, performance trade-offs, and side-channel vulnerabilities, require further exploration.

Existing reviews on PQC have surveyed its broad landscape or benchmarked algorithm performance on IoT hardware, especially within robust protocols like TLS. This focus has left a critical gap in the network resilience of PQC in lightweight IoT protocols (MQTT and CoAP) under adverse conditions. To our knowledge, this is the first systematic review to synthesize the literature on the end-to-end performance of PQC-secured IoT protocols in high-latency and lossy network environments. This work addresses these practical deployment challenges, providing a targeted synthesis for researchers and practitioners securing next-generation IoT infrastructures.

Research Questions

• What post-quantum cryptographic schemes have been evaluated for IoT-to-cloud security?
• What performance trade-offs (latency, bandwidth, memory) are reported when integrating PQC into IoT protocols?
• What open challenges and research gaps remain for deploying PQC in real-world IoT-cloud systems?
• How do PQC-secured lightweight protocols perform under realistic network conditions?

However, a critical analysis of the review reveals that these promising results are primarily focused on PQC integration within robust, high-overhead protocols, such as TLS. While essential, this focus overlooks a significant portion of the IoT ecosystem that relies on lightweight, publish-subscribe protocols like Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) for efficiency. Recent research has called for the development of PQC-friendly versions of these specific protocols. Unlike ideal lab environments, many IoT deployments face high packet loss and variable latency. This gap in understanding the resilience of PQC in IoT protocols represents a significant blind spot for practical, large-scale deployment.

This paper synthesizes current research on integrating CRYSTALS-Kyber into IoT-to-cloud communication and compares the performance of PQC methods against classical methods. Also, it identifies a critical research gap, specifically, the lack of systematic evaluation of PQC in lightweight IoT protocols under real-world network conditions. Based on this analysis, the paper outlines key challenges and recommends future directions to guide researchers and practitioners working toward quantum-secure IoT infrastructures.

2. Background and Related Work

2.1. The Threat of Quantum Computing to Current Cryptography

Quantum computing poses a technically well-defined threat to classical public-key infrastructures. Shor’s algorithm enables polynomial-time factoring and discrete logarithms, reducing the effective security of RSA and ECC from “infeasible” to “routine” once scalable fault-tolerant machines emerge [7]. Grover’s algorithm also undermines symmetric cryptography by halving the effective key space, necessitating longer keys to maintain equivalent strength. These advances threaten a wide range of systems, such as IoT firmware updates, blockchain signatures, and satellite communications, that rely on RSA/ECC handshakes [7,8].

Table 1. NIST-PQC Standardization Timeline.

Year	Milestone
2016	NIST issues a call for PQC proposals.
December 2017–January 2019	Round 1 (69 candidates) → Round 2 (26).
July 2020	Round 3 finalists and alternates announced (7 KEM/sig algorithms).
5 July 2022	NIST selects CRYSTALS-Kyber as the sole KEM to be standardized, alongside Dilithium, Falcon and SPHINCS+ for signatures.
13 August 2024	Final FIPS 203—Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), derived from Kyber, is published; it becomes the primary federal standard for general-purpose encryption [9].
11 March 2025	NIST announces Hamming Quasi-Cyclic (HQC) as an additional KEM for specialized use cases and releases status report NIST IR 8545 on Round 4 [10].

summarizes the major milestones in the NIST PQC standardization process, including the selection of CRYSTALS-Kyber and other dates. NIST’s transition guidance urges federal agencies and critical-infrastructure operators to inventory vulnerable cryptography now and plan upgrades. Thus, the long-lived data remain confidential beyond 2035 PQShield.

2.2. Overview of CRYSTALS-Kyber (ML-KEM)

Kyber, standardized as ML-KEM, is a lattice-based KEM built on the difficulties of the Module Learning with Errors (M-LWE) problem. Lattice assumptions are believed to resist both classical and quantum attacks and admit efficient polynomial-time implementations [11]. A high-level view of how the Kyber algorithm works is shown in Figure 2. A KEM is used to send a symmetric key between two parties using asymmetric algorithms.

Table 2. Parameter sets and security levels. (All three share a 32-byte shared secret).

Variant	NIST Level	Public-Key (Bytes)	Cipher-Text (Bytes)	Symmetric Comparable
Kyber-512	1	800	768	AES-128
Kyber-768	3	1184	1088	AES-192
Kyber-1024	5	1568	1568	AES-256

shows Kyber’s three parameter forms, their related NIST security levels, and key/ciphertext sizes. These values are essential when comparing PQC schemes with traditional methods in constrained IoT environments.

Performance advantages for IoT-cloud links.

•

Completes encapsulation on IoT class processors three to five times faster than classical schemes, reducing latency and energy consumption during the handshake process.

•

Constant-time C implementations achieve 2–4 ms encapsulation on Cortex-M4 devices within the same power envelope (based on benchmark studies summarized in Section 2.4).

•

Its simple message-independent design makes it more resistant to side-channel attacks than other lattice-based alternatives.

Standardization status under FIPS 203, Kyber is selected as the default federal choice for data encryption. Vendors must label compliant implementations with “ML-KEM” and follow the byte-exact encodings and test vectors defined therein [12].

2.3. Mathematical Foundations of Kyber and Lattice-Based Cryptography

The security of CRYSTALS-Kyber rests on the assumed computational difficulty of solving mathematical problems on lattices. Specifically, Kyber’s security is derived from the M-LWE problem. Primarily, M-LWE is a mathematical challenge that is easy to formulate but is strongly believed to be hard to solve for both classical and quantum computers. This provides a robust foundation for a quantum-resistant cryptosystem [13].

The breakthrough in PQC was not only identifying these hard problems but designing efficient and practical cryptographic schemes based upon them. The assumed difficulties of lattice-based problems like M-LWE against quantum attacks are the primary reason the NIST selected CRYSTALS-Kyber as the standardized algorithm for general-purpose KEM. This choice reflects years of public analysis concluding that Kyber offers a strong balance of security, performance, and implementation readiness.

While a deep mathematical analysis is beyond the scope of this review, a foundational understanding of lattice-based cryptography is crucial for the security claims of PQC. Accordingly, our focus is on the practical implementation and network performance trade-offs of these algorithms.

2.4. Key Prior Studies on PQC (Kyber) in IoT and Cloud Settings

Recent studies have explored the integration of PQC, particularly CRYS-TALS-Kyber, into IoT and edge devices. These works collectively establish a strong basis for assessing its practicality in real-world constrained environments.

•

Fitzgibbon et al. (2023) benchmarked NIST’s PQC finalists on a Raspberry Pi 4, representing a typical IoT class device [4]. Among the candidates, CRYSTALS-Kyber appeared as the fastest KEM, with key generation, encapsulation, and decapsulation completing in the hundreds of microseconds [14]. Kyber consistently outperformed other candidates on low-power platforms, confirming its suitability for resource-constrained IoT devices. Additionally, Dilithium was identified as the most efficient signature algorithm on the same platform, which is relevant for future authentication needs [4].

•

Sajimon et al. (2022) implemented several NIST PQC finalists (Level 3 security), including Kyber, on a Raspberry Pi 4 running Linux, simulating a typical IoT edge device [5]. Their evaluation recommended suitable PQC schemes based on performance in constrained environments. While specific metrics were not detailed, Kyber was among the top performers due to its known speed, reinforcing its practicality for real-world IoT deployments.

•

Bürstinghaus et al. (2020) integrated Kyber for key exchange and SPHINCS+ for digital signatures into an embedded TLS library (mbedTLS) [6]. Their tests on lightweight devices revealed that Kyber’s key agreement outperformed classical ECC (ECDH) by approximately 10× in speed. However, the addition of SPHINCS+ introduced high latency and memory overhead during TLS handshakes. This emphasizes the need to carefully select lightweight signature algorithms, suggesting Dilithium may be a more practical alternative for IoT use. This underscores that full PQC stacks require a balanced selection of encryption and signature schemes.

•

K. Mayes (2020) demonstrated that Kyber-768 on an ultra-constrained device was implemented on a Multi-application Operating System (MULTOS) security module with 13 KB of RAM [15]. Although successful, the encapsulation process took nearly 10 s, even with a cryptographic co-processor, demonstrating that Kyber can function in minimal memory environments but at the cost of speed. A related study implementing a Kyber-768 variant on a similar smart card platform with a cryptographic co-processor reported concrete performance figures: key generation in 79.6 ms, encapsulation in 102.4 ms, and decapsulation in 132.7 ms. These results demonstrate that Kyber can function in minimal memory environments with promising speed [16]. This sets a lower bound for Kyber’s practicality and suggests real-world use should target hardware at or above Cortex-M4/M7 levels.

•

Kumari et al. (2022) reviewed about 70 studies mapping PQC to microcontrollers and gateways [17]. They found lattice-based KEMs, particularly Kyber, offered the best trade-off among ciphertext size, speed, and code footprint (<10 KB flash, <4 KB RAM), while noting side-channel and key management challenges.

•

Mahdi and Abdullah (2025) emphasize that while algorithms such as CRYSTALS-Kyber are computationally efficient, practical deployment still faces hurdles [18]. These include energy consumption, hardware limitations, and scalability across heterogeneous IoT devices. Also, they proposed optimization techniques currently under exploration, such as hardware acceleration, algorithmic improvement, and hybrid frameworks to enhance feasibility. Long-term success will demand systematic engineering efforts to balance security, efficiency, and scalability.

•

Chung et al. (2022) evaluated Kyber-512/768 and other NIST finalists in a TLS 1.3 stack running on a Raspberry Pi 4 manufactured by Raspberry Pi Ltd., Cambridge, UK (Cortex-A72) and an STM32F411 manufactured by STMicroelectronics, Geneva, Switzerland (Cortex-M4) [19]. Full handshakes completed in 1.1 to 1.4 × the latency and fit within 32 KB RAM, showing post-quantum security is feasible on IoT hardware.

•

Tasopoulos et al. (2022) demonstrated that implementing PQC in TLS 1.3 for resource-constrained devices increases execution time, memory usage, and bandwidth requirements [20]. Similarly, Abbasi et al. (2025) reported that trustful PQC implementation can raise handshake size by up to 7× compared to classical approaches, although they showed that optimization strategies can reduce bandwidth demands by 40–60% [21]. Beyond TLS, Blanco-Romero et al. (2024) integrated PQC into IoT protocols such as CoAP and MQTT-SN, addressing the limited understanding of PQC’s impact on lightweight communication mechanisms [22]. Similarly, Paul et al. (2021) investigated PQC integration with Trusted Platform Modules (TPMs) in TLS, and they found it feasible but noted performance degradation when offloading hash computations [23]. Together, these works highlight both the challenges and opportunities of PQC adoption in IoT environments, emphasizing the need for optimized implementations to balance security, performance, and scalability.

•

Achoe (2025) recommends as future work to develop custom-built lightweight PQC-friendly versions of MQTT, CoAP, and 6LoWPAN [16]. This highlights a recognized need for research focused specifically on these IoT protocols.

•

Kumar et al. (2022) and Almutairi & Sheldon (2025) surveyed post-quantum cryptography in IoT and IoT-Cloud contexts, emphasizing the urgency of migrating IoT systems to quantum-safe algorithms [24,25]. Their works outline candidate schemes, integration challenges, and highlight PQC as an emerging solution to strengthen IoT-Cloud security, though neither includes an implementation study, serving primarily as conceptual motivation. On the industry side, cloud providers such as AWS have begun testing hybrid TLS configurations with Kyber in production environments, signaling that cloud infrastructures are PQC-ready and shifting the research focus toward IoT integration [26]. Alongside the transition to PQC, for instance, Hazber et al. propose a framework that leverages blockchain and AI-driven threat detection to enhance data integrity and scalability. This highlights a different but complementary approach to supporting IoT security [27].

Collectively, these studies show that Kyber is the most promising KEM for constrained environments. However, PQC adoption still faces challenges in terms of efficiency and scalability, particularly in IoT-to-cloud communication. This review identifies this as a primary gap for future research.

Table 3. Synthesis of Prior Studies and Identification of the Research Gap.

Study	Focus Protocol	Device Benchmark	End-to-End Test	Network Condition Analysis	Key Contribution	Remaining Gap
Fitzgibbon et al. (2023) [4]	(Implicitly TLS)	✓	✗	✗	Kyber benchmarked on Raspberry Pi, the fastest KEM among candidates.	Limited to device-level tests and not IoT protocols
Sajimon et al. (2022) [5]	TLS/IoT devices	✓	✗	✗	Implemented PQC finalists on Linux-based edge devices; Kyber efficient	Did not include network or protocol-level performance
Bürstinghaus et al. (2020) [6]	TLS	✓	✓	✗	Integrated Kyber + SPHINCS+ into mbedTLS, and it has faster handshakes than ECC	Signature scheme overhead too high for IoT
Mayes (2020) [15]	N/A (standalone Kyber)	✓	✗	✗	Demonstrated Kyber-768 on ultra-constrained MULTOS (13 KB RAM), and its encapsulation is feasible but slow (~10 s without co-processor and ~100 ms with)	Shows Kyber’s practicality floor and no IoT protocol integration
Kumari et al. (2022) [17]	Survey	✗	✗	✗	Comprehensive survey of PQC for IoT microcontrollers	No implementation results, and it is theoretical
Chung et al. (2022) [19]	TLS	✓	✓	✗	Benchmarked Kyber on Cortex-M4 and Pi4, and it is feasible for IoT.	No MQTT/CoAP evaluation
Mahdi & Abdullah (2025) [18]	General IoT	✗	✗	✗	Highlighted optimization, energy, scalability challenges	No protocol-level or experimental validation
Tasopoulos et al. (2022) [20]	TLS 1.3	✓	✓	✗	Showed PQC increases execution time, memory, bandwidth	Limited to TLS and no IoT protocols
Blanco-Romero et al. (2024) [22]	CoAP, MQTT-SN	✓	✓	✗	Integrated PQC into lightweight IoT protocols	No adverse network analysis
Paul et al. (2021) [23]	TLS with TPM	✓	✓	✗	Demonstrated PQC in TLS with TPM offloading	Performance hit with TPM hash offload
Achoe (2025) [16]	MQTT/CoAP	✗	✗	✗	Called explicitly for PQC-secured lightweight protocols	No implementation, and it is only a call for research
YoungBeom et al. (2025) [28]	MQTT	✓	✓ (partial)	✗	First KEM-MQTT implementation on 8-bit AVR nodes.	Excluded network performance
Abbasi et al. (2025) [21]	TLS (multi-platform)	✓	✓	✓	Systematic TLS benchmarks across devices	TLS only and missing IoT protocols
Identified Gap	MQTT/CoAP	✓	✓	✓	-	No existing study systematically evaluates Kyber over MQTT under adverse network conditions.

✓ indicates the gap or area is covered or benchmarked. ✗ means that it is not covered. N/A indicates that the item is not applicable.

highlights a specific gap in current PQC research. While the device-level performance of CRYSTALS-Kyber is well established and its integration into TLS has been extensively benchmarked [20,21], lightweight IoT protocols remain largely overlooked. Several studies explicitly call for securing protocols such as MQTT and CoAP [16,22], yet the few available implementations are incomplete. For example, the only published study of a Kyber-secured MQTT variant [28] evaluated computational performance on sensor hardware but missed network-level factors such as latency, packet loss, and handshake reliability. To date, no work has systematically assessed the end-to-end performance and resilience of PQC-secured IoT protocols under the unreliable conditions common in real-world deployments.

3. Methodology

This article is a structured narrative review. Nevertheless, it follows key elements of the PRISMA 2020 framework to ensure transparency and reproducibility of the literature selection process.

3.1. Research Focus

This review builds upon the research questions defined in the Research Questions Section. It specifically focuses on synthesizing empirical evidence on CRYSTALS-Kyber performance and implementation feasibility in IoT-to-cloud communication. The objective is to unify measurable results (latency, memory, bandwidth) and identify continuous deployment challenges in constrained environments.

3.2. Eligibility Criteria

Included studies had to: (i) be peer-reviewed articles or conference papers published between 2017 and 30 April 2025; (ii) report empirical measurements of Kyber on IoT, edge, or embedded platforms; (iii) present at least one comparator cryptosystem. Exclusion criteria were non-English language, theoretical analyses, and studies lacking device-level metrics.

3.3. Information Sources and Search Strategy

A comprehensive search for desired studies was conducted in August 2025 across multiple databases. It is important to note that overly broad search terms such as “IoT-Cloud Security”, “Post-Quantum Cryptography”, and “Communication” were intentionally avoided, as they yield thousands of results that are not relevant to the specific implementation challenges in IoT. Instead, our search strategy was designed to be highly targeted. We used a primary search string (“CRYSTALS-Kyber” OR Kyber) AND (“Internet of Things” OR IoT OR edge) to identify practical work on Kyber in IoT contexts. A secondary, even more specific search (Kyber OR “post-quantum”) AND (MQTT OR CoAP) AND (performance OR resilience OR “packet loss” OR latency) was performed to precisely identify literature addressing the research gap involving lightweight protocols under negative network conditions. This focused approach ensures the relevance of the identified studies.

3.4. Selection Process and Data Extraction

The selection process strictly followed the PRISMA 2020 framework to ensure transparency and reproducibility. Our eligibility criteria were designed to filter for studies that presented empirical, device-level measurements of Kyber on IoT platforms. Studies that were purely theoretical or lacked performance data were excluded. This strict filtering is the stamp of a systematic review and explains why the initial 102 records were narrowed to 13 core studies for synthesis. The strength of this review lies not in the quantity of papers surveyed but in the quality and synthesized evidence, which directly addresses the defined research questions. Figure 3 presents the PRISMA 2020 flow diagram reflecting these search results.

3.5. Synthesis Approach

Because benchmarking platforms and metric definitions varied, a formal meta-analysis was not feasible. Quantitative data were normalized to common units (milliseconds per key-pair and bytes per ciphertext). Qualitative findings on implementation challenges were grouped by category.

4. Performance Comparison: PQC vs. Traditional Crypto (RSA/ECC)

This section synthesizes comparative findings from existing literature on Kyber and classical schemes (RSA, ECC) across key dimensions. These are execution speed, communication overhead, symmetric encryption compatibility, and practical feasibility in IoT environments.

4.1. Execution Speed

Multiple benchmarks show that Kyber can meet or even exceed the performance of RSA/ECC at comparable security levels. Demir et al. (2025) conducted comprehensive tests of Kyber vs. RSA-2048 and ECDH (P-256 ECC) [1]. Their results indicate that Kyber-512 (offering 128-bit security) completes key exchange roughly three times faster than RSA-2048 or ECDH-P256. Even Kyber-1024, the highest-security variant, outpaced RSA-3072 by a similar margin. The reason is that Kyber’s math (lattice polynomials with number-theoretic transforms) can be computed much faster than RSA/ECC’s large-integer exponentiations on general-purpose CPUs. For IoT devices, this translates into lower CPU usage, reduced energy consumption, and faster key exchange completion. All of which are vital for battery-powered and limited-resource environments. These findings are consistent with prior research, such as embedded TLS experiments where Kyber outperformed ECDH by an order of magnitude in handshake speed [6,29]. This counters the common misconception that PQC is naturally heavier or slower [1].

4.2. Communication Overhead (Key/Ciphertext Sizes)

The trade-off comes in data sizes. PQC generally has larger key and ciphertext sizes than traditional schemes, which can impact network bandwidth and memory usage. For instance, Kyber-512’s public key is 800 bytes, and its ciphertext is ~768 bytes [1]. In contrast, a 2048-bit RSA public key is only 256 bytes, and an ECC P-256 public key is ~64 bytes. Thus, a Kyber handshake transmits more data, often in the kilobyte range, compared to a few hundred bytes for RSA or ECC. While this is manageable in high-bandwidth networks, it could pose challenges in IoT settings such as Low-power WAN (LPWANs) or devices with strict data quotas.

Also, memory usage is a consideration. Kyber requires around 1–2 KB of memory for key storage and math on a polynomial. However, most modern IoT devices (e.g., Raspberry Pi or Cortex-M4/M7 class microcontrollers) have sufficient resources to accommodate these needs. For example, a Raspberry Pi 4 can execute Kyber operations in microseconds, while even a constrained device with just 13 KB of RAM managed to run Kyber-768, with an encapsulation latency of just over 100 ms when using a co-processor [1,5,30]. Although Kyber’s key sizes are larger, they remain practical as network protocols and hardware continue to evolve. Still, it is crucial to measure and report message sizes and memory usage to verify the actual overhead. For example, recording the exact bytes exchanged during key exchanges (Kyber vs. RSA/ECC) and tracking each algorithm’s memory footprint on the simulated device. Prior studies mainly focus on speed, with limited analysis of memory or bandwidth impact [14]. This highlights an important gap that future research should address through a comprehensive evaluation of PQC schemes under constrained IoT conditions [31].

4.3. Symmetric Encryption Throughput

After key exchange, both PQC and traditional cryptographic protocols rely on symmetric encryption (e.g., AES-GCM) for actual data transmission. Notably, symmetric encryption performance remains unaffected by the choice of public-key algorithm [4]. One difference is that with PQC KEMs like Kyber, the key exchange produces a shared secret of (e.g., 256 bits), which can be directly used as an AES-256 key. With RSA/ECC, often a 128- or 256-bit secret is agreed and used similarly. There is no inherent performance difference in using the key for AES. As highlighted in prior studies, the performance difference between classical and PQC is largely limited to the handshake phase (i.e., key exchange), not the symmetric encryption itself. Therefore, future practical evaluations of post-quantum performance should focus on handshake latency, CPU utilization, memory load, and time-to-first byte rather than AES throughput [29].

4.4. Overall Feasibility

Current research presents a promising outlook: Kyber and other PQC schemes can outperform RSA/ECC in key exchange speed, even under constrained conditions [1]. Although they introduce larger key sizes and ciphertexts, these are well within the capabilities of many IoT-class devices. Moreover, PQC offers forward secrecy and quantum resistance, making it a more future-proof solution. For instance, an IoT sensor that currently takes 50 ms to complete an ECC-based handshake might complete a Kyber-based handshake in 20 ms. These performance gains, as documented in existing benchmarks, suggest strong potential for PQC in resource-constrained deployments. However, further research is needed to comprehensively measure and compare encryption times, message sizes, and memory usage across Kyber, RSA, and ECC, particularly in the context of IoT-to-cloud secure communication.

In addition to speed, PQC types differ in data size. For example, Kyber-512 uses an 800-byte public key and produces a 768-byte ciphertext, compared to just 256 bytes for an RSA-2048 public key or ~64 bytes for ECC P-256. While these size differences are manageable for most modern networks, they could affect bandwidth and packet loss in constrained IoT systems [1,14].

Table 4. Key differences between classical cryptosystems and the CRYSTALS-Kyber.

Algorithm	NIST Security Level	Public Key Size (Bytes)	Ciphertext Size (Bytes)	Relative Speed (Key Exchange)
ECC (P-256)	1	~64	N/A	Baseline (1×)
RSA-2048	1	256	N/A	Slower (~0.7×)
Kyber-512	1	800	768	Much Faster (~3–5×)
Kyber-768	3	1184	1088	Much Faster (~3–5×)
Kyber-1024	5	1568	1568	Much Faster (~3–5×)

N/A indicates that the item is not applicable.

provides a detailed summary of these performance metrics.

5. Discussion: Identified Research Gaps and Challenges

This review addressed the four research questions (RQs), synthesizing findings from 13 studies on PQC in IoT-to-cloud communication. The results highlight both progress and continued gaps.

5.1. The Primary Research Gap: Network Resilience in Lightweight Protocols Under Unreliable Network Conditions (RQ4)

The most critical gap identified is the absence of systematic evaluations of PQC-secured lightweight IoT protocols (MQTT, CoAP) under the realistic, often ‘messy’ network conditions. Current benchmarks overwhelmingly focus on TLS, which differs basically from MQTT/CoAP in terms of handshake mechanisms and packet overhead [20,21].

•

Existing efforts: Ref. [22] integrated PQC into CoAP and MQTT-SN, ref. [28] tested KEM-MQTT on AVR sensor nodes, and ref. [16] called for lightweight PQC protocols.

•

Limitation: These studies focused only on computational feasibility and explicitly excluded network-level factors such as packet loss and high latency.

•

Research needs: PQC’s larger key sizes and ciphertexts are most impactful in lossy IoT environments. No existing study has quantified how handshake success rates, retransmissions, and latency evolve under degraded conditions. This review asserts that the central unanswered question for the field is: What happens when these IoT protocols are tested in more realistic network environments? Therefore, future work should utilize simulation-based and real-world testbeds to evaluate the performance of PQC-resilient MQTT/CoAP under constrained networks.

5.2. Related Challenges and Future Work

While the focus is on network resilience, several related challenges remain important for the broader adoption of PQC in IoT.

5.2.1. Practical Integration Challenges (RQ1 and RQ3)

While Kyber has emerged as the dominant PQC KEM, protocol integration remains immature. TLS 1.3 extensions exist, but no standardized approaches are available for MQTT/CoAP. Temporary hybrid schemes (classical + PQC keys) are widely used to ensure backward compatibility [6,21]. Authentication is another bottleneck, so replacing RSA/ECC-based certificates with PQ signatures like Dilithium significantly increases handshake size (2–5 KB) and processing cost. This highlights the need for lightweight PQ signature schemes and standardization of PQC at the IoT protocol layer. Ultimately, these integration issues force developers to navigate a critical trade-off: implementing the strongest post-quantum security versus maintaining minimal overhead. This challenge is especially found in resource-constrained IoT systems.

5.2.2. Resource Constraints and Optimizations (RQ2 and RQ3)

PQC is feasible on mid-range IoT hardware (Cortex-M4/M7), but ultra-constrained devices face trade-offs. By synthesizing the findings from the literature, a clear picture of these trade-offs emerges. In practical comparisons, Kyber consistently offers lower latency than RSA/ECC, but at the cost of a larger memory footprint and increased bandwidth for its keys and ciphertexts. Mayes showed Kyber-768 running on a 13 KB RAM smart card, but encapsulation required ~10 s without a co-processor [15]. More promising results with vectorized optimizations (ARM Neon) show potential for reducing CPU cycles and energy costs [18,32,33]. However, no extensive research has yet focused on optimizing CRYSTALS-Kyber specifically for ultra-constrained microcontrollers in practical IoT deployments. This represents a clear technical gap, as it is unknown if default PQC libraries are sufficient for such environments. Future studies must benchmark energy and memory usage across representative IoT devices to determine if targeted optimizations are required to meet performance and energy constraints [30].

5.2.3. Security Analysis in IoT Context (RQ3)

Performance is only part of the challenge; security in deployment is equally critical. Although Kyber is cryptographically secure under lattice assumptions, real-world IoT implementations are vulnerable to side-channel attacks. The KyberSlash timing attack demonstrated key leakage in lab settings [34,35]. Current IoT PQC research rarely addresses resilience against timing, power, or cache-based side channels.

Moreover, IoT devices are exposed to man-in-the-middle attacks, protocol downgrades, and other threat vectors. PQC’s main strength is resisting quantum decryption of intercepted data and addressing only part of the threat landscape (e.g., it prevents an attacker with a quantum computer from decoding intercepted data in the future, unlike RSA/ECC [1]). Also, a complete security model must account for randomness quality, key reuse policies, and endpoint trust models. Comprehensive IoT-specific threat models and side-channel PQC libraries are urgently needed.

Furthermore, securing real-world deployments requires addressing specific implementation vulnerabilities beyond pure algorithmic strength. While Kyber’s security is mathematically strong, its performance on different architectures, such as 64-bit ARM processors, must be optimized to prevent timing variations that could be exploited [36]. Therefore, a comprehensive security model must defend against a wide range of implementation attacks, including the side-channels discussed previously, which remain a significant threat to all PQC deployments [37]. While hardware acceleration on platforms like FPGAs can improve performance, this also introduces new potential vulnerabilities that must be carefully considered [38].

Table 5. Summary of Identified Research Gaps and Future Directions.

Gap Area	Description	Supporting Studies	Insights and Recommendations
PQC Resilience in Lightweight IoT Protocols	Most evaluations focus on TLS, but MQTT/CoAP is largely unexplored. One KEM-MQTT study excluded network resilience.	[16,22,28]	This review highlights the lack of studies on PQC resilience in MQTT and CoAP protocols, particularly under high-latency and lossy conditions, and recommends focused practical evaluation.
Integration Challenges	PQC is feasible in TLS, but signatures (SPHINCS+) cause high latency. Hybrid schemes are temporarily used.	[6,21]	Explore Dilithium or hybrid TLS and standardization for IoT protocols.
Resource Constraints and Optimization	Ultra-constrained devices can run Kyber, but slowly without co-processors. Energy is still an issue.	[15,18]	It identifies the need to measure how PQC algorithms affect speed, memory, and energy use on ultra-low-power microcontrollers. Also, it recommends future work on creating optimized versions for embedded systems.
Security Evaluation in IoT Context	Some side-channel risks were identified in Kyber (e.g., Kybe-Slash) and a few IoT-specific threat models.	[34,35]	It points out the gap in side-channel analysis of Kyber in IoT and recommends that future work address timing attacks and power analysis risks in constrained environments.

summarizes the main research gaps identified through this review and offers recommendations for addressing each area.

6. Conclusions

This review synthesized current research on the deployment of post-quantum cryptography in IoT-cloud communication, with a particular focus on CRYSTALS-Kyber. Evidence shows that Kyber offers faster key exchange and lower computational cost than RSA and ECC, which makes it promising for constrained IoT devices. However, significant challenges remain. This review confirms the existence of a critical and underexplored gap in the transition to quantum-safe security, which is the lack of resilience testing for PQC in lightweight IoT protocols. Our synthesis of the available evidence demonstrates that until the performance of Kyber-secured MQTT and CoAP is systematically evaluated in lossy and high-latency networks, a significant barrier to secure IoT deployment will remain. Beyond this central gap, additional barriers include the lack of standardized integration pathways, the performance hurdle of PQ signatures in authentication, resource constraints on ultra-low-power devices, and emerging side-channel vulnerabilities in PQC implementations. Addressing these issues requires simulation-based and real-world evaluations of Kyber-secured MQTT/CoAP under lossy and high-latency networks, optimization strategies for energy-constrained hardware, and the development of PQC libraries tailored for IoT. By systematically identifying these gaps, this review not only clarifies the current state of PQC research but also charts a roadmap for future investigations that are essential for a secure transition to post-quantum IoT infrastructures.