MQTT Across a Raspberry Pi 5 IoT Network Utilizing Quantum-resistant Signature Algorithms
Source: arXiv:2605.13698 · Published 2026-05-13 · By Ray Feingold, Chansu Yu
TL;DR
This paper addresses the challenge of integrating post-quantum cryptography (PQC) into Internet of Things (IoT) networks secured by the lightweight MQTT messaging protocol. Given the looming threat of quantum computer attacks that break classical cryptography (e.g., RSA, ECC) via Shor's algorithm, the authors evaluate the deployment of a quantum-resistant digital signature scheme, FALCON, on resource-constrained devices. They implement an MQTT-based publish-subscribe network composed of three Raspberry Pi 5 devices with a connected motion sensor. Using the FALCON-1024 lattice-based signature algorithm standardized by NIST, they secure message authenticity and integrity without modifying MQTT application logic. Performance measurements focus on certificate generation latency and overall system responsiveness.
The key novelty lies in applying a compact and computationally efficient lattice-based signature scheme in a real Raspberry Pi IoT testbed running a complete MQTT sensing application, rather than relying on simulated or containerized setups. Their experiments demonstrate that FALCON's certificate generation time (approximately 68-70 ms) is substantially faster than RSA-2048 (over 300 ms) on the same hardware, counter to the common perception that PQC is always more expensive. The system remains stable and functional, indicating PQC can be deployed proactively in IoT environments to future-proof security against quantum adversaries. The authors provide full source code to facilitate reproducibility and encourage wider adoption.
Key findings
- FALCON-1024 certificate generation time averages 68-70 milliseconds on Raspberry Pi 5 nodes, compared to over 300 milliseconds for RSA-2048.
- The MQTT-based IoT network with three Raspberry Pi 5 devices successfully transmits quantum-safe signed messages from a motion sensor publisher through a broker to a subscriber.
- FALCON demonstrates consistent performance across both publisher and subscriber devices despite limited embedded hardware resources.
- Integration of PQC using OpenSSL, liboqs, oqs-provider, and mosquitto was accomplished without modifying MQTT application layer code.
- The quantum-safe FALCON signature scheme provides not only long-term cryptographic security but practical improvements in certificate generation latency.
- The motion sensor system operated with secure message authentication and near real-time communication under PQC constraints.
- Lattice-based digital signatures leveraging Fourier sampling (FALCON) provide more efficient cryptographic operations than traditional large integer modular arithmetic in RSA on embedded devices.
Threat model
The adversary is a future quantum-capable attacker able to break classical public-key cryptography such as RSA and elliptic-curve schemes, potentially compromising IoT device communications retroactively. They cannot yet break lattice-based post-quantum schemes like FALCON. The adversary cannot tamper with securely provisioned keys or interfere physically with devices after initial secure setup.
Methodology — deep read
The authors target an adversary capable of exploiting future quantum computers to break classical public-key signatures (RSA, ECC) that authenticate MQTT messages in IoT deployments. The adversary cannot yet realistically break lattice-based PQC methods such as FALCON. The threat model assumes long-lived IoT devices at risk of retroactive compromise if quantum attacks materialize.
Data consists of a live MQTT network with three Raspberry Pi 5 endpoints connected on a local network. One Pi acts as a publisher attached to a PIR motion sensor circuit, one as a broker managing topic-based message routing, and the last as a subscriber receiving notifications. The sensor triggers digital payloads published to a motion-sensor topic. A heartbeat message is periodically sent to verify system health.
The core algorithm deployed is the NIST-standardized lattice-based FALCON-1024 digital signature scheme, which uses NTRU lattices and fast Fourier transform-based Gaussian sampling to generate compact, quantum-resistant signatures and keys. Certificates for MQTT client authentication are generated using FALCON, enabling TLS 1.3 connections enhanced with post-quantum security. The system uses OpenSSL compiled with the oqs-provider plugin, liboqs for PQC primitives, and mosquitto as the MQTT broker and clients. Software dependencies are built via a custom bash setup script.
Training per se is not applicable. Instead, certificate generation latency is measured empirically by running 25 iterations each of RSA-2048 and FALCON-1024 key and certificate generation scripts on both publisher and subscriber nodes. Timing results are logged to CSV for statistical analysis.
Evaluation metrics focus primarily on certificate generation time measured in milliseconds and overall system responsiveness. Comparisons between RSA and FALCON are made directly on identical hardware. The authors do not present adversarial evaluations or measure network throughput or latency beyond functional correctness. No explicit cross-validation is relevant; dataset is real-time sensor data.
The system is fully reproducible with all source code, setup scripts, and configuration files openly available in a public GitHub repository. This includes the PQC-enabled mosquitto broker, device provisioning scripts, and motion sensor interaction code. The physical sensor circuit design is documented. However, external dependencies on liboqs, oqs-provider, and customized OpenSSL are required. The paper does not report random seeds or low-level compilation flags for cryptographic libraries, limiting exact replication of timings in other environments.
A concrete example: The publisher Pi runs a script to generate a FALCON-1024 certificate signed by the broker’s CA. Once signed certificates are installed, the motion sensor monitors GPIO pins for events, producing message payloads. These are signed under TLS with FALCON keys, sent to the mosquitto broker, which routes to the subscriber subscribed to motion-sensor topic. Subscriber validates authenticity and prints detection events in near real time.
Technical innovations
- Integration of the FALCON-1024 lattice-based PQC signature scheme into a real MQTT IoT network using Raspberry Pi 5 hardware.
- Demonstration that FALCON can outperform classical RSA-2048 in certificate generation latency on embedded devices, contradicting general PQC overhead assumptions.
- Use of standardized modular cryptographic libraries (OpenSSL + oqs-provider) and MQTT broker (mosquitto) to enable PQC without modifying application messaging logic.
- Practical evaluation of full IoT sensing workflow and publish-subscribe communication secured with quantum-safe digital signatures.
Datasets
- Live real-time sensor data from a PIR motion sensor connected to a Raspberry Pi 5 — small-scale IoT testbed deployed by authors — not publicly archived
Baselines vs proposed
- RSA-2048 certificate generation time on Raspberry Pi 5 (publisher): ~300+ ms vs FALCON-1024: ~68-70 ms
- RSA-2048 certificate generation time on Raspberry Pi 5 (subscriber): ~300+ ms vs FALCON-1024: ~68-70 ms
Figures from the paper
Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2605.13698.
Fig 1: Motion detecting circuit attached to publisher Rasp-
Fig 2: High-level architecture of MQTT IoT system
Fig 3: Comparison of certificate generation time by cer-
Limitations
- Evaluation focuses on certificate generation latency only; no end-to-end impact metrics such as message latency or throughput under PQC load are reported.
- Security analysis does not include adversarial testing, side-channel attack resistance, or resilience under network or device compromise scenarios.
- Small network size (three devices) limits generalization to larger, heterogeneous IoT deployments with diverse hardware.
- Potential side-channel vulnerabilities of FALCON due to floating-point Gaussian samplers noted but not mitigated in this study.
- The setup depends on manual IP configuration and static local networks; suitability for dynamic or remote environments is untested.
- No quantitative measurement of power consumption or memory overhead on the embedded devices during PQC operations.
Open questions / follow-ons
- How does the integration of PQC impact overall MQTT message latency, throughput, and resource consumption under typical IoT workloads?
- What are effective countermeasures and practical implementations to mitigate side-channel leaks inherent in FALCON’s Gaussian sampling on embedded hardware?
- Can newer lattice-based schemes like SOLMAE offer improved side-channel resistance and efficiency in IoT scenarios compared to FALCON?
- How scalable and maintainable is PQC-enabled MQTT infrastructure in more complex, large-scale heterogeneous IoT deployments with constrained update mechanisms?
Why it matters for bot defense
For bot-defense and CAPTCHA engineers, this work highlights critical considerations when securing low-power, resource-constrained IoT devices using modern quantum-resistant cryptographic standards. While MQTT is widely used in IoT for low-latency messaging, the adoption of PQC signatures like FALCON can alter system performance characteristics such as certificate provisioning latency. Understanding these trade-offs helps ensure that bot-defense mechanisms relying on authenticated device communication remain robust against emerging quantum threats.
Implementing PQC at the communication protocol level can complement bot-detection techniques by protecting message authenticity and integrity in a future-proof manner. However, the potential computational and memory overheads must be carefully evaluated to avoid unintended degradation of network responsiveness, which could affect challenge-response timing or reliability. This study’s demonstration of PQC feasibility on real hardware provides a practical reference point for developers planning cryptographically agile bot mitigation strategies in IoT ecosystems.
Cite
@article{arxiv2605_13698,
title={ MQTT Across a Raspberry Pi 5 IoT Network Utilizing Quantum-resistant Signature Algorithms },
author={ Ray Feingold and Chansu Yu },
journal={arXiv preprint arXiv:2605.13698},
year={ 2026 },
url={https://arxiv.org/abs/2605.13698}
}