by refset 714 days ago
There has been research on the intersection of IoT and PQ signatures specifically at least, e.g. see "Short hash-based signatures for wireless sensor networks" [0] [1]. Unlike SPHINCS+ which is mentioned in the article, if you're happy to keep some state around to remember the last used signature (i.e. you're not concerned about accidental re-use) then the scheme can potentially be _much_ simpler.

[0] https://web.archive.org/web/20110401080052/https://www.cdc.i...

[1] https://news.ycombinator.com/item?id=33925383 I wrote about this "Dahmen-Krauß Hash-Chain Signature Scheme" (DKSS) algorithm previously in a comment a couple of years ago.
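The "keep some state around so the last used signature is never reused" idea from the comment above, as an added example that is not code from the comment or from the DKSS paper: a Lamport one-time signature over SHA-256, a signer that holds a batch of one-time keys plus a persistent next-unused counter, and a verifier that tracks the highest index it has accepted so a replayed or out-of-order signature is rejected. The class names, the flat key batch and the counter handling are assumptions for illustration; this is not the hash-chain construction the linked paper describes.

```python
import hashlib
import secrets

N_BITS = 256  # one Lamport secret pair per bit of the SHA-256 digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen_ots():
    """One Lamport key pair: 256 pairs of random 32-byte secrets, public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _bits(digest: bytes):
    """Yield the 256 bits of a digest, most significant bit of each byte first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def sign_ots(sk, msg: bytes):
    """Reveal, for every digest bit, the secret matching that bit. Revealing a second
    set of preimages for a different message with the same key is what must never happen."""
    return [pair[b] for pair, b in zip(sk, _bits(_h(msg)))]


def verify_ots(pk, msg: bytes, sig) -> bool:
    if len(sig) != N_BITS:
        return False
    return all(_h(s) == pair[b] for s, pair, b in zip(sig, pk, _bits(_h(msg))))


class StatefulSigner:
    """Batch of one-time keys plus the counter of the next unused one (hypothetical class).
    The counter is the state that has to survive reboots and restores from backup."""

    def __init__(self, n_keys: int, next_index: int = 0):
        self._keys = [keygen_ots() for _ in range(n_keys)]
        self.public_keys = [pk for _, pk in self._keys]
        self.next_index = next_index

    def sign(self, msg: bytes):
        if self.next_index >= len(self._keys):
            raise RuntimeError("all one-time keys consumed; provision a new batch")
        idx = self.next_index
        self.next_index += 1  # advance (and persist) before the signature leaves the device
        sk, _ = self._keys[idx]
        return idx, sign_ots(sk, msg)


class StatefulVerifier:
    """Accepts each key index at most once and only in increasing order (hypothetical class),
    assuming the ordered delivery the thread discusses."""

    def __init__(self, public_keys, last_seen: int = -1):
        self.public_keys = public_keys
        self.last_seen = last_seen

    def verify(self, msg: bytes, idx: int, sig) -> bool:
        if idx <= self.last_seen or idx >= len(self.public_keys):
            return False  # replayed, out of order, or unknown key
        if not verify_ots(self.public_keys[idx], msg, sig):
            return False
        self.last_seen = idx  # only advance on a good signature
        return True


if __name__ == "__main__":
    signer = StatefulSigner(n_keys=3)
    verifier = StatefulVerifier(signer.public_keys)
    idx, sig = signer.sign(b"firmware v1")
    print("accepted:", verifier.verify(b"firmware v1", idx, sig))
    print("replay accepted:", verifier.verify(b"firmware v1", idx, sig))
```

The signer advances its counter before handing out the signature, so a crash between the two leaves an unused key rather than a reused one; a state restored from an older backup would still roll the counter back, which is why the comment's "accidental re-use" concern is about durable storage of that single integer, not about the signing arithmetic.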


The state is enormous. Dedicating megabytes and megabytes to key state is painful. And so is tracking state across components and through distribution channels. If you’re not afraid of that then just use symmetric crypto and be done with it.
> use symmetric crypto

To be clear my comment is specifically only relating to signature schemes, not encryption.

> The state is enormous

The scheme I linked to points towards efficient "pebbling" and "hash chain traversal" algorithms which minimize the local state required in quite a fascinating way (e.g. see https://www.win.tue.nl/~berry/pebbling/).

> tracking state across components and through distribution channels

Assuming you have reliable ordering in those channels I don't see how the stateful nature of such schemes makes it hugely more complex than the essential hard problem of key distribution.