I've come across something out of Philips Research called HIMMO Key Pre-Distribution Scheme (https://eprint.iacr.org/2016/410.pdf and https://www.ietf.org/proceedings/96/slides/slides-96-cfrg-2.pdf) that seems to solve an IoT need I have. It also seems too good to be true. It appears I can get rid of the hardware and power expense of a public key exchange with HIMMO. What Am I missing? I've not been able to find any critiques of the approach. I've also not seen any verilog or software implementations of the HIMMO lattice so it is hard to estimate the silicon cost to implement the whole solution without doing the work. I would value any feedback, pointers to reviews of HIMMO and alternatives for lightweight devices.
My specific challenge: I need to build security between a family of IoT devices with limited bandwidth (ZigBee or Bluetooth BLE) that has severe power restrictions. My messages text will usually be small, about 10 bytes and have limited time value (seconds). During these few seconds there could be minor financial loss and perhaps a minor theoretical safety risk. But I do need to occasionally send some secure account info that will be larger (~16 bytes) that needs stronger authentication and there would be some benefit from non-repudiation. My security will be re/authorizing a time limited "services" between an IC (an ASIC without an on chip CPU) built into each network node. The ICs do the "service" so if I can secure the ICs to IC link I should be golden. We can not trust the CPUs supplying underlying communications in the nodes so we will must build security into the ICs. Provisioning at manufacturing-time is perfectly acceptable. Adding the gates for a public key infrastructure would be expensive so HIMMO seems attractive on its surface.
