The rapid growth of internet of thing (IoT) has increased the need for secure communication among resource-constrained devices using lightweight protocols such as message queuing telemetry transport (MQTT) and message queuing telemetry transport for sensor network (MQTT-SN). Traditional certificate-based solutions introduce significant computational and memory overhead for low-power devices. This paper proposes the hybrid lightweight protocol (HLP), a certificate-free approach combining elliptic-curve key exchange, hash-based message authentication code (HMAC)-based authentication, and ChaCha20-Poly1305 encryption. HLP uses pre-shared keys to reduce handshake complexity while maintaining confidentiality, integrity, and mutual authentication across MQTT and MQTT-SN environments. A Python-based implementation using paho-mqtt was evaluated in a constrained-device testbed. Experimental results show that HLP achieves lower handshake latency (-20–24 ms) and reduced bandwidth overhead (-130 bytes) compared with elliptic curve Diffie-Hellman ephemeral-pre-shared key (ECDHE-PSK) and elliptic curve Diffie-Hellman ephemeral-elliptic curve digital signature algorithm (ECDHE-ECDSA), while still supporting forward secrecy. These findings demonstrate that HLP is an efficient and practical solution for securing IoT communications on constrained devices.

Cryptography; Internet of things security lightweight; Message queuing telemetry transport; Message queuing telemetry transport for sensor networks; Pre-shared key authentication