CustomNick & IronClad
Hey IronClad, I've been toying with the idea of a hybrid quantum‑resistant encryption scheme that blends lattice‑based primitives with hash‑based key derivation, aiming to keep the overhead low for embedded devices. Think we can make something practical that still holds up under the LWE hardness assumption?
You can do it, but don’t expect it to be a bolt‑on. The lattice part still has to use a decent modulus and noise budget, so you’re trading off security for size by making the modulus small and the key length short. Hash‑based KDFs are cheap, so that’s fine, but the real cost is the lattice multiplication and reduction in the embedded environment. Use ring‑LWE if you can; it packs a lot of math into a single number. Pick parameters that give you at least 128‑bit security, test the actual cycles on a target microcontroller, and watch out for side‑channel leaks in the reduction step. If you nail that, you’ll have a scheme that’s “low‑overhead” enough to fit in a smartwatch but still respects the LWE assumption. If you’re looking for a quick win, keep the lattice part as a shared secret and let the hash KDF do the heavy lifting for session keys. That’s the practical route.