Quantum-Resistant Cryptography for the Internet of Things Based on Location-Based Lattices

An important enabler of the Internet of Things (IoT) is the Narrow-Band Internet of Things (NB-IoT) technology, which is a 3GPP standards-compliant connectivity solution. Quantum computing, another emerging technological paradigm, promises novel compute opportunities but is also able to compromise cybersecurity ciphers. Therefore, improved methods to mitigate such security threats are needed. In this research, we propose a location-aware cryptographic system that guarantees post-quantum IoT security. The ultimate value of a location-driven cryptosystem is to use the geographic location as a player's identity and credential. Position-driven cryptography using lattices is efficient and lightweight, and it can be used to protect sensitive and confidential data in many critical situations that rely heavily on exchanging confidential data. To the best of our knowledge, this research starts the study of unconditional quantum-resistant location-driven cryptography by using the lattice problem for the IoT in a pre- and post-quantum world. Unlike existing schemes, the proposed cryptosystem is the first secure and unrestricted position-based protocol that guards against any number of collusion attackers and against quantum attacks. It has a guaranteed authentication process, solves the problems of distributing public keys by removing a public key infrastructure (PKI), offers secure NB-IoT without SIM cards, and resists location spoofing attacks. Furthermore, it can be generalized to any network – not just NB-IoT.


I. INTRODUCTION
The internet of things (IoT) is popularly referred to as the large interconnection that exists between visible objects with the ability to communicate and perform computations. It also has the capacity to control, supervise and identify over the internet. In light of this fact, it is estimated that approximately 75.44 billion devices, sensors, and actuators, among others, will be connected to the internet by the end of 2025 [1]. These devices will aim to collect data concerning the real world, which must be transferred to a predominant supply for the purpose of data processing and storage. There are many available IoT technologies, and one of the major technologies is the Narrow-Band Internet of Things (NB-IoT). It was developed to enhance energy and range efficiencies. On the premise that devices such as medical devices or vehicles play an essential role in our lives, it is therefore important to ensure that strong security requirements associated with the IoT are put in place.
The associate editor coordinating the review of this manuscript and approving it for publication was Junaid Arshad.
The main IoT security goals are confidentiality, integrity, and authenticity. Confidentiality assures no information leaks out of the transmission channels and hierarchy, integrity maintains the original form of data and information, and authenticity enhances proof of identity. For the information to be certified as clear, the three major traits should not be tampered with to provide secure information. A challenge encountered in the process of ensuring the security of the IoT is that IoT devices are mostly prone to be constrained on the basis of limited resources and memories. Therefore, there are many encrypting systems and methodologies developed and otherwise articulated that propose an alternative set of solutions to IoT security threats. The most common techniques used for such encoding and decoding purposes are the use of cryptography and implementation of cryptosystems.
The IoT uses many protocols and most of these are configured with cryptographic algorithms such as the advanced encryption standard (AES) to cater to confidentiality and integrity and elliptic curve cryptosystems (ECCs), which incorporate other digital signature algorithms to facilitate integrity and authentication [2]. Undeniably, there are numerous problems associated with the usage of symmetric algorithms. The major problem is the key exchange problem and a requirement for a new key for each correspondence. The safety of the current asymmetric (public key) cryptography depends on the degree of difficulty of mathematical problems, which include discrete logarithm and integer factorization problems. It is widely affirmed that these mathematical problems can effectively be solved using quantum computers. The key exchange, encryption and digital signature approaches used in modern society are therefore likely to be broken by quantum computers [3]. The estimated period for the first reliable quantum computer remains uncertain; however, some forecasts show that this scenario will probably occur in the next 5-10 years. In mathematics, there are also some problems that have been stubborn for both traditional computing and advanced quantum computing and simultaneously do not inherit the flaws of quantum computer implementation. These problems have recently prompted research interest. Based on research on asymmetric cryptography, lattice-based cryptography has been considered one of the postquantum cryptography techniques, integrating short keys with fast and highly effective operation [2]-[4]. Lattice-based cryptography is promising since it combines small keys and robust security measures that are complex to trace and break.
VOLUME 9, 2021. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
The security of such a system is often linked to the closest shortest vector or learning with error (LWE) problems in lattices to enhance the difficulty of breakage. The major examples of such cryptography include the Nth Degree Truncated Polynomial Ring Units (NTRU) encryption system.
In general, the concept of location-based cryptography was initiated by Chandran et al., although some tasks have appeared previously under several names [5]. The ultimate purpose of location-based cryptosystems is to utilize only the geographic location of a player as its identity and credential. For instance, an individual might be interested in composing and sending a message to a player (receiver) in a different geographic location, guaranteeing that the receiver can decrypt and read this message only if he/she is at $Pos_p$ [5]. It is important to note that such a setting can be applied in several scenarios in the real world, especially for the security of wireless networks, which allow access to resources under a condition that the party is at a specific position [6]. To the best of our knowledge, this research initiates the study of unconditional quantum-resistant location-driven cryptography by using lattice theory for the Internet of Moving Things (IoMT) in the pre- and postquantum world.
The major task faced by location-based cryptosystems is the implementation of a verification mechanism (secure positioning). One element called prover $P$ at a certain point $Pos_p$ connects to another set of components called referees (verifiers) $V_1$, $V_2$, $V_3$ and $V_4$ at different geographical positions $Pos_1$, $Pos_2$, $Pos_3$ and $Pos_4$, respectively; thus, this claimed prover $P$ is bounded by referees in the quadrangle. Using an applicable interactive protocol, the prover $P$ convinces the honest referees that his geographical location is at $Pos_p$ [5], [6]. For example, this scheme bears similarity to familiar distance bounding schemes [7], [8]. According to the distance bounding scheme, a referee transmits a message to the player and estimates the average time used by the player to return a reply with a certain message in its array of feedback. It is assumed that the signal can be transmitted at light speed. As a result, this scheme gives the distance between the player and the referee.
The task of secure localization has been under study in wireless sensor networks (WSNs) [9]-[12], [13], [14]. From those studies, several proposals have been articulated. Although the protocols have been studied with much effort, researchers [5], [6] stated that protocols for secure position-based verification that can offer security against collaborating attacks without assuming hard hypotheses do not exist. This is because the referees cannot differentiate if the requesters are honest or if they are working with collaborating-location-spoofing adversaries that are not actually at position $Pos_p$. In other words, there are demerits associated with the implementation of secure positioning. This conclusion excludes other cryptographic mechanisms based on location [6].
Considering the impracticality of implementing position-based cryptography in the standard (vanilla) model, Chandran et al. [5] introduce schemes for secure positioning and key exchange based on location that assume constraints on the attacker's memory size based on the "Bounded Retrieval Model (BRM)". Although these schemes give us an approach to determine the possibility of position-based cryptography, they are impracticable where inputs must not fit into the attacker's memory size, and the referees may require broadcasting large packets; thus, this requires high bandwidth and frequency. Consequently, an open research issue arises: how can unconditional position-driven cryptography be tractable for the Internet of Moving Things (IoMT) in the pre- and postquantum world?
The main contributions of this paper are as follows:
• A new lightweight cryptographic scheme in terms of 3D position and lattices, as a suitable alternative key for fifth-generation and sixth-generation systems and beyond, is proposed by taking into account the performance and energy consumption.
• The main benefit of the proposed cryptosystem is solving public key distribution problems and eliminating the public key infrastructure (PKI), given the very high cost and complexity of building PKIs. We solve problems of public key distribution and management by using position-based cryptography, i.e., we do not need to use digital certificates, certificate authorities, a private key generator or a key generation center in our proposed cryptosystem, unlike existing protocols.
• Although quantum computers have not yet been built at sufficient scale worldwide and qubit (quantum bit) counts are still limited, they will seriously compromise the security of all current cryptographic algorithms. However, it may take many years to re-encrypt massive amounts of previously stored data for a second time via more robust schemes, so it is important to apply this now. Consequently, it is important to improve postquantum cryptography. Because cryptography is an essential part of most systems, the necessity of its development has risen dramatically. Furthermore, the implementation of efficient cryptosystems requires a tremendously long time. Given the rapid development of quantum computers, the world has little time before it encounters this novel cybersecurity threat. As a result, we propose a protocol that is secure against quantum attacks.
• We demonstrate that for attackers that are not restricted to any state or condition, secure localization is practicable.
• To the best of our knowledge, the proposed cryptosystem is the first secure position-driven cryptosystem without any restrictions, and it is secure against any number of collusion attackers in the pre- and postquantum IoMT world, unlike existing schemes. Furthermore, it guarantees a mutual authentication process. This means that the proposed cryptosystem not only enhances the level of confidentiality but also enhances the level of authentication.
• The proposed position-based cryptography resists location spoofing attacks, unlike global positioning systems (GPSs).
• The proposed cryptography offers secure NB-IoT without attaching SIM cards to the NB-IoT device during its manufacture for purposes of security. This leads to resisting SIM swap fraud, SMS attacks or any attack to which NB-IoT is exposed because of vulnerabilities in the SIM card. In addition to SIM swap fraud, other attacks on SIM cards, such as SimJacker and side-channel attacks that exploit the leak of information, typically by the use of variation in electromagnetic waves or electric current, as well as other vulnerable SIM technologies, such as the S@T (SIM Alliance Toolbox) browser and WIB (Wireless Internet Browser), could be exploited. These vulnerabilities in the SIM card cause serious harm because the attacker can exploit them to control the victim's device remotely to achieve harmful behaviors, such as stealing all of the victim's information, obtaining the victim's location, tracking the victim, sending messages, and making calls. Another drawback is losses resulting from fraud or cloning opportunities. The average cost of a SIM card is $3, so the cost of replacing it is $30 because of changes relative to databases, customer care, administration systems, etc. Furthermore, investigating suspected cloning is more costly because it demands equipment, technical staff, etc.
• The proposed cryptographic approach is not only for NB-IoT but also a generic cryptosystem for any network.
• The proposed position-based cryptographic protocol could produce more secure communications between devices, in particular in critical (mobile/static) situations established by using only a party's physical location as its credential. For instance, the worldwide coronavirus (COVID-19) pandemic profoundly affected everyday activities. There is an increasing need for automation and electronic services to fight outbreak epidemics, such as e-health applications, e-learning, work from home and geographical tracking of COVID-19. However, internet hackers have exploited these difficult circumstances and have stolen tens of millions of dollars assigned by the German government to counter the spread of COVID-19 [15]. Moreover, an increase in cyberattacks in the next few months and years is expected as a result of the COVID-19 outbreak [16]. Consequently, in post-COVID-19 society, IoT applications have a rising influence.
• Our simulation compares NB-IoT without/with proposed cryptography to prove that the proposed cryptography improves IoT security without compromising its performance metrics (i.e., energy consumption, time consumption/delay, stability period and throughput). Consequently, the results indicate an optimized trade-off between security and performance. As a result, the efficiency and reliability of the proposed cryptosystem are proven.
• Combining position verification processes and lattice theory with the internet of (moving) things (IoMT) leads to an efficient protocol to improve security for the IoT in the pre- and postquantum world.
The rest of this research is arranged as follows: Section II gives an overview of the problem statement. In Section III, literature reviews related to this work are provided. We propose an unconditional quantum-resistant location-driven cryptosystem by using the lattice problem for the IoMT in the pre- and postquantum world in Section IV. Section V discusses analytical-based evaluation and simulator-based results. Finally, Section VI presents concluding remarks and future works.

II. PROBLEM STATEMENT
Security in IoT deployments is very important, as has been shown by various IoT surveys [17]. Whenever criminals take control of IoT devices, they can cause massive losses, first by stealing data for malicious gains and then by tampering with the stored data and other remote assets. This is one of the worries of enterprises regarding the use of IoT devices and their reliability and convenience in business. Although it may seem that some devices can be ignored as useless and that it does not make sense to protect them, hackers have directed their tricks at such devices because of this vulnerability and will greatly interfere with them. Such devices include smart bins and smoke alarms. It is important to keep such devices secure. If hackers decide to empty all the bins in the city by convincing authorities, trigger many smoke alarms or interfere with soil sensors to cause farmers to apply many fertilizers to their farms, chaos will arise [17].
NB-IoT falls under the category of the 3GPP standard and obtains all its security features from the long-term evolution (LTE). The NB-IoT SIM card has a built-in key that is secretly encoded to this device during manufacturing and is used to authenticate the device and network alternately. This will allow encryption of traffic in the device as well as in the core networks because it generates session keys that are frequently updated [17]. It is, however, very clear that LTE has been considered one of the latest technology standards in mobile networks, with a subscriber rate of over 85% worldwide [18]. The information that has been offered by the Global Mobile Suppliers Association (GSA) has indicated that toward the end of 2017, there were approximately 2.36 billion LTE subscriptions, a very inflated number compared with the 1.48 billion subscriptions that were recorded in 2016 [19].
Moreover, LTE is a worldwide standard that is applied in fourth-generation cellular networks after being presented in 3GPP Release 8 as an imperative direction toward future wireless telecommunications. For proper LTE network operation, the use of two standardized algorithms is always required to offer radio frequency. The algorithms are the EPS integrity algorithm (EIA) and the EPS encryption algorithm (EEA), both of which have been made and standardized for LTE networks. LTE has three sets of algorithms: 128-EEA1 and 128-EIA1, whose operations are dependent on the SNOW 3G cipher; 128-EEA2 and 128-EIA2, whose operations are developed on the AES cipher; and 128-EEA3 and 128-EIA3, whose operations are built using the ZUC cipher [18]. The introduction of LTE and NB-IoT seemed to be the solution by implementing authentication and encryption algorithms; however, the technologies are vulnerable to attacks.
Bikos [20] reported that LTE is exposed to several challenges on the basis of reliability and security. The heterogeneous nature of LTE and operation with IP-based open networks acts as one of the major contributors to vulnerabilities to attacks. Additionally, there are some notable vulnerabilities existing in the current LTE security framework that need adequate and emergent responses [21], [22]. First, flat IP-based 3GPP LTE networks raise risks of eavesdropping, injection, modification and other vulnerabilities greater than those in the previous systems. Second, weaknesses arise from the LTE system base stations, which are regarded as an All-IP network that offers a direct path for malicious attackers to the base stations. This also indicates weak resistance to attackers in the various base station configurations. Third, new challenges associated with handover authentication procedures have emerged [21], [22]. All these security vulnerabilities indicate that there is a need to improve and enhance future LTE and NB-IoT models for better security outcomes.
For cryptography to be implemented correctly, certain elements will be contained in a set of credentials that tend to portray the identities of receivers/senders. Such information will correspond to unique attributes such as biometrics, shared keys, digital certificates from the third party, etc. In most cases, identity is determined by geographical position. For instance, the role of a bank teller is known behind a bulletproof window not because of showing his credential but because of his location behind the bank's bulletproof window [23]. The geographical position of an element is a valuable source of information when the matter of identity is concerned [23]. Therefore, the geographical location of an object can be used as one of the credentials [23]. An open research issue that remains is: how can unconditional position-driven cryptography be tractable for the IoMT in the pre- and postquantum world?

III. LITERATURE REVIEW
In location-based cryptography, the main focus is looking at an environment where the only necessary requirement for a player (prover) is its physical position. In other words, with the current advancement in technology, for any entity, it is only required to know its exact location on the Earth's surface to obtain the required credentials. However, position-based cryptography has various problems, although most of these problems have not been unraveled. In the area of wireless network security, secure positioning is one of the challenges that has been widely studied [23], [24]. Some of the protocols that were proposed include [25]-[30], which are prone to location-spoofing attacks by collusion. Perazzo et al. [12] proposed secure localization via enlargement miscontrol disclosure (SPEM) in wireless sensor networks. Their localization scheme uses a multilateration and distance bounding protocol used in the IEEE 802.15.4a ultrawideband (UWB) standard. In [31], the researchers suggested three algorithms for drone path planning: first, LocalizerBee produces paths for positioning purposes; second, VerifierBee verifies a set of locations of devices; and third, PreciseVerifierBee verifies with accuracy, i.e., it is the expansion of VerifierBee. However, in [12], [31], they forced a preshared secret key to mitigate the attack. This means that they have restricted the security of their schemes to the secret keys; thus, the potential of compromising these shared secret keys is a highly realistic threat.
Circumventing the issue of multiple cloning adversaries may require the involved parties to assume a given setup phase characterized by unclonable tamper-proof verifications to every possible future prover [23], [24]. However, one of the most stringent quantum principles is that cloning quantum information is impossible (i.e., there is no operation in physical quantum law that accepts a single instance of quantum information as input and yields two copies of this input as outputs). For example, given a single qubit copy that is set to a combination of the two states of zero and one (superposition) $|\psi\rangle = C_0|0\rangle + C_1|1\rangle$, since qubit measurement disturbs its state, it is impossible to "extract" a complete classical definition of $C_0$ and $C_1$ [32]. Although it cannot be fully concluded, there are verifiers that are anonymous to hostile parties and players in [33], [34] that present secure localization in a wireless network with radio or ultrasound where the verifiers cannot be easily detected by adversaries or players. When various hostile entities collude, they might be able to subvert the verifiers. Reference [35] focused on a situation where there is a key exchange between Bob and Alice and message authentication in an environment where the two completely understand the presence of the other party within the transmission scope. However, to completely develop secure protocols, an assumption of the adversarial parties not being close to both Bob and Alice should be taken. As such, Bob and Alice should perfectly understand that they are conversing with each other and not to the enemy beforehand. This consequently improves the possibility of a key exchange occurring based on the style of protocol that was developed by Diffie-Hellman [23], [24].
Chiang et al. [36] are credited scholars who study the effects of colluding hostile parties in the area of secure localization. In the classical model, one important procedure for secure localization has been postulated to combat the challenge of colluding-location-spoofing attacks. From their investigation, they developed a protocol that can withstand attacks from two colluding hostile provers. When the colluding-location-spoofing adversaries exceed two and advance to three or four, executing attacks becomes possible. It is clearly shown that in addition to any protocol, it is possible to develop a classical model assault through an equivalent number of adversaries, similar to the verifiers found in the protocol [23], [24].
Despite the security of the proposed schemes having been proven against specific attackers, it is very possible to break them using colluding-location-spoofing attacks. The use of multiple attackers that work in unison has the potential of sending a string copy using the closest verifier to all the other attackers. In this case, each attacker is considered to have the potential to emulate the honest actions of a prover to its nearest verifier [37]. Additionally, studies have indicated that there is always a possibility for an attack to occur in the classical world setting after dropping some of the extra assumptions [6], [23]. The researchers in [23] also found that secure localization can be attained by assigning the memory size for attackers [37].
The results of [23], [38] are linked to impossibility due to imposing restrictions on collaborating attackers' devices (i.e., the assumption that an attacker cannot accumulate every bit of information received); however, an attacker actually has the potential to keep all the information received. In addition, the verifiers, in this case, must broadcast large bursts of data, which may be difficult [39]. As a result, quality-of-service (QoS) assurance decreases and a high bandwidth is required, which diminishes utility in the case of IoT or tactile internet applications given the dependence on limited sensors. Furthermore, Brody et al. [40] highlighted the negative results for this strong additional restriction in [23]. Based on the localization algorithm, a multiproxy multisignature protocol was introduced in [41]. Dziembowski and Zdanowicz [42] proposed location-based authentication and location-based key exchange in a noisy channel paradigm with essential timing and geometric information. The participating entities gain access to bit sources transmitted to them through autonomous noisy channels. Unfortunately, in [41], [42], the implementation is challenging because of the complicated assumptions that must be satisfied for their protocols to be secure: inputs must not fit into the attacker's memory, or the adversary's position must be restricted. In contrast to the literature, we do not enforce any hard conditions for adversarial parties' memory size, location or number.
It is, however, important to note that assuming a bounded retrieval may not be ideal in different settings, thus leading to the development of the question of whether developing extensions may be a possible contributor in achieving top-notch security [37]. A proposal to use quantum information instead of using classical information was then developed to address some of the challenges identified above. This proposal is underpinned by the fact that the classical attack always depends on the adversary's ability to keep and send information simultaneously with the other adversaries, where the researchers believe that copying quantum information is impossible and complex [37]. This complexity and impossibility make it difficult for attackers to penetrate the system [37]. Quantum theory and cryptography have been connected since 1968, and as the first use for a relationship between physical law-based quantum and cryptography, quantum money was suggested [32].
Buhrman et al. [6] argue that 'quantum tagging' is a term that was proposed by Kent in 2002, where the first incidences of using quantum schemes to verify the positions were taken into account. With the help of other researchers, a patent that was presented to the Labs of HP in 2004 ended up being reimbursed in 2006 [43]. Scholars' conclusions did not appear in research paper sources until 2010 [44], [45]. In these papers [44], [45], they advanced various concepts on how to disintegrate several schemes by utilizing teleportation-based attacks. Moreover, these teleportation attacks could not break some of the variations they proposed (schemes IV-VI in [45]), but the authors did not prove that these were unconditionally secure. The attacks that Buhrman et al. discussed in [6] have confirmed that schemes IV-VI in [45] are also not secure. In the quantum random oracle model, Unruh [46] presents a localization method and location-based authentication. Additionally, the author claims that the proposed protocols resist colluding attackers and do not need bounded memory/retrieval/entanglement restrictions, unlike previous studies. According to [32], the need for effective methods that do not depend on random oracles remains a significant open issue.
Malaney [47] proposed that it is possible to perform unconditional position verification using quantum channels. This scheme has been stated to be secure despite there being no deep provision of mathematical proof, efficient threat model or effective hardware implementation. However, Malaney's protocol, with the use of teleportation-based attacks, can be broken [6]. By using quantum particle swarm optimization (QPSO), Wu et al. [48] presented a range-free localization algorithm for nonhomogeneous wireless sensor networks that is relatively accurate. In [49], analysis of the location-based quantum cryptography used in distributed measurement systems, implementation issues and technical difficulties in quantum communications were discussed. Gao et al. [50] proposed quantum position verification with a hard constraint in which the frequency of operations of attackers is bounded. As a negative result, these schemes [48]-[50] may be broken by colluding teleportation-based attacks and side-channel attacks (information leakage attacks). Quantum teleportation attacks can be carried out by proper measurement of the qubit using shared entanglement resources [51].
However, there is a high probability that eavesdroppers exploit the flaws of quantum computing and quantum cryptography, for example, teleportation-based attacks, man-in-the-middle attacks, and denial of service attacks, to threaten security for a system if not resolved. Moreover, these threats involve laser seeding, information leakage attacks (Trojan-horse attacks), source flaws, side-channel attacks, pulse-energy monitoring, laser damage, device calibration and timing attacks [52]. Quantum cryptography, an effective technology to accomplish secure communication, must bridge the gap between theory and actual implementation to avoid vulnerabilities [53]. Therefore, quantum computers are in theory reliable, but in realistic processing of implementations, they still require research and refinement [52], [54]. This means that at present, there are major differences between real and theoretical quantum cryptosystems. In [32], several quantum cryptography shortcomings and problems were discussed. For instance, quantum bit commitment impossibility and secure two-entity computation using the quantum connection are impossible and zero-knowledge against quantum-based attacks. Because of these serious shortcomings and limitations, the search for classical cryptography approaches that resist quantum attacks is a rapidly rising research area. Lattice-based cryptography holds much promise for secure and practical postquantum cryptography [2]-[4], [55].
Furthermore, it is concluded that the work of location-based cryptography occupies several attempts in quantum computing. However, studying a number of different attacks about protocols [43], [45], [47], [51], [56], Buhrman et al. [6] cited in [23], [24] concluded that the safe positioning (location-verification) task, as well as cryptography based on position, are unattainable in cases where the involved parties exchange quantum data. Although studies such as [6], [23], [32], [37], [51], [56], [57] have mentioned that it is impossible to propose secure position-based cryptography in a typical model or quantum model without constraints, we can propose a secure and advanced position-driven cryptosystem without any constraint by using the lattice problem for the Internet of Moving Things (IoMT) in the pre- and postquantum world and simultaneously resisting quantum attacks and flaws. The proposed cryptographic protocol in this research not only solves the abovementioned problems but also improves the security of wireless networks.

IV. PROPOSED CRYPTOSYSTEM
Using only the geographical location of a player as a credential rather than an ID or biometrics is the aim of position-based cryptography. It is supposed that Alice (a mobile node, e.g., an unmanned aerial vehicle that collects data from anywhere) needs to send a message to Bob (a mobile node), called a prover, at a specified three-dimensional location $(X_P, Y_P, Z_P)$ with the guarantee that this message is read only by the player who is located at position $(X_P, Y_P, Z_P)$. This means that the claimed prover $P$, who claims that his position is $Pos_p(X_P, Y_P, Z_P)$, connects to another set of components called referees (verifiers) $V_1$, $V_2$, $V_3$ and $V_4$ at these different known geographical positions and $Pos_4(X_4, Y_4, Z_4)$, respectively, so that this claimed prover is in the quadrangle bounded by referees. Definitely, there is the potential for numerous adversaries. In fact, a verifier $V_m$ can send a message to claimed prover $P$ at a specific time and can additionally record each message that is received from $P$ together with the time it is received. It can be assumed that a message travels at speeds equal to the speed of light, referred to as $C$, as is the case in a global positioning system (GPS) [23].
Both Alice and Bob are limited resource devices in the IoMT system. By using any localization method, such as range-based localization or nonrange-based localization techniques [10], [58], [59], Alice can recognize his region, so it can also be supposed that the lattice public keys of verifiers, which are in Alice's region, are downloaded on Alice's device, and these keys will be updated when Alice moves from one region to another, such as an updating process for any application. Nonetheless, the positioning accuracy of nonrange-based techniques is typically lower than that of range-based techniques, so in this protocol, we focus on range-based methods to achieve very accurate 3-D location information. However, the verifiers can be sinks, base stations (BSs), gateways or even satellites. The prover's position is given to the adversaries and the verifiers [23]. Consequently, Alice sends to the nearest verifier a message containing his lattice public key and a request for Bob's public key (the intended prover's public key), encrypted by the lattice public key of this closest verifier, i.e., Alice → Nearest $V_m$: $\{PK_A, \text{Request Bob's } PK\}_{PK_{V_m}}$. The verifiers have secure channels among themselves, allowing them to secretly communicate [23]. Figure (1) shows the proposed model structure.
However, the claimed prover (player) P needs to convince the honest verifiers that he is located at the position (X P , Y P , Z P ) by applying the following three verification tests: TDoF (time difference of flight)-based test, RSS (received signal strength)-based verification and AoA (angle of arrival)-based verification process. Because of these signal features, TDoF, RSS and AoA are widely used for localization. Furthermore, the integration of these three localization schemes leads to high location accuracy while maintaining low energy and time consumption at a low cost of implementation for verifier devices. These measurements only rely on the physical and hardware environment, which means that malicious nodes cannot easily forge, tamper or manipulate these measured values.
Many ways exist for positioning the user of a wireless network. The most frequently used method is by using GPS, the accuracy of which can achieve every requirement of a location-dependent application. The central issue with GPS is that, apart from the user terminal needing to be enabled for GPS, there is the heavy power demand of the unit, latency, and the potential limitations of coverage. Additionally, GPS can be less reliable in towns and cities in proximity to tall structures and in the inside of a tunnel. Another important disadvantage of GPS is vulnerability to location spoofing attacks [60]-[63]. An additional method is to rely on wireless networks themselves through the use of cell ID information, which is extensively utilized in the GSM (Global System for Mobile Communications), despite drawbacks of its accuracy. Additional accuracy can be achieved by using alternative network resources, such as TDoF (hyperbolic localization) [64], RSS or AoA [58], [65], [66]; thus, we combine these three resources to reduce location error, generate high-level security and increase the accuracy of positioning efficiently. Table (1) shows the notation summary of the proposed protocol.

A. FIRST TEST: PROPOSED TIME DIFFERENCE OF FLIGHT-BASED ALGORITHM
In this test, we develop Chandran's protocol [23], which is performed by four verifiers and is detailed in Figure (2) as the following steps.
Step 1: Let $T_1$, $T_2$, $T_3$ and $T_4$ be the timestamps of radio waves taken to reach points $V_1$, $V_2$, $V_3$ and $V_4$, respectively, from the claimed prover $P$. Let $C$ be the speed of light in a vacuum (299,792,458 meters/sec.). To determine the electromagnetic wavelength $C_f = C \div f$, where $f = 200$ kHz, NB-IoT works on the frequency band of licensed 3GPP (200 kHz employed). The derivation is applied to obtain the distance between $P$ and $V_m$,

Step 2: $V_1$ picks up a random number denoted as key $K_1$. Additionally, $V_2$, $V_3$ and $V_4$ pick up random challenges $R_1$, $R_2$ and $R_3$, respectively, and then transmit these messages $K_1$, $R_1$, $R_2$ and $R_3$ over the secure channels among themselves.

Step 3:

Step 4: At timestamp $T$, verifiers $V_1$, $V_2$, $V_3$, and $V_4$ send $K_1$, $R_1$, $R_2$ and $R_3$, respectively, to claimed prover $P$ at location $(X_P, Y_P, Z_P)$ in the space.

Step 5: The claimed prover $P$ at location $(X_P, Y_P, Z_P)$ computes $K_2 = R_1 K_1$, $K_3 = R_2 K_2$, $K_4 = R_3 K_3$ in that order. As a result, the claimed prover $P$ returns $K_4$ and attaches his lattice public key $PK_p$ to all verifiers $V_1$, $V_2$, $V_3$, and $V_4$.

Step 6: The verifier $V_1$ receives this reply $\{K_4\ PK_p\}_{PK_{V_1}}$ from the claimed prover $P$ within timestamp $T_1$, the verifier $V_2$ receives this reply $\{K_4\ PK_p\}_{PK_{V_2}}$ from the claimed prover $P$ within timestamp $T_2$, the verifier $V_3$ receives this reply $\{K_4\ PK_p\}_{PK_{V_3}}$ from the claimed prover $P$ at timestamp $T_3$ and the last verifier $V_4$ receives this reply $\{K_4\ PK_p\}_{PK_{V_4}}$ from the claimed prover $P$ within timestamp $T_4$. Therefore, the referee $V_m$ can guarantee that this message was transmitted by the device that is located at distance $D_{TDoF_m} = C_f \times (T_m - T) \div 2$.

Step 7: Each verifier $V_1$, $V_2$, $V_3$ and $V_4$ decrypts the received message via his lattice public key ($PK_{V_m}$), then checks that the received $K_4$ equals the $K_4$ that he precomputed and checks that the distances $D_{TDoF_1}$, $D_{TDoF_2}$, $D_{TDoF_3}$ and $D_{TDoF_4}$ are equal to the actual distance between him and the intended position $(X_P, Y_P, Z_P)$. If this verification process succeeds, it means that the claimed prover $P$ passes the first test (TDoF-based verification) and then moves to the second test (RSS-based verification). Otherwise, the claimed position/prover is rejected.

B. SECOND TEST: ADAPTIVE RSS-BASED MATHEMATICAL MODEL
In wireless communications, RSS represents the average power that a node receives, where the power originates from the source of the emitter. RSS measures the distance between any two nodes from the received signal strength measurement between each node [66], [67]. The majority of wireless devices can measure received signal strength without requiring extra system modification, hardware or overhead from communication. According to Daiya et al. [68], the RSS results present the estimated location of the sensor nodes with an estimated error of between 5% and 10%. The widespread exponential path-loss form is a frequent strategy and is the easiest to organize and use. The path-loss exponent form is a log-power scale, which states that the rate of RSS declines linearly with the value of the distance between nodes. This is an approximate estimate; for example, noise levels are high and are dependent on nonline-of-sight (NLOS) and multipath conditions. Because most wireless devices can measure received signal strength, RSS-based localization algorithms have increased in popularity. However, integrating the information from all the verifiers reduces the location error and effectively increases the positioning accuracy.
In contrast to the other localization methods, RSS is representative of the relationship between an obtained power and communication. It is used to determine the distance between a receiver and sender when most of the electromagnetic waves propagate over an LOS link. This method is used to handle the mobility of devices in several protocols of mobility-aware media access control (MAC).
When the direct path of transmission exists between two devices and is put into environments where there is no interference of signals, then the received power of signal $P_r$ forms a relationship to the distance, $D_{RSS}$, between the receiving and transmitting devices in the law of inverse square [69].

However, equation (1) states the correlation between the relative distance and RSS. In reality, there are multiple influences on the received signal strength value. For instance, diffraction, refraction, reflection, and scattering of waves are a result of nearby objects and obstacles between receivers and transmitters. It has been discovered through experimentation that walls can lower the signal strength by up to 3 dBm (decibel-milliwatts) on average [69]. In other words, the received power of signal $P_r$ declines more gradually because of shadow fading, nonuniform propagation and multipath propagation. This causes a transfer of the relationship between $D_{RSS}$ and $P_r$ to:

where $n$ refers to exponential path loss and $P_t$ is transmitted signal power. To express $P_r$ and $P_t$ in dBm, since dBm is a logarithmic unit to measure power, it is taken as 10 times the logarithm function for both sides in (2) as follows:

$$10 \log_{10} P_r = 10 \log_{10} P_t - 10\, n \log_{10} D_{RSS} \qquad (3)$$

However, $10 \log_{10} P$ is the expression of the converted power to dBm. At a distance of one meter, the received power is almost equal to the transmitted power; thus, $P_t$ (dBm) can be measured as the received signal power at a distance of one meter. Consequently, the correlation between the value of distance $D_{RSS}$ and received signal strength $P_r$ (dBm) can be written as the following log-formula given in equation (4):

where $P_r(D_{RSS})$ is the received wireless signal power in decibel-milliwatts (dBm) at the distance $D_{RSS}$, $P_0(D_0)$ is the reference signal power in dBm from the sender at a reference distance $D_0$.

For most applications, $D_0$ generally equals one meter, $D_{RSS}$ denotes the real distance between the sender and receiver, $n$ refers to the path-loss or signal decay exponent, which is defined as the rate at which the RSS declines with distance, $W$ is the weight of the power shadow, $Var$ denotes the expected noise variance in the received signal and $\gamma$ is expressed as the ratio of the received to reference signal powers, i.e., $P_r / P_0$. $\delta_{best}$ will increase the probability that the scheme converges to better localization, $\varepsilon$ denotes a random value in the range [0, 1] generated by Rand(), and $M$ is the maximum number of verifiers [70], [71]. In fact, both $n$ and $Var$ depend on the environment. However, $n$, $Var$ and $P_0$ can be retrieved for each verifier $V_m$ by using an uncomplicated supervised learning procedure, and we can use intelligent techniques such as deep learning, a nonquantum particle swarm optimization approach and a genetic algorithm to increase the accuracy of RSS-based localization. Both are the most promising techniques for optimization because they combine high accuracy and low computational time. Table (2) illustrates the path-loss exponent value ($n$) based on the building type and surroundings because it can be determined using the premeasurements [72], [73].

RSS is assessed between the readers and the tag. Wireless signal strength is transformed to distance, giving four distances required for 3D multilateration. In other words, the distance between unknown prover $P$ and the verifiers can be calculated by $V_1$, $V_2$, $V_3$ and $V_4$ using equations (5), (6), (7), and (8), respectively:

Once each distance has been computed, then they are inserted into a set of quadratic formulas, which is termed trilateration or multilateration. Trilateration enables the finding of the position of claimed prover $P$ on the $XY$ plane, while the multilateration method permits the finding of the position of claimed prover $P$ on the $X$, $Y$, and $Z$ axes.
Multilateration has the implication of additional reference nodes, which reduces the uncertainty of the position of the mobile node based on the measured distance accuracy. The four verifiers' locations are known along with the distance between each verifier and the unknown prover $P$ for 3-D multilateration to function perfectly. The intersection between all four verifiers is the unknown prover's location, as shown in Figure (3). Before computing 3D multilateration quadratic equations, the average of the resulting distances from the TDoF-based test and RSS-based test is required to reduce the error estimation using the following equations. The verifiers $V_1$, $V_2$, $V_3$ and $V_4$ compute the average of distances $D_{avg1}$, $D_{avg2}$, $D_{avg3}$ and $D_{avg4}$ respectively as the following equations ((9)-(12)) and then transmit these distance averages and 3D position of themselves, i.e., these messages Y 4 , Z 4 )} over the secure channels among themselves.
By using the Euclidean distance between the position of each verifier and the claimed prover's position, each verifier can obtain equations (13), (14), (15) and (16) for 3D multilateration and then compute the 3D position of the claimed prover as follows:

To simplify the above quadratic equation set, equation (13) is subtracted from equations (14), (15) and (16). As a result, the following three linear equations will be produced.

The $X_{Prss}$, $Y_{Prss}$ and $Z_{Prss}$ coordinates are obtained by resolving the linear equations (17), (18) and (19) using Cramer's rule of $3 \times 3$ matrices as equations (20)-(22).
If this verification process succeeds, it means that the measured position $(X_{Prss}, Y_{Prss}, Z_{Prss})$ is equal to the intended position $(X_P, Y_P, Z_P)$, and the third verification can proceed, which is the AoA-based verification. Otherwise, the claimed position is rejected.
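The second test end to end, as an added Python example that is not the authors' code: RSS is inverted to distance with the log-distance relation of equation (3), averaged with the TDoF distance, and the four-verifier sphere equations are reduced to a 3 × 3 linear system solved by Cramer's rule. The verifier coordinates, reference power, path-loss exponent, acceptance tolerance and all function names are constructed for illustration; the round-trip distance is taken with the propagation speed $C$ and no processing delay at the prover, and the average is assumed to be the arithmetic mean.

```python
import math

C = 299_792_458.0  # propagation speed in m/s (Step 1 of the first test)

# Constructed sample values, not taken from the paper: four non-coplanar
# verifier positions (metres), reference power at D_0 = 1 m, path-loss exponent.
VERIFIERS = [(0.0, 0.0, 0.0), (100.0, 0.0, 0.0), (0.0, 100.0, 0.0), (0.0, 0.0, 100.0)]
P0_DBM = -40.0
N_EXP = 2.7
TOL_M = 5.0  # acceptance radius in metres (assumption of this example)


def tdof_distance(t_sent, t_received):
    """Round-trip distance C * (T_m - T) / 2, assuming no processing delay at P."""
    return C * (t_received - t_sent) / 2.0


def rss_to_distance(p_r_dbm, p0_dbm=P0_DBM, n=N_EXP, d0=1.0):
    """Invert P_r = P_0 - 10 n log10(D / D_0) for D (metres)."""
    return d0 * 10.0 ** ((p0_dbm - p_r_dbm) / (10.0 * n))


def det3(m):
    """Determinant of a 3 x 3 matrix given as nested lists."""
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))


def multilaterate(verifiers, distances):
    """Position from four spheres |p - V_m| = D_m.

    Subtracting the first sphere equation from the other three cancels the
    quadratic terms and leaves a 3 x 3 linear system, solved by Cramer's rule.
    """
    (x1, y1, z1), d1 = verifiers[0], distances[0]
    a, b = [], []
    for (xm, ym, zm), dm in zip(verifiers[1:4], distances[1:4]):
        a.append([2.0 * (xm - x1), 2.0 * (ym - y1), 2.0 * (zm - z1)])
        b.append(d1 ** 2 - dm ** 2
                 + (xm ** 2 + ym ** 2 + zm ** 2) - (x1 ** 2 + y1 ** 2 + z1 ** 2))
    d = det3(a)
    if abs(d) < 1e-9:
        # Coplanar verifiers give a singular system: one axis is unobservable.
        raise ValueError("verifiers are coplanar; 3-D position is not determined")
    solution = []
    for k in range(3):
        a_k = [row[:] for row in a]
        for i in range(3):
            a_k[i][k] = b[i]  # replace column k with the right-hand side
        solution.append(det3(a_k) / d)
    return tuple(solution)


def verify_claim(verifiers, t_sent, t_received, rss_dbm, claimed, tol_m=TOL_M):
    """Return (accepted, estimated_position, error_in_metres)."""
    d_tdof = [tdof_distance(t_sent, t) for t in t_received]
    d_rss = [rss_to_distance(p) for p in rss_dbm]
    d_avg = [(dt + dr) / 2.0 for dt, dr in zip(d_tdof, d_rss)]
    estimate = multilaterate(verifiers, d_avg)
    error = math.dist(estimate, claimed)
    return error <= tol_m, estimate, error


def simulate_measurements(actual, t_sent=0.0):
    """Constructed, noise-free readings for a device physically at `actual`."""
    dists = [math.dist(v, actual) for v in VERIFIERS]
    t_received = [t_sent + 2.0 * d / C for d in dists]
    rss_dbm = [P0_DBM - 10.0 * N_EXP * math.log10(d) for d in dists]
    return t_received, rss_dbm


if __name__ == "__main__":
    claimed = (30.0, 40.0, 20.0)
    for label, actual in (("at claimed position", claimed),
                          ("elsewhere", (60.0, 10.0, 50.0))):
        t_rx, rss = simulate_measurements(actual)
        accepted, est, err = verify_claim(VERIFIERS, 0.0, t_rx, rss, claimed)
        print(label, accepted, [round(c, 2) for c in est], round(err, 2))
```

A timing error of 1 µs moves the TDoF distance by about 150 m, and the RSS location error cited from [68] is 5% to 10%, so `TOL_M` has to be derived from measured clock and signal error rather than set to zero.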

C. THIRD TEST: ADAPTIVE AoA-BASED MATHEMATICAL MODEL
Many future systems of localization will utilize the AoA technique, as the coming fifth-generation networks may be provided with antenna arrays that allow assessing the AoA of the received signal [74] from a mobile node. The concept of AoA measurement is utilized in VOR/VORTAC systems for navigation of aircraft. Figures (4), (5) and (6) illustrate the structure of the AoA positioning system in the context of the elevation (vertical) angle θ and the azimuth (horizontal) angle ϕ of received electromagnetic signals at the verifiers, where the azimuth angle ϕ is from 0 to 2π and the elevation angle θ is from 0 to 90.
The verifiers $V_1$, $V_2$, $V_3$ and $V_4$ rely on the relationship between AoA and coordinates [25], [75]-[78] to estimate the horizontal location first via formula (23) and then estimate the vertical location via formula (24) to obtain the three-dimensional location $(X_{Paoa}, Y_{Paoa}, Z_{Paoa})$ of claimed prover $P$. In terms of noise elimination, we use a Gaussian filter ($G_{X,Y}$ and $G_Z$) with zero mean to reduce the noise in the received signals at the verifiers. Thus, this leads to enhanced AoA-based positioning as follows:

, m = 1, 2, 3, 4 and σ is standard deviation m 2 Var and m = 1, 2, 3, 4

Moreover, to obtain a very high accuracy of AoA-based localization, optimization techniques could be used. Therefore, the verifiers $V_1$, $V_2$, $V_3$ and $V_4$ transmit these measurements of the elevation angles $\theta_m$ and the azimuth angles $\phi_m$ over the secure channels among themselves. The equation (23) can be expressed as equation (26).
Expressing (27) in matrix form, we will have (28) and (29):

As a result, equation (24) can be solved easily to obtain the third coordinate $Z_{Paoa}$ of the claimed prover's location.

VOLUME 9, 2021
On average, we can evaluate the suggested localization algorithms as follows (30)-(32):

If this verification process succeeds, it means that the claimed prover $P$ is verified, and he proves that his position is at $(X_P, Y_P, Z_P)$; then the closest verifier to the sender will send the prover's lattice public key encrypted by Alice's lattice public key to the sender (Alice), i.e., Nearest $V_m$ → Alice: $\{PK_p\}_{PK_A}$. After that, the verifiers will delete $PK_p$ and $PK_A$ from their devices because in case any verifier is attacked in the future, the attackers cannot obtain the $PK_p$ and $PK_A$. Otherwise, the claimed position is rejected.
All entities use lattice theory (lattice-based cryptography) to generate public/private keys and encrypt/decrypt messages [79]-[83]. Hence, we develop the NTRU and Goldreich-Goldwasser-Halevi (GGH) algorithms as follows: We define an equilateral triangular lattice (hexagonal lattice) $L$ over $p$-adic integers to form a subring of $\mathbb{Q}_p$ such that $L \subset \mathbb{Z}_p^{i \times j}$ good prime integrated polynomial entropies with dimensions $i$ and $j$. The integral of the polynomial is employed to encrypt the message, whereas the derivative of the polynomial (differential polynomial) is applied to decrypt the message. We select prime modulus $p$ and highest exponent (truncation index) $N$ [84] based on our simulation-based evaluation equal to 2 and 17.5, respectively. $N$ can be increased to obtain more security, but this value is nominated to achieve a relative balance between security and performance, especially for limited resource devices such as in the case of the IoT/IoMT environment. $N$ must not be equal to zero because zero yields infinite order. This evaluation is implemented on a laptop with an Intel Core i7-1165G7 processor (12 MB cache, up to 4.7 GHz) and 16 GB LPDDR4x RAM (up to 4267 MHz) by using MATLAB R2018b. Here, arithmetic operations are performed in the $p$-adics [84]. However, the number of $p$-adic integers associated with terminating $p$-adic integers is a countable set, particularly a countably infinite set [85].
To obtain a high cryptographic quality and information leakage prevention with less complexity time, shifting [86] and Henon shuffling maps [87]-[91] are applied. Therefore, it is effective for the IoT/IoMT system and impossible to break. The Henon shuffling map is a discrete-time dynamical system to shuffle the point position $(X_\tau, Y_\tau)$ to a new position in the plane in a chaotic manner as follows:

The iteration number for the Henon shuffling map here is 100. For chaotic behavior, parameter $a$ is 1.4 and parameter $b$ is 0.3, whereas other values for $a$ and $b$ make the Henon map intermittent, chaotic or converge to a periodical orbit [89].
A message (i.e., plain text) Msg ∈ L. An example of an equilateral triangular lattice (hexagonal lattice) L is shown in Figure (7).
Keys generation: Select prime $\beta, \alpha, \xi \in \mathbb{Z}_p$ good integrated polynomial entropies over the $p$-adic number field.
Select matrix $S1 \in L$ good prime integrated polynomial entropies.
Select matrices , $\in L \subset \mathbb{Z}_p^{i \times j}$ good prime integrated polynomial entropies over $p$-adic number system $\mathbb{Q}_p$.

V. ANALYTICAL-BASED EVALUATION AND SIMULATION-BASED RESULTS
This section depicts the robustness of the proposed cryptographic scheme in the context of cybersecurity and the effectiveness of performance features, including the energy consumption of normal and advanced sensor devices, stability period of the NB-IoT device-to-device network (NB-IoT D2D), time consumption at the BS, elapsed time for the whole NB-IoT D2D network, and throughput. We demonstrate that the proposed cryptosystem resists key attacks that are highlighted in the state of the art and works efficiently without compromising the performance of the NB-IoT D2D attocell.
Notably, all three verification processes (TDoF, RSS and AoA) are applied by verifiers ($V_m$) rather than IoT devices ($p$) in the proposed cryptosystem. As a result, a large part of the energy consumption and time cost is the responsibility of the verifiers $V_m$, which are gateways, sinks, base stations or even satellites; thus, the proposed 3D-location-driven cryptosystem is effective, especially in the case of IoT or tactile internet applications that contain restricted-resource devices.
The functionality comparison between the proposed cryptosystem and some related schemes is depicted in Table (3). The proposed cryptosystem not only provides communications confidentiality but also fulfills all criteria of security without complex conditions or equipment. From these descriptions and simulation outputs, in the next section, it is concluded that our cryptosystem is more practical.

A. SECURITY ANALYSIS VIA THREAT MODEL
To analyze the proposed efficient location-driven cryptosystem, threat modeling is applied. It is assumed in threat modeling that two entities communicate over an untrusted communication channel.

Claim (1): The proposed cryptosystem resists any number of colluding-location-spoofing attacks.
Proof: Colluding positioning spoofing attacks is a case where a number of colluding attackers surrounding the intended position $(X_P, Y_P, Z_P)$ spoof successfully to cheat $V_m$ that their locations at the location of $P$ via a data forgery to obtain illegal advantages. In the proposed cryptographic protocol, the colluding spoofer adversaries must persuade the four verifiers $V_m$ that their locations are at actual 3D coordinates of the aimed location $(X_P, Y_P, Z_P)$ (i.e., receiver's location) to spoof/fraud the aimed position $(X_P, Y_P, Z_P)$. These colluding spoofer attackers cannot persuade the $V_m$ because they do not pass all three tests: TDoF-, RSS- and AoA-based location verification algorithms. These measures are based exclusively on the hardware and physical environment such that these measured values cannot be readily manipulated or forged by location spoofing attacks even by colluding. Furthermore, the integration of these three adaptive localization schemes leads to reliable locations in the presence of colluding spoofers. However, GPS is exposed to location spoofing attacks because it depends deeply on the time information [60]-[63], [94]-[96]. The colluding spoofing location attacks are solved by using adaptive RSS and AoA-based mathematical models.

Claim (2): The proposed cryptosystem solves the problems for public key distribution and public key infrastructure (PKI).
Proof: Unlike conventional public-key cryptography, there is no real PKI in our cryptosystem, where $V_m$ is responsible for sending public keys between users (IoT devices) after three location verification processes, and these $V_m$ are trusted. $PK_A$ and $PK_p$ are encrypted by $PK_{V_m}$ such that Alice → Nearest $V_m$: $\{PK_A, \text{Request Bob's } PK\}_{PK_{V_m}}$ and $P$ → $V_m$: $\{K_4\ PK_p\}_{PK_{V_m}}$. In addition, the $V_m$ will delete $PK_p$ and $PK_A$ from their devices because in case any $V_m$ is attacked, the attackers cannot obtain $PK_p$ and $PK_A$. This means that the process of public key transmission is only performed among the sender, verified receiver and $V_m$, all of which are trusted. Each device generates its lattice private and public keys. For all these reasons, no requirement is necessary to revoke or change these keys per period. However, $V_m$ may change their keys after a long period depending on the sensitivity of the application. This does not matter because $V_m$ are sinks, base stations, gateways or even satellites, i.e., superstrong equipment. Hence, there is no obligation to distribute the public keys between users' devices via a hierarchy of certificate authorities (path of certification/trust chain), as in traditional PKI, which suffers from multiple issues, such as central authority, validation problems, and certificate revocation, as well as threats to PGP certificates. In other words, in our proposed cryptosystem, there is no need to use digital certificates signed (using a digital signature algorithm) by trusted authorities, certificate authorities, a key generation center or a private key generator.

Claim (3): The proposed cryptography resists SIM swap fraud, SimJacker and side-channel attacks to which NB-IoT is vulnerable, as well as other vulnerable SIM technologies, such as the S@T browser and WIB, that may be exploited.
Proof: Cybersecurity for IoT Technologies in the third-generation partnership project (3GPP), such as NB-IoT and long-term evolution for machine-type communication (LTE-M), and some of the cybersecurity in the context of 5G involve SIM/USIM cards for security purposes, for instance, mutual authentication between a user device (SIM/USIM) and network and encryption features [55]. This leads to SIM swap fraud, SimJacker, SMS attacks and side-channel attacks because of vulnerabilities in the SIM cards. Additionally, there are other vulnerable technologies in SIM that may be exploited, such as the S@T browser and WIB. However, the proposed cryptosystem uses the physical geographical location of the device as an identity rather than a SIM/USIM card; thus, it resists all these attacks, vulnerabilities and impersonation.
Claim (4): The proposed cryptographic scheme resists replay attacks.
Proof: While adversaries eavesdrop on the communication channels between the $V_m$ and sender, between the $V_m$ and receiver or between the sender and receiver, only encrypted (i.e., unreadable form) data are available that cannot be reused. Furthermore, the proposed cryptosystem uses timestamps $T$ and $T_m$ to prevent replay attacks. Therefore, there is no successful replay attack against the proposed cryptosystem.

B. SIMULATION RESULTS
In this section, an averaged simulation-based evaluation concerning the proposed cryptosystem is provided. We use our open-source NB-IoT D2D simulation [93] to compare an insecure NB-IoT D2D network (without any security consideration) and a secure NB-IoT D2D network (via the proposed cryptosystem). This implementation-based evaluation involves not only the cost of cybersecurity operations but also the cost of telecommunications. However, all the performance metrics affected by security operations are studied to achieve a comprehensive evaluation of the proposed cryptosystem. The number of sensor nodes in the NB-IoT D2D attocell network is 300 and distributed randomly in a macrocell of an urban area. The simulator outputs demonstrate the reliability and robustness of the proposed cryptosystem.
The comparison of elapsed time for two cases in the urban macrocell, the first case, insecure NB-IoT D2D attocell (without any security consideration), and the second case, secure NB-IoT D2D attocell (via the proposed cryptosystem), is depicted in Figure (9). This comparison is evaluated until more than half of the sensor devices in the NB-IoT D2D network are dead (800 rounds). In the insecure NB-IoT D2D network, only plain messages were sent regardless of the existence of attackers (eavesdroppers) and without security considerations in such a public network. All communication costs for the insecure NB-IoT D2D network as well as computation and transmission costs of the proposed cryptosystem were taken into consideration in the secure NB-IoT D2D network. With the suggested cryptosystem, the operating and transmitting costs are 88.819458 minutes, whereas without any security consideration, they are 84.641032 minutes. This indicates that only 4.178426 minutes is increased in the presence of the proposed cryptosystem. As a result, such a small delay is negligible compared to achieving a secure NB-IoT D2D network.
In view of the wireless communication principles, the stability period is one of the most important performance metrics, especially for IoMT. Therefore, it is measured to present an effective evaluation of our proposed cryptosystem. The stability period is defined as the duration of time between the beginning of the network operation and the death of one of the resource-constrained devices in the network [97]. Figure (10) shows the comparison of stability periods for insecure and secure NB-IoT D2D networks. The stability periods for the insecure NB-IoT D2D network and secure NB-IoT D2D network are 638 rounds and 625 rounds, respectively. This means that stability periods are very convergent. The comparison of the power dissipation profile for normal sensor and advanced sensor is explained in Figure (11) and Figure (12), respectively, in insecure and secure NB-IoT D2D attocell networks. This demonstrates that the State of Health (SOH) and State of Charge (SOC) of a sensor's battery are managed proficiently. In other words, there is no significant overhead cost in secure NB-IoT D2D attocell network in exchange for resisting adversarial attacks in such public networks. Figure (13) depicts the comparison of insecure and secure NB-IoT network throughputs. Accordingly, the successful received packets rate considering the proposed cryptography is still effective. Figure (14) shows the comparisons of delay time at BS No. 24 in insecure NB-IoT D2D network and secure NB-IoT D2D network. However, there is no significant delay time in the second situation.

VI. CONCLUSION AND FUTURE WORK
In this paper, we proposed an unconditional quantum-resistant cryptography for the IoT/IoMT based on location-based lattices in the pre- and postquantum world. We compare the proposed cryptosystem and some related schemes. Threat modeling is employed to prove the robustness of the proposed cryptosystem. Additionally, our simulation results compare an insecure NB-IoT network (without any security consideration) and a secure NB-IoT network (via the proposed cryptosystem). These results prove that the proposed cryptography improves IoT security without compromising its performance features, including the energy consumption of advanced and normal nodes, time consumption at the BS, stability period, throughput and elapsed time for the whole network in the presence of cybersecurity computational costs and transmission costs. This expresses an optimized trade-off between security and performance. In the future, we will implement the proposed cryptosystem in the real world using real embedded devices and wireless network hardware (5G infrastructure) to examine its actual productivity and performance.