A Lightweight Post-Quantum Lattice-Based RSA for Secure Communications

The conventional RSA algorithm, being the basis for several proposed cryptosystems, has remarkable security lapses with respect to confidentiality and integrity over the internet, which can be compromised by state-of-the-art attacks, especially for the different types of data generation, transmission, and analysis performed by IoT applications. This security threat is considered a hard problem to solve on classical computers. However, when quantum mechanics is taken into account, this no longer holds true. So, this calls for the modification of the conventional pre-quantum RSA algorithm into a secure post-quantum cryptographic RSA technique. In this research, we propose a post-quantum lattice-based RSA (LB-RSA) for IoT-based cloud applications to secure the shared data and information. The proposed work is validated by implementing it in 60 dimensions. The key size is about $1.152\times 10^{5}$ bits and the generation time is 0.8 hours. Furthermore, it has been tested with AVISPA, which confirms security in the presence of an intruder. Moreover, the proposed LB-RSA technique is compared with existing state-of-the-art techniques. The empirical results indicate that the proposed lattice-based variant is not only safe but beats its counterparts in terms of secured data sharing.

This alarming security situation poses a serious threat to public-key cryptography, because it cannot adapt to quantum attacks by increasing the key length to outpace the growth of quantum computing. Such security threats would compromise two major aspects of the cryptography of digital communications, especially when IoT-based cloud applications are considered: confidentiality and integrity over the internet and elsewhere. This security threat is a great deal of worry [2], [3].
In 1994, Peter Shor presented the notion of quantum computing: performing calculations based on the physical properties of matter and energy, and being able to break within polynomial time the RSA cryptosystem, whose security relies on integer factorization. Moreover, the publication of Shor's algorithm claims that a powerful quantum computer would be able to conquer all sorts of modern techniques of communication security, from key exchange to digital authentication of data. So, all the traditional public-key cryptosystems were rendered impotent [4]. For instance:
• When quantum computing becomes a reality, it will signal the end of traditional cryptography [5].
• With the construction of the first quantum-factoring device, the security of public-key cryptosystems will become extinct [6].

VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

The post-quantum transition raises many fundamental challenges for public-key cryptographic systems such as RSA, which need to be addressed to avoid future threats. In 2030, quantum computers will be capable of breaking 2000-bit RSA [7]. Moreover, those cryptosystems offering 80 bits or less of security, which were phased out in 2011 to 2013, are also at risk [8]-[11]. The use cases of post-quantum RSA [12] rely on the faint possibility of considerable improvements in attacks against widespread alternatives, and the same criticism applies equally strongly, as discussed in [13]. Hence, there is a need to design a protocol that is resistant to quantum computers. Among all computational problems believed to be quantum-safe, lattice-based problems have emerged as the more economical and quantum-safe providers of encryption, due to their strong security proofs, simplicity, and efficient implementation [14]. In this paper, we propose a variant of RSA that is based on lattices rather than the integer factorization problem. In lattice-based cryptography, key selection is not just strong but also hard to break [15]. The private key for these schemes is a lattice point, while the public key is an arbitrary location in space whose nearest lattice point is the private key.
In conclusion, our proposed study makes the following contributions:
• Introduction of an RSA problem based on lattices rather than integer factorization.
• Security enhancement for communication by increasing key dimensions instead of increasing key size.
• Three key facets of our protocol: vector factorization, vector mapping, and finding the shortest vector within an n-dimensional lattice.
• The proposed protocol uses the shortest vector problem and vector mapping as its security assumptions.
• A comparison with state-of-the-art algorithms and a security verification of lattice-based RSA (LB-RSA) using the AVISPA tool.
Initially, this research work implemented the proposed protocol for n = 60 dimensions, but to make the protocol resilient against quantum computers we realized we needed to work in higher dimensions, i.e., 100 × 100. Owing to this fact, we have used matrices for calculating in higher dimensions. The proposed scheme motivates researchers to use the lattice concept, i.e., to increase security by increasing key dimensions, rather than increasing the key length as in post-quantum RSA [12]. However, the proposed protocol generates a 60-dimensional key for all types of messages; therefore, this scheme is suitable for long messages.
The rest of the paper is organized as follows. In Section II, we review the existing literature, while Section III covers preliminaries. In Section IV, we define the methodology along with our newly proposed algorithms. In Section V, a discussion of the proposed protocol is given. The security proof is covered in Section V-B. Sections V-C and V-D cover the security analysis and experimental statistics of the proposed technique, respectively. Section VI presents the comparison and contrast with pre-quantum and post-quantum RSA. Finally, Section VII provides the conclusion.

II. LITERATURE REVIEW
In the last 30 years, the most widely deployed asymmetric algorithm providing communication security over a network, as discussed above, has been RSA. Its hardness lies in the integer factorization problem and it is considered the most secure algorithm against classical computers [15].
A plethora of research work exists in this domain. In [19], [20] RSA-based security systems are discussed, while [22] surveys three variants designed to speed up RSA decryption. Conventional RSA is believed to be hard for a classical computer to solve [23], but it is not quantum-safe because it cannot adapt to quantum attacks by enhancing the length of the key to beat the growth of quantum computing.

A. QUANTUM CRYPTOGRAPHY
Quantum computers and quantum cryptography have been extensively discussed in the literature [26], [42]. Quantum cryptography devices and methods for communication between two stations, and the delivery of quantum keys in single photons, are discussed in [28]-[30]. Similarly, David et al. [31] discussed a Quantum Key Distribution (QKD) protocol for a number of users through a switch. Xu et al. [32] suggested that, for secure communication, quantum-safe encryption can be achieved using Post-Quantum Cryptography and Quantum Cryptography. In another study [33], the authors discussed the state-of-the-art advances in Quantum Cryptography, both theoretically and experimentally.
Here we discuss, in general, the schemes whose security lies in the hardness of lattice problems and how they become resilient to quantum attacks. The purpose of discussing such practical schemes is to bring focus to the new theories of post-quantum cryptography.

B. LATTICES BASED CRYPTOGRAPHY
Lattice-based cryptography has appeared as a better substitute for existing public-key cryptography because of its quantum resilience, low key sizes, and versatility. Hamid et al. [34] have well documented the trends in lattice-based cryptography, the state-of-the-art applications of lattice adoption in computer security, and the implementation challenges in software and hardware.

1) NTRU
Later, in 1995, Joe Silverman devised a scheme called NTRU, which was more efficient than the RSA and Diffie-Hellman protocols. This scheme was based on cyclic lattices, which were generated by vectors that could rotate in any direction and still land on a lattice point. By 2011, Stehle and Steinfeld had proposed SS-NTRU, a variant of the NTRU encryption scheme, which reduced the problem to ideal lattices, closely related to cyclic lattices. These NTRU schemes outperform classical cryptography in terms of performance; however, they have larger key sizes.

2) FULLY HOMOMORPHIC ENCRYPTION (FHE)
In 1997, IBM researcher Cynthia Dwork introduced the first lattice-based scheme, which is secure as long as worst-case Learning With Errors (LWE) instances remain computationally hard to solve. The major difference between classical and present-day encryption schemes is that we do not transform our message; instead, noise is added to it. LWE security is based on the hardness of the Shortest Vector Problem (SVP); breaking it would require an efficient quantum algorithm for finding the shortest vector. To hide our message with the error and to avoid computational growth of the error, we keep our error/message combination small. This is helpful in decryption in that if the norm is too high one can find a false point in the lattice and produce the wrong message. Gentry's Somewhat Homomorphic Encryption (SHE) scheme, which has been improved into an FHE scheme through bootstrapping, is based on this concept [35]. Nowadays, FHE is adopted for various applications, especially for cloud security, as a powerful cryptosystem that can carry out computation on encrypted data [36]-[38].

3) RING-LWE
Cryptosystems such as Ring Learning With Errors (Ring-LWE) are also used in practice to boost efficiency; however, there exists an efficiency-security trade-off, because LWE is more versatile and secure than NTRU but not efficient enough. Finding the shortest non-zero vector (SVP) is the core problem in all lattice problems, and contrary to the factorization and discrete logarithm problems, no quantum algorithm exists to solve it. Hence, it is NP-hard [39].
Motivated by these concepts, in this paper we have proposed a scheme for modifying the conventional integer-based RSA into an LB-RSA, thus helping to cope with the future standards of quantum computing and providing a quantum-safe public-key cryptosystem. The ''Lattice-based RSA'' public-key cryptosystem could be considered a strong encryption-algorithm replacement for integer-based RSA.

III. PRELIMINARIES
In this section, different terminologies and definitions related to lattices and prime vectors are discussed. These terminologies are used in later sections of this paper. This section will be quite helpful for the reader to understand the proposed LB-RSA scheme.

A. VECTOR SPACE
A vector space is a set of vectors for which two operations, + and ×, are defined as vector addition and vector multiplication, respectively. In vector multiplication, the resultant vector C is known as the cross product or vector product of the two vectors A and B. The vector product C has magnitude equal to the product of the vectors' magnitudes times the sine of the included angle, as in Equation 2.
Besides this, the scalar product, another multiplication result of two vectors, can be determined by taking one vector's component in the direction of the other; here the result C is a scalar.
In the proposed scheme we have taken two primitive vectors $V_1$ and $V_2$, where $V_1 = v_1$ and $V_2 = sv_1$. These vectors are used to construct the product vector N, where $N = n_0$. Vectors are quantities described by both magnitude and direction, so $V_1$, $V_2$ and N each have a magnitude as well as a direction. In the XY-plane we have a maximum angle of θ = 180°. If $V_1$ has angle $\theta_1$ and the maximum angle is θ, then $V_2$ has angle $\theta_2$, which is computed from θ and $\theta_1$.

B. SINGULAR VALUE DECOMPOSITION
The product of two vectors is either a scalar or a vector. If we calculate the norm of a vector, we get a scalar value. This value is helpful in finding the pub key and pri key. The calculated norm value can be used again to find the actual vector; however, a single norm can be mapped to different vectors. For instance, let us first calculate the norm of a vector, which we denote by ||u||. The norm of a two-dimensional vector, and hence the norms of $V_1$ and $V_2$, are computed from the vectors' components.
where Bx is the usual matrix-vector multiplication [49].
An input to SVP is a lattice B, and the goal is to find a lattice vector of length precisely λ(B) [44].

E. PRIMITIVE VECTORS
An n-tuple $[x_1, \ldots, x_n] \in \mathbb{Z}^n$ is called primitive iff its coordinates are relatively prime as an n-tuple [45]; e.g., [8, 12, 17] is a primitive vector in $\mathbb{Z}^3$: its coordinates are relatively prime as a triple but not pairwise relatively prime.

F. ONE-WAY FUNCTION
One-way functions are simple to compute, but their inverses are hard to compute. Hence, given data x it is simple to calculate f(x), while knowing only the value of f(x) it is quite hard to find the value of x.

IV. PROPOSED LB-RSA
The proposed LB-RSA algorithm has four subsystems: key generation, encryption, decryption, and digital signing and verification. Table 1 shows the symbols used in the protocol.

A. KEY-GENERATION
The key-generation subsystem takes three distinct primitive vectors from an n-dimensional lattice as input and generates the pub key and pri key as output. The flowchart of LB-RSA key generation is shown in Fig 1. The steps included in key generation are given below:
• Pass these three n-dimensional vectors, where n = 60, to the Gauss Sieve (GS) algorithm, which returns a shortest vector SV, i.e., sv1 = (x, ..., x_{n-1}); finding it is itself an NP-hard problem, and the GS algorithm can solve SVP up to 128 dimensions.
• Compute n0 by performing the vector cross product of v1 and sv1.
• Using angle θ, convert y into the vector c1 ← n1^T.
• c1 has 60×60 dimensions and is our private key d.
• Compute e such that (µ)µ^{-1} = I, where µ = d·κ, κ is the large random prime scalar value returned by the maxPrime() function, and I is the identity matrix.
• Take a message m, convert it into n-dimensional space and take the cross product e × m to get m', where m' is the encrypted message.

B. ENCRYPTION & DECRYPTION
To perform encryption, take a message m ∈ Z^n and convert it into an m × n matrix to obtain the ciphertext m', as shown in Alg 2.
If the message is long, split it up and encrypt the parts separately. Let e, d, κ be the vector points ∈ Z^n, with e as the encryption key and (d, κ) as the decryption key, where n = v1 × sv1. Although n0 is public, it will not reveal v1 and sv1, since the SVP is the basis of security for this potentially post-quantum lattice-based RSA cryptosystem. We offer our lattice-based sequence for creating a challenge that is able to assist in determining the appropriate sv1 as the SVP instance for the scheme. Hence, factoring n0 is NP-hard, which assures that d is practically impossible to derive from e. For decryption of C_m, use the equation m = (κ · m') × d in Alg 3.

C. GAUSS SIEVE ALGORITHM
In the proposed protocol, we have used a parallel Gauss Sieve algorithm [24] to find the shortest vector. It was implemented as the gsieve library by Voulgaris; we use it to find the shortest vector sv1 by passing it the sample vectors v1, v2 and v3. We used GS as it gives more efficient results than other approaches [24]. In the GS (extension) implementation, the authors solved the SVP Challenge over a 128-dimensional lattice, which is currently the highest dimension ever solved.
The Gauss Sieve algorithm maintains a list L of lattice vectors along with a reduction algorithm that outputs a shorter vector from two input vectors. The GS algorithm runs a subroutine, Gauss Reduce, which updates v, L and S. The number of collisions with the zero vector (a = 0) determines the GS algorithm's termination condition. The variable K in Alg 4 is the total number of collisions; when K exceeds the threshold α|L| + β, the GS algorithm terminates. In the gsieve library, α = 1/10 and β = 200 are chosen as the threshold values. The theoretical upper bound of the GS algorithm's complexity has not been proved yet; rather, it outperforms its counterparts in terms of speed.
The key aspect of using this algorithm is that it does not use perturbation; therefore, its space complexity is reduced, and it works with lattice points only. Like List Sieve, it builds a list of lattice vectors that are shorter; on the addition of a new vector v to the list, the Gauss Sieve reduces the norm of v using the list vectors. Moreover, it also reduces the length of those list vectors using the vector v that is already in the list, replacing whichever of v, u has the larger length with the shorter v ± u. Hence, the list L always contains pairwise-reduced vectors.
We made a few changes in GS to use it with our proposed scheme. Alg 4 is the main algorithm of the Gauss Sieve, and Alg 5 and Alg 6 are its subroutines.

Algorithm 1 Key Generation Algorithm
 1: procedure KEYGEN
 2:   Convert x into n1
 9:   c1 ← n1^T
10:   then K_pri formed is,
11:   d = [c1], a column vector having 60 dimensions
12:   Call maxPrime() function to choose κ
13:   Perform scalar matrix multiplication κ · d
14:   Compute e such that (µ)µ^{-1} = I
15:   K_pub ← (e)
16:   K_pri ← (d, κ)
17: end procedure

Algorithm 2 Ciphertext Generation Algorithm
 1: procedure CIPHERTEXT_GEN
 2:   Input: m ∈ Z_n
 3:   where Z_n is the set of integers from 1 to n − 1
 5:   Call Algorithm 1 to obtain e
 6:   Compute m' ← m × e
 7: end procedure

Algorithm 4 Gauss Sieve
      pop from stack S to v
 8:   else
 9:     (v', L, S) ← Gauss-Reduce(v, L, S)
10:   if v' = 0 then
11:     K ← K + 1
12:   else
13:     L ← L ∪ {v'}
14:   return a shortest vector in L
15: end procedure

Algorithm 5 Gauss Reduce
      reduce_flag ← true
 5:   while reduce_flag = true do
 6:     reduce_flag ← false
 7:     for l ∈ L
 8:       v' ← Reduce(v, l)
 9:       if v' ≠ v then
10:         reduce_flag ← true
11:         v ← v'
12:   while l ∈ L do
13:     l' ← Reduce(l, v)
14:     if l' ≠ l then
15:       S

D. DIGITAL SIGNING AND VERIFICATION
For digital signing and verification, we have taken only 3 dimensions. This is due to a limitation of the hash function: for instance, if the hash function returns 64 bits, one needs $2^{64}$ objects on which that hash function can be called, else it will not be collision-free. Hence, we are not considering higher dimensions for digital signing, but we will extend it in future work. We take a file of arbitrary length and compress it into a short string. We used the cryptographic hash function BLAKE2b, which is optimized for 64-bit platforms and generates digests of any size from 1 to 64 bytes. In such a way one cannot find n messages that hash to the same value, so signing the hash value is as good as signing the original message content, without limitation of length. Before generating the digest, we pad our message so that we can split it up into multiples of η, where η depends on the number of dimensions n in which we are working; for 3 dimensions our η is 9. Let Alice be the sender; she performs the following steps to sign the message:
• Generate a message digest of the data to be sent using the cryptographic hash function BLAKE2b.
• Send this signature to the recipient Bob.

Signature generation (algorithm fragment)
      where Z_n is the set of integers from 1 to n − 1
 5:   Call Algorithm 1 to obtain K_pri
 6:   Compute S_e = (S × κ) × d
 7: end procedure

For signature verification, Bob performs the following steps:
• Using Alice's K_pub = (e), he computes σ = S_e × e.
• Compute independently the message digest H of the data that has been signed.
• Compute the expected representative σ' by encoding the expected message digest H.
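As an added illustration of the algebra in Alg 1-3 and of the signing and verification steps above (not the paper's library), the following Python code runs the scheme in n = 3 dimensions with exact rational arithmetic. The private matrix d, the prime κ, the sample message and the zero-byte padding are assumptions standing in for the sieve-derived c1, the output of maxPrime() and the paper's unstated padding; the n × n products are taken as ordinary matrix products.

```python
"""Toy LB-RSA in n = 3 dimensions: Alg 1 key generation, Alg 2 encryption, Alg 3 decryption,
and the BLAKE2b-based signing/verification steps, with exact rational arithmetic.

Added illustration; this is not the paper's library. Assumptions: the private matrix d is a fixed
invertible 3x3 integer matrix standing in for the sieve-derived c1; kappa is a fixed prime standing
in for the output of maxPrime(); "x" between n x n matrices is the ordinary matrix product; padding
is with zero bytes (the paper only says the message is padded to a multiple of eta).
"""
import hashlib
from fractions import Fraction

N = 3          # dimension used for signing in the paper
ETA = N * N    # bytes per block: eta = 9 for 3 dimensions


def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def mat_scale(A, s):
    return [[s * x for x in row] for row in A]


def identity(n):
    return [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]


def mat_inv(A):
    """Gauss-Jordan inverse over Fractions; raises ValueError if A is singular."""
    n = len(A)
    M = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] != 0), None)
        if piv is None:
            raise ValueError("singular matrix")
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [x / p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


def keygen(d, kappa):
    """Alg 1, lines 12-16: mu = kappa * d, e such that mu * mu^-1 = I; K_pub = e, K_pri = (d, kappa)."""
    mu = mat_scale(d, kappa)
    e = mat_inv(mu)
    assert mat_mul(mu, e) == identity(len(d))
    return e, (d, kappa)


def to_blocks(data):
    """Pad with zero bytes to a multiple of ETA and cut into N x N integer matrices."""
    data = data + b"\x00" * (-len(data) % ETA)
    return [[[data[b + N * i + j] for j in range(N)] for i in range(N)]
            for b in range(0, len(data), ETA)]


def from_blocks(blocks):
    """Inverse of to_blocks; trailing zero padding is kept, the caller knows the real length."""
    return bytes(int(x) for m in blocks for row in m for x in row)


def encrypt(blocks, e):
    """Alg 2: m' = m x e, block by block."""
    return [mat_mul(m, e) for m in blocks]


def decrypt(cblocks, priv):
    """Alg 3: m = (kappa * m') x d, block by block."""
    d, kappa = priv
    return [mat_mul(mat_scale(c, kappa), d) for c in cblocks]


def digest_block(data):
    """BLAKE2b with a 9-byte digest, encoded as one N x N block (the 'representative' of H)."""
    return to_blocks(hashlib.blake2b(data, digest_size=ETA).digest())[0]


def sign(data, priv):
    """Alice: S = digest block, S_e = (S x kappa) x d."""
    d, kappa = priv
    return mat_mul(mat_scale(digest_block(data), kappa), d)


def verify(data, S_e, e):
    """Bob: sigma = S_e x e, compared with the representative of the recomputed digest H."""
    return mat_mul(S_e, e) == digest_block(data)


# Constructed sample key (not from the paper): D has determinant 8, so it is invertible.
D = [[2, 1, 0], [1, 3, 1], [0, 1, 2]]
KAPPA = 1009

if __name__ == "__main__":
    e, priv = keygen(D, KAPPA)
    msg = b"lattice-based RSA round trip"
    ct = encrypt(to_blocks(msg), e)
    print(from_blocks(decrypt(ct, priv)).rstrip(b"\x00") == msg)   # True
    sig = sign(msg, priv)
    print(verify(msg, sig, e), verify(msg + b"!", sig, e))         # True False
```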

V. DISCUSSION, SECURITY PROOF AND SIMULATION RESULTS
This section first presents a detailed discussion about the proposed lattice-based RSA protocol for secure communication and then it uncovers security proof and security verification using AVISPA. In the end, we present a simulation setting and results along with comparative analysis.

A. DISCUSSION ABOUT LB-RSA
We are about to enter the information era, where secure information transmission over the internet is a major concern. Cryptographic protocols are used for this purpose. The existing in-practice cryptographic primitives are either symmetric or asymmetric.
Symmetric primitives have a much smaller key size than the message size and achieve reasonable security in practice, but not perfect security. Besides, some symmetric primitives whose key size is as long as the message size, for one-time usage, achieve perfect security. However, the one-time usability of such schemes' long keys puts a question over their applicability. Asymmetric cryptographic primitives, by contrast, have public and private keys.
Public-key cryptography primitives are widely deployed in most protocols, like SSH, OpenPGP, etc., as they achieve confidentiality as well as the digital signing function. The hardness of these security primitives lies in integer factorization and discrete logarithm problems, etc. [53]. Such security primitives would become impotent with the advent of quantum computing [16]. Quantum computers using Shor's and Grover's algorithms would break these algorithms within polynomial time [4], [18]. This serious issue has drawn researchers' attention to finding a protocol resistant to quantum computers.
Hence, in the proposed cryptographic protocol we have used a lattice-based encryption scheme. It is one of the candidates considered secure against quantum computers, offering strong security proofs, simplicity, and efficient implementation. In lattice-based cryptography, one of the presumed hard problems is the shortest vector problem (SVP), and in the literature various algorithms have been proposed to combat this problem. So, one of the security perspectives of our proposed protocol is the hardness of SVP, as there is no known polynomial-time algorithm that can solve the exact SVP. The hardness of SVP is discussed in Section V-B3.

B. SECURITY PROOF
More importantly, different vectors lead to the same norm value, so the exact components of a vector cannot be calculated from it. However, in our proposed scheme we have taken the vectors from a lattice, where each vector holds a specific location. So the vectors $V_1$ and $V_2$ are different: they are assigned different locations in the lattice. The norm of a vector is unique for each specific position; it means that for each norm there is a unique position, and from this norm we can return to a specific location. In the above two vectors $V_1$ and $V_2$, both have the same norm value, so if we want to find the components of the vectors given this norm value, we cannot find the exact vector. Hence, for the proposed scheme we use the concept of vector location.
Given the same norm value for different vectors, we can only locate the exact vector because of the vectors' location. For any two vectors $V_1$ and $V_2$ having norm value γ, the decryption of the whole process is only possible when the norm value locates the exact vector. If γ returns to $V_1$ (the exact location for γ), $\gamma \rightarrow V_1$, the decryption process returns the exact message m. If γ returns to some other vector, $\gamma \rightarrow (V_2, V_3, \ldots, V_n)$, then the decryption process will return some garbled value instead of m.
Given a set of vectors $V = \{V_1, V_2, V_3, \ldots, V_n\}$, finding the exact vector in V for a given norm value depends on the number of vectors having the same norm value. Let us suppose we have two vectors $V_1$ and $V_2$ whose norm value is the same, γ. The probability (Pb) of finding the exact vector for a given norm value is at most 1, the maximum probability. The probability of each vector having the same norm value is equal. Since the maximum probability is 1 and there are only two vectors, the probability of each vector is 0.5:
$Pb(V_1) = 0.5$ (6)
$Pb(V_2) = 0.5$
In the case of two vectors, the probability of each vector for a given norm value is one half, and we are not able to locate the exact vector for the given norm value. If we have multiple vectors having the same norm value, then the probability of each vector is further reduced to 1/4. As a result, for a given norm value, the location of the exact vector depends on the number of vectors having the same norm value.

1) INVERSE OPERATOR
Not for all operators does the inverse exist. To check whether it exists for an operator, two conditions need to be checked. $\tau: X \rightarrow Y$ is called a one-to-one mapping of X into Y if and only if, for $x_1, x_2 \in X$, $x_1 \neq x_2 \implies \tau(x_1) \neq \tau(x_2)$; that is, τ is one-to-one if the inverse image of any point $y \in Y$ is at most a single point of X. $\tau: X \rightarrow Y$ is called an onto mapping if every element of Y is the image of at least one element of X. If $\tau: X \rightarrow Y$ is one-to-one and onto, then an inverse exists for τ, denoted by $\tau^{-1}$. If a linear operator $A: X \rightarrow Y$ (for vector spaces X and Y) has an inverse, then that inverse $A^{-1}$ is also linear. Suppose $Ax_1 = y_1$ and $Ax_2 = y_2$; then, by linearity of A, we have $A(\alpha x_1 + x_2) = \alpha Ax_1 + Ax_2 = \alpha y_1 + y_2$; therefore, $A^{-1}(\alpha y_1 + y_2) = A^{-1}(\alpha Ax_1 + Ax_2) = \alpha x_1 + x_2 = \alpha A^{-1} y_1 + A^{-1} y_2$.

3) SVP-HARDNESS
There is no known polynomial-time algorithm to solve the exact SVP, as it is an NP-hard problem [49]. The LLL algorithm was the first available algorithm for solving the SVP, with a running time of $2^{O(n^2)}$. One of the latest algorithms for solving the exact SVP is Discrete Gaussian Sampling, which requires $2^n$ time [51].

4) VECTOR LOCATION
Similarly, RSA is one of the public-key encryption schemes considered secure against classical computers. Its hardness lies in integer factorization. However, Shor's algorithm can break these cryptographic techniques within polynomial time. In our scheme we have discussed the concept of vector factorization and vector location within lattices. Factorizing the vector into the same two vectors is one of the difficult problems in lattices, as discussed in ''Singular Value Decomposition''. Vector location is used to solve the problem of vector factorization in lattices. If the same vectors are generated from the resultant vector, then it can lead to a possible solution; otherwise a garbled value is generated, and decryption to the original message is not possible.

C. SECURITY VERIFICATION USING AVISPA
AVISPA (Automated Validation of Internet Security Protocols and Applications) is an extensive tool designed and used for the automatic falsification of security protocols. Protocol falsification refers to the detection of security attacks against the protocol under test, unlike protocol verification, where the correctness of the protocol is the main concern. One of the four back-ends of AVISPA executes the low-level intermediate code to find security vulnerabilities in the protocol. Due to its modular approach, AVISPA is a robust tool. A variety of automated falsification tools for security protocols exists, but most of them, unfortunately, do not perform well for relatively large-scale security protocols. AVISPA, by contrast, has a huge library of specification collections for security protocols and is able to specify large-scale security protocols.
AVISPA provides four back-ends: OFMC, CL-AtSe, SATMC, and TA4SP. OFMC refers to the 'On-the-Fly Model Checker'. It considers both typed and untyped protocol models, and provides on-the-fly falsification of protocols as well as bounded verification. The modeling language used in AVISPA is known as HLPSL; it is used to specify the security properties of the protocols. It is a role-based language in which all participants are represented by roles.
In our case, we define two roles, Alice and Bob. Our intruder model is based on two critical aspects: perfect encryption and the network (intruder). For this reason, we have formulated two hypotheses:
H1: Perfect encryption guarantees that an intruder can decrypt m with k only if it has the inverse of that key.
H2: The intruder has complete control over the communication channel between participants, i.e., it can modify or block any message passing over the network.
We have checked our LB-RSA protocol against the OFMC model. The protocol and intruder simulation results show that our protocol is ''SAFE'' against active and passive attacks, including replay and man-in-the-middle attacks, as shown in Fig 3 and Fig 4. Due to space limitations, we opted not to add the details, but the LB-RSA.hlpsl code is available on demand.

D. SIMULATION SETTING
Initially, we implemented a library based on 60-dimensional lattices. In this approach we first divide the file into chunks, i.e., 60 × 60 matrices. Each chunk is then encrypted. The above process of encryption and decryption is run multiple times, according to the number of chunks. Preliminary results have been drawn for encryption and digital signing. Our key size is roughly 115200 bits, and the key-generation time is 0.8 hours (number of threads = 32).
The computations were carried out on a system running Ubuntu 18.04.3 LTS (Intel Core i5-8250U, 8GB DDR4 RAM, 256GB SSD). We implemented our library in Python 3.6 with the Komodo Edit 11 IDE; the code requires fpylll for the shortest vector computation. Ideally, it should be set up within a Python virtual environment, so we install virtualenv and the prerequisite packages (see https://github.com/Iqramustafa293/RSA).

VI. RESULTS AND COMPARISON WITH PRE-QUANTUM AND POST-QUANTUM RSA
With the advent of smart everything and information era, the information appeared as an eminent asset for any organization that needs to be secured through information security measures, i.e., encryption. Up till now, data encrypted under existing schemes were supposed to be secure when transacted across networks. However, with the advent of the latest research in the field of quantum computing, several severe threats have emerged to this supposition. To combat this issue, cryptography researchers toiled to propound ideas of upgrading from simple integer-based methods to lattice-based complex mathematics.
Here we discuss our protocol for 60-dimensional space. Notably, in our proposed scheme, without increasing the key-size ranging from millions of bytes-terabytes, we are able enough to achieve the same level of security that makes our scheme quantum-safe. The proposed scheme is relatively simple, efficient, and scalable, also it is provably secure under worst-case hardness assumption.
• Like pre-quantum RSA, the security of the post-quantum RSA designed by Bernstein et al. [12] is based on integer factorization, whereas in lattice-based RSA we use the concept of vector factorization.
• We generate a lattice basis and pick random vectors from it to generate K_pub and K_pri, so it is practically impossible for someone to guess the generated lattice basis.
• In LB-RSA we replace the product of two large prime integers with the cross-product of two n-dimensional vectors. The product of two numbers is commutative, while the cross-product is non-commutative. This means that we can compute the cross-product of two vectors but cannot split the result back into two independent vectors.
• In post-quantum RSA the authors generated a 1-terabyte exponent-3 RSA key consisting of 4096-bit primes; moreover, each encryption or decryption costs about $1 of processor time, which one would not accept in lightweight cryptography. The key size of LB-RSA, by contrast, is 14.4 KB, which places it within lightweight cryptography and makes it suitable for low-cost scenarios.
• In our protocol it is easy to compute N but practically impossible to factorize N into two independent n-dimensional vectors. The probability of guessing each dimension of a vector is $P_b(a_{ij}) = 1/n$, where $n$ depends on the number of vectors $\vec{n}$ lying in the space, as both vectors $v_1$ and $v_2$ are perpendicular to the resulting $\vec{n}$.
• In vector mapping, we have discussed the exact angle at which a vector is mapped; we keep track of its real, predefined angle, i.e., the encrypted value is decrypted only when this normed value is factorized into the exact vector dimensions, which is difficult for a system to break down.
• The key transmission rate and cost of LB-RSA are lower than those of post-quantum RSA. A drawback of post-quantum RSA is its computational, storage, and communication cost, which makes it highly complex for the encryption of large contents. Our proposed scheme, by contrast, is simpler and more efficient.
• Matrix factorization is different from integer factorization, so anyone able to break the public key must factorize the matrix to guess the security parameter κ. Shor's algorithm is used for integer factorization but does not work for matrix factorization.
• The LB-RSA function is indeed a one-way function and is quantum-resistant as well, with a quadratic attack cost, because of its high dimensions and the Singular Value Decomposition of vectors (Section III-B).
• LB-RSA qualifies as secure under the classic security definition requiring asymptotic security against polynomial-time adversaries, but this is achieved only when we increase its dimensions, i.e., up to n, where n represents a larger dimension, providing ultimate security as quantum computing becomes a reality. So, the current scheme opens a path where we do not need to increase the key lengths to make the algorithms quantum-safe. By changing the security assumptions, we can bring drastic changes to the field of public-key cryptography.
The efficiency of the newly developed LB-RSA has been tested against [21] and [52] for different file sizes. Notably, the key size of LB-RSA is constant for both encryption and decryption. Figs. 5 and 6 show that the encryption and decryption speed of LB-RSA is highly optimized compared to [21], whereas the LB-RSA vs. NTRU encryption and decryption times (ms) for different file sizes are illustrated in Figs. 7 and 8. The experimental analysis shows that LB-RSA is efficient compared to NTRU.
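The bullets above on commutativity and on splitting N back into its two factors can be illustrated in ordinary three-dimensional space, where the cross product is defined. The following is an added example written for this discussion, not code from the paper or from the LB-RSA library; it assumes plain 3-D integer vectors (the paper's 60-dimensional construction is not reproduced here) and uses constructed sample vectors. It checks that the result N is perpendicular to both factors, that v1 × v2 = -(v2 × v1), and that the map (v1, v2) → N is many-to-one, so N alone does not identify the original pair.

```python
"""Cross-product step of the LB-RSA discussion, illustrated in 3 dimensions.

Added example, not the paper's code. Vectors are constructed sample input.
"""
from typing import List, Tuple

Vec = Tuple[int, int, int]


def cross(v1: Vec, v2: Vec) -> Vec:
    """Ordinary 3-D cross product; the result is perpendicular to both inputs."""
    a1, a2, a3 = v1
    b1, b2, b3 = v2
    return (a2 * b3 - a3 * b2, a3 * b1 - a1 * b3, a1 * b2 - a2 * b1)


def dot(u: Vec, v: Vec) -> int:
    """Standard dot product; zero means the two vectors are perpendicular."""
    return sum(x * y for x, y in zip(u, v))


def is_perpendicular_to_both(v1: Vec, v2: Vec) -> bool:
    """The property the paper relies on: N = v1 x v2 is orthogonal to v1 and v2."""
    n = cross(v1, v2)
    return dot(n, v1) == 0 and dot(n, v2) == 0


def is_anticommutative(v1: Vec, v2: Vec) -> bool:
    """v1 x v2 == -(v2 x v1): swapping the factors flips the sign of N."""
    return cross(v1, v2) == tuple(-c for c in cross(v2, v1))


def alternative_factorisations(v1: Vec, v2: Vec, count: int) -> List[Tuple[Vec, Vec]]:
    """Return `count` distinct pairs (v1', v2) whose cross product equals v1 x v2.

    Adding any integer multiple t of v2 to v1 leaves the cross product unchanged
    because v2 x v2 = 0, so (v1, v2) -> N is many-to-one: knowing N alone does
    not recover the pair that produced it.
    """
    n = cross(v1, v2)
    pairs: List[Tuple[Vec, Vec]] = []
    for t in range(1, count + 1):
        v1_alt = tuple(a + t * b for a, b in zip(v1, v2))
        assert cross(v1_alt, v2) == n  # same N, different first factor
        pairs.append((v1_alt, v2))
    return pairs


if __name__ == "__main__":
    # Constructed sample vectors (not values from the paper).
    v1, v2 = (1, 2, 3), (4, 5, 6)
    print("N =", cross(v1, v2))
    print("perpendicular:", is_perpendicular_to_both(v1, v2))
    print("anticommutative:", is_anticommutative(v1, v2))
    for alt in alternative_factorisations(v1, v2, 3):
        print("same N from", alt)
```

Running the script prints N = (-3, 6, -3) for the sample pair and three further pairs, (5, 7, 9), (9, 12, 15) and (13, 17, 21) each with (4, 5, 6), that produce the same N; the same construction applies to any pair of non-parallel vectors.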
The proposed LB-RSA key-generation algorithm runs in exponential time $2^{O(n)}$ and space $2^{O(n)}$ for n-dimensional lattices, which means that the time complexity of LB-RSA increases with the number of dimensions. However, a constraint of the proposed protocol is its constant key size, i.e., 60 dimensions, for all types of messages. Therefore, this scheme is best suited to long messages.

VII. CONCLUSION
In this paper, we have presented a novel approach for secure communications by introducing a variant of pre-quantum RSA called lattice-based RSA. The LB-RSA public-key cryptosystem can be considered a strong encryption algorithm that replaces pre-quantum RSA for IoT-based cloud applications. It is one of the candidates considered secure against quantum computers. The reasons for choosing the lattice-based encryption scheme are: the provision of a strong security proof for IoT data transmission, simple and efficient implementation for all scenarios, scalability, and efficiency regarding time complexity. Moreover, several security issues that could potentially damage the security of integer-based RSA, such as timing attacks and problems with key distribution, are now covered by LB-RSA.
The comparison of LB-RSA with recent counterparts based on encryption, decryption, key generation time, and total execution time shows that LB-RSA outperforms them in terms of operational efficiency and security. Initially, we implemented a library in 60 dimensions for encryption, but for the digital signature we were confined to 3 dimensions only. In the future, we will work on cryptanalysis of digital signing for higher dimensions, e.g., up to 60 × 60.

SYED MUHAMMAD MOHSIN is currently pursuing the Ph.D. degree with COMSATS University Islamabad, Pakistan. His research work appears in impact factor international journals and high ranked national/international conferences. His areas of interest include cyber security, the Internet of Things, edge computing, energy management, and quantum computing. He is also working as a Teaching Assistant with Lancaster University. He has authored more than 15 articles in technical journals and international conferences. He also serves as a regular reviewer for numerous ISI indexed journals. Additionally, he holds the best paper award certificate of an international conference, namely EIDWT 2019. He is passionate about Smart Grid, Routing in Underwater Wireless Sensor Networks, the Internet of Things-enabled WSNs, Blockchain-based Systems, Data Science-based WSNs, and the Internet of Things enabled Underwater Sensor Networks.

MUHAMMAD BILAL QURESHI is currently working as an Assistant Professor with SZABIST, Islamabad, Pakistan. He has worked with the HPC lab of KAU, Saudi Arabia, on many funded projects. He is also working on the 2030 Vision project with IAU, KSA. He is the author of many research publications in SCI-E journals, including IEEE ACCESS, the Journal of Grid Computing, Parallel Computing, the Journal of Parallel and Distributed Computing, and Sustainable Cities and Society. His research interests include data-intensive real-time systems, resource allocation problems in HPC systems, and energy-efficient IoT. Dr. Qureshi was a recipient of many prestigious awards, including a Gold Medal in his undergraduate degree, the Higher Education Commission Pakistan Indigenous Scholarship for M.S. and Ph.D. studies, and research productivity awards in 2014 and 2015.