Identity-based encryption is an important cryptographic system that is employed to ensure confidentiality of a message in communication. This article presents a provably secure identity based encryption based on post quantum security assumption. The security of the proposed encryption is based on the hard problem, namely Learning with Errors on integer lattices. This construction is anonymous and produces pseudo random ciphers. Both public-key size and ciphertext-size have been reduced in the proposed encryption as compared to those for other relevant schemes without compromising the security. Next, we incorporate the constructed identity based encryption (IBE) for Internet of Things (IoT) applications, where the IoT smart devices send securely the sensing data to their nearby gateway nodes(s) with the help of IBE and the gateway node(s) secure aggregate the data from the smart devices by decrypting the messages using the proposed IBE decryption. Later, the gateway nodes will securely send the aggregated data to the cloud server(s) and the Big data analytics is performed on the authenticated data using the Artificial Intelligence (AI)/Machine Learning (ML) algorithms for accurate and better predictions.

1. Introduction

According to [1], it is projected by 2027 the market of Internet of Things (IoT) industry will grow by $2 trillion annually, which has already a market of $520 billion in 2022. In the connected world, the IoT makes an environment where various smart devices are interconnected with each other. The advancement of information and communications technology (ICT) makes the IoT technologies and their solutions rich that have great impact to the society for improving the human life advanced and easy. There are enormous applications of IoT, such as Industrial IoT (IIoT), smart cities, healthcare monitoring, smart home, and so on. In an IIoT, various IoT smart devices are connected in an industry to collect manufacturing data in order to predict the failure rates to increase productivity and efficiency [2]. In healthcare application, various smart devices like smartwatches and medical sensors are connected in the body of a patient to collect vital information and provide appropriate health condition of that person. Furthermore, in recent days, smart home application is in limelight where the smart devices like smart locks and home appliances are connected with each other via the internet and they can be also controlled via the mobile devices. Though IoT has transformed the human life easier, there are various serious threats associated with IoT applications. For instance, it was found by HP that 70% of the devices connected IoT devices are vulnerable to various attacks [3].

In IoT applications, the smart devices exchange the sensitive data among each other and also with various other entities. In such a scenario, an unauthorized user or an attacker may take the advantage to compromise the data by eavesdropping, modifying, updating and deleting the information during the communication [4]. According to broadcom [5] in the year 2017, it was found that there was an approximately 600% hike in attacks against IoT devices in various applications. Therefore, there is a great need to design a secure IoT system to protect the data from the attackers [6].

Once the sensing information from the deployed smart devices in an IoT environment is aggregated by the nearby gateway node or access point, the gathered data needs to be also stored in semi-trusted cloud servers. Now, the stored data at the cloud is huge in volume and it needs data analytics. As a result, it is preferable to used some Big data analytics using traditional Artificial Intelligence (AI)/Machine Learning (ML) algorithms for accurate and better predictions [7, 8].

Ahanger et al. [9] provided various Machine Learning (ML) and Deep Learning (DL) based mechanisms for IoT paradigm. They also provided a taxonomy based on several IoT vulnerabilities, respective attackers and effects, as well as various threats. Iwendi et al. [10] pointed out the important of deep learning (DL) for detecting attacks in IoT paradigm. They suggested DL based mechanism to detect cyber-attacks on IoT using a long short term networks classifier.

Omolara et al. [11] gave an IoT concept and then provided the deep insights into possible solutions to the IoT security challenges due to the heterogeneous nature of IoT, and the respective emerging issues, opportunities, gaps as well as recommendations. Mukhopadhyay et al. [12] pointed out that IoT sensors need to be reliable, safety as well as privacy-aware for the users interacting with them. Thus, they discussed that IoT sensors having advanced AI capabilities will have the potential for identifying, detecting, and avoiding performance degradation as well as discovering new patterns.

Public-key cryptosystem works under a pair of keys (public key and private key), whereas the public key is made public that is accessible by everyone during communication, and the private key is kept secret and only known to the owner (sender/signer). The notion of the “Identity-Based Encryption (IBE)” due to Shamir [13], solves the certificate management problem. The existing Shor’s algorithm [14] is a big threat to the existing number-theoretic identity-based encryptions. The main difference of IBE from certificate based public-key encryption schemes lies in the way how the public and secret keys pair generated for a user. A private key generator, say handles the process of secret key generation, but it executes user authentication process to confirm the validity of a legitimate user. In IBE process, a public key may be an information such as the user’s email address or mobile number. The corresponding secret key is generated by embedding the user’s identity with the ’s master secret. This process removes the need of certificate that is required for verification of a legitimate recipient’s public key. The IBE process also solves the problems related to key generations and distributions in a multi-user settings. In case of limited resources, it can also offer the potential solution to make the process resource efficient.

In the literature, we have three important classes of identity-based encryptions (IBE) (see in Figure 1): 1) IBE based on bilinear pairings [1518], 2) IBE based on quadratic residue [19, 20], and 3) IBE based on lattices [21]. To the best of our knowledge, most of the constructions proposed in the standard model relies on bilinear pairings.

Chamola et al. [22] reviewed that the disruption which the quantum computers have caused in the cryptographic field. They pointed out that the existing public key encryption schemes can be broken by the quantum computers, and as a result, there is a requirement for hunting the new cryptographic mechanisms that need to be secure in the post-quantum era. Hassija et al. [23] provided a review on several quantum computing applications that can be applied in different computer science areas, including “cryptography”, “machine learning”, “deep learning” as well as “quantum simulations”. They also provided several real-life case studies on “risk analysis”, “logistics”, and “satellite communication”. Hassija et al. [24] also discussed that with the help of online cloud services, the first generation of quantum computers can be programmed and accessed using the available software development kits. Moreover, they presented a growing trend in both the investments as well as patents in the quantum computing field. In recent years, the lattice-based cryptography has played a very important role in the post-quantum era for various real-life applications, such as “Vehicular Ad Hoc Network (VANET)” [25], “ medical Cyber-Physical Systems (CPS)” [26] and “mobile communications” [27].

1.1. Research Contributions

There are two reasons to move towards post quantum secure lattice based cryptography: a) simple algebraic operations that are based on matrix multiplication and b) secure against existing quantum assisted algorithms. The main contributions of the work are listed below:This article presents a new identity-based encryption based on lattices without using the random oracles. The proposed encryption is anonymous in nature [28], which means that the cipher does not reveal the recipient’s identity.Our proposed encryption is selective-ID secure [29], and can be converted to an adaptive-ID secure [15, 16, 30] by taking the bit-wise decomposition of the corresponding identities.The proposed encryption is inspired from the Water’s [18] encryption and signature that use only non-zero positions of bits in the decomposition of the corresponding identity. The encryption is secure under “learning with errors” assumption without the random oracles.If is an appropriate security parameter and is the size of a public key, we can relate the computation time in terms of security parameter complexity as , and it can be compared with the size of classic public key (such as RSA [31] and ElGamal [32] cryptosystems) as and computation time in terms of security parameter as , respectively [33].We then incorporate the constructed identity based encryption (IBE) for IoT applications, where the smart devices send securely the sensing data to their nearby gateway nodes(s) with the help of IBE and the gateway node(s) secure aggregate the data from the smart devices by decrypting the messages using the proposed IBE decryption. Later, the authenticated data stored at the cloud server(s) will be used for accurate and better predictions with the help of AI/ML algorithms.

1.2. Paper Outline

In Section 2, the security of an Identity-Based Encryption (IBE) is discussed. Section 3 provides a discussion of basic preliminaries that are needed to analyze the proposed scheme in Section 4. In Section 5, we incorporating our proposed IBE scheme for IoT-enabled AI applications. Next, the security analysis of the proposed scheme under standard models is discussed in Section 6. A comparative study among the proposed scheme and other relevant schemes is given in Section 7. Some concluding remarks are then provided in Section 8.

2. Security of an Identity-Based Encryption

An identity-based encryption (IBE) [15] comprises of four phases (algorithms): a) Set-up, b) Extraction, c) Encrypts, and d) Decrypts. The Set-up algorithm is run under the public parameters and a secret master key. The Extraction algorithm makes use of the master key to create a secret key respective to the given identity. The Encrypts algorithm encrypts a message using the identity. Finally, the Decrypts algorithm decrypts a ciphertext with the help of the corresponding private key.

2.1. Both Selective and Adaptive Encryption

The security model of an IBE [15] defines the “indistinguishable adaptive chosen cipher and chosen identity (IND-ID-CCA2)” security. It allows a probabilistic polynomial time-adversary, say to pick an identity on which it wants to target. A weaker version of an IBE security [34] restricts the adversary to announce the target or identity at advance, that is known as the “indistinguishable adaptive chosen cipher and selective identity (IND-sID-CCA2)” security. We have described this system as a selective identity and chosen cipher secure identity-based encryption. In this version of encryption, we will not allow the adversary to process decryption queries on the target identity, which implies a weaker notion of the “indistinguishable against adaptive chosen cipher and chosen identity (IND-ID-CCA2) and indistinguishable adaptive chosen cipher and selective identity (IND-sID-CCA2)”, respectively. Another important notion is the “indistinguishable cipher against chosen plaintext attack (IND-CPA)”, which is also called semantic security.

2.2. Security Model

We now define an IBE semantic security under the IND-sID-CCA2 with the help of a game that is played between a challenger, say and an adversary . The description of the game is given below.1.Target-phase: declares the target identity in advance.2.Set-up-phase: executes the Set-up-phase, generates the public parameters for , and keeps the master key as secret.

Phase-1. submits queries , , , corresponding to the identities , , , , respectively, where for . Now, runs an algorithm, called Extraction with the master key and identity to obtain the private key corresponding to the identity , , which is the public key. Then, it sends to , where all the queries are processed adaptively meaning that can make queries with the knowledge of the previous queries.3.Challenge-phase: After completion of Phase-1, submits two messages and from the message space on which it executes the challenge. The challenger then picks randomly, and outputs Encrypts(, , ) and sends it to , where , are the parameters relevant to encryption.

Phase-2. submits the adaptive extraction queries , , , corresponding to , , , , where , respectively. Next, replies as in Phase-1.4.Guess-phase: Finally, requires to guess a bit . The game is won by if ; otherwise, looses the game.We call such an adversary as an IND-sID-CPA-adversary, and define the advantage of attacking the identity-based encryption, say asWe can also describe an adaptive phase to the above notion by excluding the target phase, and permitting to wait for the challenge phase to declare as challenge identity. can submit the arbitrary key extraction queries as in Phase-1, and then select an identity , as a target. But, the only condition imposed here is that cannot submit extraction query on , in Phase-1, and the resulting notion is called as IND-ID-CPA security. In Cipher-Anonymity along with semantic security, we have another important notion of cipher anonymity under chosen plaintext attack.

3. Preliminaries

Let be a set of real numbers and be a real number. We denote as the largest integer, but not greater than , whereas denotes the integer closest to , with ties broken upward. We apply a bold big letter to denote a matrix and a bold small letter to denote a column vector of the matrix , where denotes concatenation of the matrix with a vector . Let denote the set of all integers and be a quotient ring under integers modulo a prime , that is, a collection of the (left or right) cosets with addition and multiplication operations in the quotient ring . It is worth noticing that if and only if , which is an obvious fact about the equality of cosets.

3.1. Lattice

A lattice is defined with the following two properties: 1) it is an additive subgroup which implies , and , for all , and 2) it is discrete that implies every possesses a neighborhood in in which is the only lattice point in the neighborhood. More specifically, the successive minima is the smallest Euclidean norm such that possesses number of linearly independent vectors of norm less than or equal to . Due to properties of a discrete group, one can observe that the quotient group of cosets : , , under the usual addition: in the quotient group. A fundamental domain of is a set that contains exactly one representative of each coset .

3.2. Bases and Fundamental Parallelepiped

A lattice (see Fig. 2) is generated by a basis , , , and the integer linear combination of the linearly independent vectors , , , in the basis as . The positive integer is the rank of the basis and represents the dimension of the space under consideration. We can consider to represent a full rank lattice. A lattice possesses infinitely many bases, because if is a basis then is also a basis for a unimodular matrix. If is a basis of the lattice , the fundamental domain is the parallelepiped centered at the origin. Note that parallelepiped is formed by “six parallelogram sides to result in a three-dimensional figure” or a “Prism”, which contains a parallelogram base.

Definition 1. Let , , , be linearly independent tuples, a lattice generated by a basis , , , is denoted , , , :. The integers and denote the rank of the concerned matrix and the dimension of given lattice, respectively.

Definition 2. Let , , , be linearly independent tuples that generate a lattice , , ,  : , its dual lattice be , where can be represented as

3.3. q-ary Lattice

The q-ary lattice satisfying , for some integer , is called -ary lattice because times vectors of lattice also belongs to it. Given a matrix modulo (depends only dimension of lattice), denoted , there are -dimensional -ary lattice : and a coset of the lattice as : , where and are integers and . Here, implies that:and implies that:

These -ary lattices are applied in the construction of cryptographic techniques. Now, if the matrix is chosen randomly, solving the short vector problem on is equivalent to solve a hard problem in random lattice.

3.4. Gaussian Measures

Let and be arbitrary. Then, defines a Gaussian distribution function (see Fig. 3) with center and scaling , where the total measure corresponding to is given by . We can define the discrete Gaussian distribution as , where is an arbitrary lattice point. Note that .

We now introduce an advanced lattice parameter (called the smoothing parameter [35]) related to the Gaussian measures on random lattices as follows.

Definition 3. Let be a lattice of dimension and be an arbitrary small real number. The smoothing parameter is defined by to be the smallest such that holds.

3.5. Hard Assumptions Based on Learning with Errors

The “learning with errors” was introduced by Regev [36], which is secure against quantum computing. In the following, we state the assumption with respect to the Gaussian error distribution [35] and its parameterizations.

Definition 4 (see [36]). Let , , and be a secret. Then, is a distribution of over with is an arbitrary random and is chosen from , where is the Gaussian distribution.

Definition 5 (see [37]). The “Learning with Errors” decision problem is to distinguish betweenwhich is the distribution ofoverwith randomand the uniform random distribution over, given access to the random samples from the given distribution.

Regev [37] proved that the decision problem (learning with errors) under a suitable prime modulus and Gaussian distribution is as hard as solving the worst-case lattice problem, known as “short independent vector problem” and “decision short vector problem” in Euclidean norm, using quantum algorithms. Suppose is a group with respect to modulo one operation. Let be the Gaussian distribution on with mean 0 and standard deviation , under modulo one, where is a real number.

Theorem 1 (see [37]). Letbe a real number, andbe a prime such thatholds. If there exists a quantum algorithm that can solve, there also exists a quantum algorithm to solve “short independent vectors problem” and approximate “decision short vector problem”, in Euclidean norm, under the worst-case with infactors.

3.6. Regev’s Dual Cryptosystem

If is a lattice, its dual is the set consisting of tuples , that is, a linear span of such that inner product is an integer for all . Following the definition, one can easily observe that the dual of is . The inner product between two -tuples and is defined as , where , , , and , , , are tuples with the real entries.

The dual space has the same dimension as its primal space , and both are essentially isomorphic to each other. Therefore, a dual space lies in the same space as the primal , and not necessarily be a sub-lattice of . The lattice contains non-integers even contains only integers entries. The dual space is necessarily defined as follows in abstract vector space. If is a vector space, a function : is called a linear function if it satisfies the following conditions: 1) , and 2) , where and . The dual space of an abstract vector space is then the set of all linear functions, where a function is represented as a tuple such that , whereas the dual lattice is considered on the set of integers instead set of reals one . The dual of lattice is the collection of linear functions of the forms: represented as tuples in span . Each vector generates a linear function satisfying and partitions into the layers as : , where each layer : is necessarily a shifted copy of : , that is, a lower dimensional sub-lattice orthogonal to with distance between layers implies that the sparser lattice has denser dual and vice-versa. Therefore, the dual of is , where is an arbitrary real.

Under the hard assumption “learning with errors”, one can construct a public key cryptosystem under indistinguishable property of pseudo-random tuple from a random sample. The pseudo-random is used to mask a bit of the message in Regev’s cryptosystem [37]. Furthermore, the dual Regev’s cryptosystem consists of three phases: a) D-key-Gen, b) D-Encrypt, and c) D-Decrypt, which are discussed below.1. Let be a random matrix, where , . Choose an error . It then computes its syndrome as , where the secret vector and the public key is .2. Let be a bit to be encrypted. Choose a random with an error scalar and an error vector . It then outputs , where and .3. To perform the decryption on using the secret under the matrix , this phase computes and outputs 1 if is closer to ; else, it is 0.

3.7. Pre-image Samplable Family of Functions

Gentry et al. [21] defined a family of pre-image samplable functions that plays a very important role in the construction of the proposed encryption described in Section 4.

Definition 6. A family of pre-image samplable functions [21] consists of three phases: a) Trap-Gen , b) Sample-Dom , and c) Sample-Pre , which are given below.Trap-Gen: Trap-Gen takes input as the parameter, and outputs a pair, whereis utilized in the function:with recognizable domainand range, andis a trapdoor for the function.Sample-Dom: Under function description , it will sample over the domain in such a way the distribution of is uniform over , and outputs accordingly.Sample-Pre: Under a trapdoor and a value , it will sample an element from the distribution under the criteria that , and it then outputs .

3.7.1. Correctness

It is worth noticing that Sample-Dom samples over the domain such that follows a uniform distribution over the range , and Sample-Pre samples as in Sample-Dom under condition .

3.7.2. Security

The security of the pre-image samplable functions [21] is discussed below. The samplable functions [21] must satisfy the following properties:1.One-way without trapdoor: If is a probabilistic polynomial time adversary, the advantage is negligible, where the advantage is considered over all the possible choices of , the value is random, and tosses the coin randomly.2.Pre-image minimum entropy: If , the conditioned minimum entropy of is least under the condition .3.Collision-free without trapdoor: If is a probabilistic polynomial time adversary, the advantage results in the distinct with is negligible.

Theorem 2 (see [37]). Ifis an arbitrary large prime and, there exists a probabilistic polynomial time algorithm [38] that takes input as, and outputs a matrixand a full rank set, where the distribution corresponding tois statistically close to a uniform distribution overunder the length.

Another algorithm is known as the sampling Gaussian, denoted by Sample-Gauss, discussed by Gentry et al. [21], plays a very important role in cryptographic construction. The Sample-Gauss uses a random basis in sampling from the Gaussian distribution centered at with the standard deviation over the lattice .

Theorem 3 (see [37]). The probabilistic polynomial time algorithm provided in [21] with inputs as a basis, a lattice , an appropriate parameterand arbitrary, results in a sample distribution that is statistically close to .

The function defined in [21] is a sample pre-image consisting of three phases: a) Trap-Gen, b) Sample-Dom and c) Sample-Pre. Let be a security parameter, , be a large prime, , and Gaussian parameter , respectively. Then,Trap-Gen: Under the algorithm in Theorem 3, choose a matrix and a trapdoor . Consider : and and : such that . This phase then results .Sample-Dom: Assuming as a standard basis for , use Sample-Gauss to get sample from .Sample-Pre: Let be an arbitrary number under condition . Then, use Sample-Gauss [21] to sample from .

Theorem 4 (see [37]). Assume that the columns ofspan,, and. Then, the syndrome’s distributiondiffers by a statistically distance equal to at mostfrom the uniform distribution over.

To prove the correctness of the distribution , for a given and is a solution to , the conditional probability distribution of under matches perfectly with . The correctness of the distribution is as follows. It can be observed that is indistinguishable from the uniform distribution over , assuming the columns of spans [21] with the probability . Since , and , the result in [21] implies . Thus, as a result, Sample-Pre is distributed under under the condition .

In the proof of security, we use the functions described in [21], which are one-way and collision resistant functions. A brief discussion of these two properties are given below.One-way without trapdoor: The process of inversion of under a uniform random is equivalent to solving “in-homogeneous short integer solution” problem, say [21].Pre-image minimum entropy: Since all the pre-images follow the discrete Gaussian, it has minimum entropy [21].Collision-free without trapdoor: Let . Then, a collision implies , which actually solves the “short integer solution” problem, say .

4. Proposed Identity-Based Encryption (IBE) Scheme in Standard Model

In this section, we propose a new provably secure identity-based encryption scheme. Note that such a scheme has a compact public key and also achieves adaptive security in the standard model [39].

Our proposed identity-based encryption scheme consists of four phases: a) Set-up, b) Extraction, c) Encrypts and d) Decrypts. We take an identity as an arbitrary -bits string , where for a given security parameter . In the following, we now discuss the details of these four phases.

4.1. Set-up Phase

It includes the function Set-up. First, choose a suitable large prime , a smoothing parameter depending on the security parameter and an arbitrary random matrix , under a short basis for , that is, with the help of Ajtai’s construction [38]. Let : be a function defined as . Next, pick a tuple and a random matrix , where and : is the ordered set. The public parameters are , whereas is considered as the master secret.

4.2. Extraction Phase

This phase is accomplished by the function Extraction. A decryption key is extracted related to the identity under the master secret as the trapdoor. The following steps need to be executed:Let and be the set of non-zero positions in the string . After that, assemble an matrix [ , where as or is according to either or , respectively.Now, sample under , where , and consider such that .Let . It can be observed as , where is the non-zero position in the string .Next, apply the Sample-Pre under the trapdoor to find the pre-image of satisfying , and outputs the private key .

4.3. Encrypts Phase

In this phase, we involve the function Encrypts. In order to process the encryption on a bit under the identity using the master key , the following steps are necessary:Let [ , where because or is based on either or .Choose an arbitrary .Pick , , , , and , , , which are sampled from the distributions , , and , respectively, based on the Regev’s cryptosystem.Now, calculate , and .Finally, the initiator sends the output as the cipher to the responder.

4.4. Decrypts Phase

This phase is implemented by the function Decrypts(,,,,,). After receiving the cipher , with the private key , the responder executes the following steps:Compute , and then compare with in .If , it results bit ; else, it outputs the bit .

5. Incorporating Proposed IBE Scheme for IoT-Enabled AI Applications

In this section, we first discuss the network model for IoT-enabled AI applications, which is used for incorporating our proposed IBE scheme described in Section 4. Next, we describe the various phases where the proposed IBE scheme has been applied for IoT.

5.1. Network Model

The network model considered for IoT-enabled AI applications using our proposed IBE scheme is presented in Figure 4. The model expresses various applications of IoT, such as traffic monitoring, smart home, and IIoT. In this model, different types of smart sensors, say are connected with each other via the nearby gateway node(s) , where and denote the number of smart sensors and gateway nodes to be deployed for each IoT application, respectively. Note that there might be multiple nodes that are connected with a particular application and the gateways are further connected with the cloud server(s), say , where is the number of cloud servers. Before initiating any secure communications between and , they need to complete their registration process which is performed by a fully-trusted registration authority . Similarly, the also performs the registration of each smart sensor node to be deployed in various IoT applications. Next, a gateway node needs to perform the secure data aggregation where the data is collected through secure communication among the smart sensors and the gateway node. In this case, we apply the proposed IBE scheme for encryption/decryption of the data. After that the gateway nodes send the data securely to the cloud server(s) for secure data storage purpose. Finally, the cloud servers can perform the Big data analytics using AI/ML techniques with the data stored at .

5.2. Description of Various Phases

We have the following phases:In the pre-deployment of IoT devices phase, the trusted will perform the registration of each IoT smart device prior to their deployment in respective application. After deployment of the IoT devices, they need to communicate with their nearby gateway node(s). For avoiding various attacks by an adversary, we use the proposed IBE scheme for secure data transfer among the sensor nodes and their gateway node(s).In the registration of gateway nodes and cloud servers phase, the , also performs the registration of the deployed gateway nodes and cloud servers. For secure communication, we again use the proposed IBE scheme for secure data transfer among the gateway nodes and the cloud servers.The secure data aggregation at gateway phase allows a gateway node to collect the data from its associated IoT smart devices securely using the proposed IBE scheme.The secure data storage at cloud servers phase permits storage of data at the cloud servers securely from the gateway nodes with the help of the proposed IBE scheme.Finally, the Big data analytics using AI phase is needed because the cloud servers store a huge volume of data from various IoT applications. Since the Big data analytics provides numerous advantages, such as better decision making and preventing fraudulent activities, it is preferable to do the Big data analytics on the data stored at the cloud servers.

A high-level description of various phases related to IoT-enabled AI applications is given in Figure 5.

5.2.1. Pre-deployment of IoT Devices

Before deploying the IoT smart devices (smart sensors) in their respective application, the trusted , executes the Set-up phase described in Section 4.1 in order to select the system parameters. The steps are as follows:Step 1. The selected public parameters are , whereas is as the master secret.Step 2. For each , the , assigns a unique identity .Step 3. Next, for each , the , executes the Extraction phase described in Section 4.2 to extract a decryption key related to under the trapdoor master secret . The private key for is considered as .

5.2.2. Registration of Gateway Nodes and Cloud Servers

The registration process for the deployed gateway nodes and cloud servers is also based on the execution of the Set-up phase, where the public parameters are , and is the trapdoor master secret. This phase involves the following steps:Step 1. For each , the , assigns a unique identity . In a similar way, for each , the , also assigns a unique identity .Step 2. For each and , the , executes the Extraction phase. After executing this process, the private keys for and are selected as and , respectively.

5.2.3. Secure Data Aggregation at Gateway

In this phase, the following steps are involved:Step 1. Suppose the IoT smart sensors are deployed in their respective IoT applications as shown in Figure 4. The gateway nodes and cloud servers are also placed accordingly in the network. Let a smart sensor sense the information (data), say from its deployment area and want to communicate it securely with its gateway node , . For this purpose, the , generates a current timestamp, say , prepares a message of the type and encrypts bit wise using the public parameters, identity of , and trapdoor master key to create the ciphertext as done in the Encrypts phase described in Section 4.3, where , and are the encrypted bit strings corresponding to the bit strings of the . Next, sends the encrypted message {, } to its destination , via a public channel.

5.2.4. Secure Data Storage at Cloud Servers

In this phase, a cloud server , receives the encrypted data from the respective gateway nodes residing in an IoT application, and stores the encrypted data in its database for further processing. In order to do this, the following steps are executed by the , :Step 1. Once the message , is received at time , for checking replaying attacks, , checks the validity of the received timestamp by the condition: . If the condition fails, the process is immediately terminated.If the timestamp validation is satisfied, the encrypted data is then stored in the database of , .

5.2.5. Big Data Analytics using AI

It is worth noticing that a cloud server , receives the encrypted data generated by the IoT smart sensors residing in various applications via the aggregator nodes (gateway nodes). , can then decrypt the stored data bit wise using its own private key and performs the Big Data analytics steps using AI/ML techniques, such as “data acquisition and filtering”, “data extraction”, “data aggregation and representation”, “data analysis” as well as “data visualization”. The results of this phase will provide some useful conclusions and predictions on the stored data.

The overall mechanism of the proposed IBE scheme for IoT-based AI applications is also illustrated in Figure 6. The pre-deployment and registration phases are performed through the steps 1, 2 and 3. Step 4 explains about the data aggregation phase. While the steps 5 and 6 are about secure data storage, Step 7 explains the Big data analytics using the AI techniques.

Step 2. After receiving the message from , , first checks the validity of the received timestamp by the condition: , where and represent the time when the message was received and the maximum transmission delay, respectively. If the condition is satisfied, , proceeds to decrypt bit wise using its private (secret) key with the help of the Decrypts phase described in Section 4.4 to obtain . After that if the checking condition: is valid, , considers the data is fresh. Thus, no replay attack has been there during this process with the timestamping mechanism. Of course, for this purpose, it is reasonable to assume that the network entities are synchronized with their clocks [8].Step 3. Now, , generates a current timestamp , encrypts the prepared message = bit wise using the public key of its corresponding cloud server to obtain the ciphertext as done in the Encrypts phase, and sends the encrypted message {, } to its respective , via a public channel, where , and are the encrypted bit strings corresponding to the bit strings of the .

6. Security Analysis

In this section, we analyze the security of the proposed encryption scheme by using a sequence of games played between an adversary, say and a challenger, say , namely the games , for . The initial game is considered as the real attack, whereas the final game is the game that cannot be cracked by the adversary . Each transition from a game to another game is indistinguishable with a negligible advantage under some hard assumption. If there are polynomial time games, each of the transitions is also indistinguishable with the negligible advantage meaning that the advantage of in real attack is negligible. We now define the games in order to ensure the indistinguishable transitions.

6.1. Games Descriptions

The following games are discussed below.Game: This game is played between the adversary and the challenger with both honest and indistinguishable properties under the IND-sID-CPA property. We have defined as earlier that, under “selective identity chosen plaintext attack IND-sID-CPA” property, needs to submit target identity at advance to the , before runs the Set-up algorithm.Game: This game is same as except in the Set-up phase, computes the matrices , for and not directly, but as an arbitrary public key of random GPV trapdoors [21] corresponding to the trapdoor .Game: This game is same as , except neither uses the master secret nor the Extraction phase to answer the queries to private keys, but it uses another Trapdoor-Extraction phase and trapdoors for and . The trapdoors are represented as , , : , .

Trapdoor-Extraction: A key that corresponds to decryption is extracted for the identity , with the help of the trapdoor:1.Let be the position of non zero bit for and . Assemble an matrix , , where , because or is according to either or .2.Sample under Sample-Dom, where , 2, , , that is, from the set .3.Let . It can be then observed as , where is the non zero position in the string , and is the concatenation of all s, except 0, which follows the distribution .4.Using the distribution , sample under the Sample-Dom algorithm.5.Compute and , and then use the Sample-Pre(,,) to sample such that .6.Let including such that . Output a private key .Game: This game is same as , except computes with the trapdoors . It knows only the trapdoor of index, but not corresponding to , -bit of the target .1.Let for , 2, , , be the modulo of non-zero , position declared by to in the Set-up phase.2. generates by taking , , 2, , such that , and executes GPV trapdoors [21] as in the to obtain corresponding to . Furthermore, it takes , such that for a random , , 2, , , , and takes with .3.To extract the private key for , repeats the game , except is picked such that and corresponding to a legal query. If and , executes Trapdoor-Extraction, , , , , to generate the private key.

The challenge cipher then is generated by Encrypts (, , , , ) for an arbitrary , and outputs , , as the challenge.Game: This game is also same as , except gives a challenge to that is not computed honestly, but it is a random cipher, that is, , , is chosen randomly from distribution.

6.2. Games Transitions

In the following, we now show that each of the transitions between the successive games (Game, Game, Game, Game, Game) is indistinguishable as follows.Transition: Game, Game, : Both games are identical with respect to , and possesses the information regarding trapdoor corresponding to which is not known to .Transition: Game, Game, : Both games are identical with respect to , and possesses a different algorithm for key extraction and it is invisible to .Transition: Game, Game, : Both games are identical with respect to , and knows only half of all the hash-trapdoors and answers if the extraction queries are known, and these are invisible to .Transition: Game, Game, : The views are not identical with respect to , but are indistinguishable under “learning with errors” assumption.1.In the beginning, receives samples of “learning with errors” assumption , for , with random , and either for are random or for with a random and Gaussian .2.In the beginning, also receives from to be challenged. By applying the Set-up phase, computes . picks such that for , and executes GPV trapdoors [21] as in to obtain random and its trapdoor as in another and , respectively. Now, picks such that for , random and its -column “learning with errors” instance , and then sets .3. answers the private key queries as in the games and using the corresponding trapdoors. picks random and computes a challenge cipher , : , : .4.Finally, guesses a bit , and returns the correct ; else, returns a random bit as an answer to the “learning with errors” instances.

It is thus worth noticing that is indistinguishable in both the games and with respect to view of , excluding the challenge cipher. The “learning with errors” instance is random for the challenge cipher and components of has same distribution as in the game , and so they will be the components in .

6.3. Anonymous Cipher and Indistinguishablity

In this section, we discuss the notion of semantic security that is discussed in Section 3. It is observed that the proposed identity-based encryption scheme provides indistinguishable property of the ciphers from random strings of equal lengths, although an adversary can presume the identity of the receiver. The challenge cipher is then pseudo-random under the “learning with errors” assumption, which implies indistinguishability.

7. Performance Comparison

This section provides computation costs and recommended bit-size of the proposed identity-based encryption scheme and compares them with the other relevant approaches, such as discrete logarithm-based schemes, RSA public key cryptosystem [31] and ElGamal cryptosystem [32].

7.1. Comparison on Recommended Bit-size

Let be an appropriate security parameter and be the size of public key. We can then relate the computation time in terms of security parameter complexity , . It can be compared with the size of classic public key cryptosystems (RSA and ElGamal) which is and computation time in terms of security parameter as [33, 36].

We take , and as the parameters, where is the security parameter. Furthermore, we consider , and as the parameters to simplify the computation. The storage cost is and the communication cost is in the proposed scheme. The cipher is computed as , and , that is, in the form of triplet , , . The size of public keys involves the security parameters , , , which is roughly , that is, . In Table 1, a comparative study on recommended bit-size with respect to Lattice and classical discrete logarithm due to the “discrete logarithm problem (DLP)” intractability.

7.2. Comparison on Computation Costs

In Table 2, the relationship between the length of keys in bits and the key generation time in milliseconds has been shown. Based on the results reported in [40], in RSA-based public cryptosystem, the key lengths of 512, 1024 and 2048 bits take 360, 1280 and 4195 milliseconds, respectively. On the other hand, in the proposed lattice-based scheme, the key lengths of 1170, 1841 and 4024 bits require the generation time having 4, 7.5 and 17.5 milliseconds, respectively [40]. This clearly shows that the lattice-based IBE scheme requires less computational time for key generation part as compared to other public key cryptosystems, such as RSA.

Table 3 shows a comparative analysis on the key length in bits with the encryption and decryption speed in terms of blocks per second based on the results reported in [40]. It is noticed that when the key size is smaller, the encryption and decryption processing time for the blocks per second are less. However, the lattice-based cryptosystem performs better than RSA-based public key cryptosystem even if the key size is large.

7.3. Comparison on Security

A comparative study on the key length size and the security aspect between the RSA-based public key cryptosystem and lattice-based cryptosystem has been presented in Table 4 based on the results reported in [40]. Million instructions per second (MIPS) is taken as an “approximate measure of a computer’s raw processing power”, which is considered in the comparative study. It is observed that in both the cases when the key size is large, the security of the system increases. Moreover, even for a smaller key size the lattice based cryptosystem provides significantly better security as compared to that for an RSA-based cryptosystem.

In summary, the lattice-based cryptosystem has several advantages, such as: (a) “cryptographic resistance compared to RSA”, (b) “faster key generation”, and (c) “faster encryption and decryption of the messages”. In addition, the prime advantage of the lattice-based cryptosystem is its resistance to quantum computer attacks.

8. Concluding Remarks

In this work, we attempted to design an advanced identity-based encryption that is a very important cryptographic tool to ensure confidentiality in the current quantum era. The proposed encryption is a provably post-quantum secure without random oracles. Since lattices depends on algebraic operations that are typically matrix addition and multiplication, they make the encryption much efficient as compared to other public key cryptosystems, such as RSA. In addition, the proposed scheme is also anonymous and it produces the pseudo-random ciphers. Finally, we incorporated the constructed identity based encryption (IBE) scheme for IoT applications and described how the Big data analytics using the AI/ML techniques will be helpful in such applications.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this article.


The authors would like to thank the anonymous reviewers and the Associate Editor for their valuable comments and suggestions which helped us to improve the presentation and quality of the paper.