A Comparative Study of Post-Quantum Cryptographic Algorithm Implementations for Secure and Efficient Energy Systems Monitoring

Abstract

The Internet of Things (IoT) has assumed a pivotal role in the advancement of communication technology and in our daily lives. However, an IoT system such as a smart grid with poorly designed topology and weak security protocols might be vulnerable to cybercrimes. Exploits may arise from sensor data interception en route to the intended consumer within an IoT system. The increasing integration of electronic devices interconnected via the internet has galvanized the acceptance of this technology. Nonetheless, as the number of users of this technology surges, there must be an aligned concern to ensure that security measures are diligently enforced within IoT communication systems, such as in smart homes, smart cities, smart factories, smart hospitals, and smart grids. This research addresses security lacunae in the topology and configuration of IoT energy monitoring systems using post-quantum cryptographic techniques. We propose tailored implementations of the Rivest–Shamir–Adleman (RSA), N-th degree Truncated Polynomial Ring Units (NTRU), and a suite of cryptographic primitives based on Module Learning With Rounding (Saber) as post-quantum cryptographic candidate algorithms for IoT devices. These aim to secure publisher–subscriber end-to-end communication in energy system monitoring. Additionally, we offer a comparative analysis of these tailored implementations on low-resource devices, such as the Raspberry Pi, during data transmission using the Message Queuing Telemetry Transport (MQTT) protocol. Results indicate that the customized implementation of NTRU outperforms both SABER and RSA in terms of CPU and memory usage, while Light SABER emerges as the front-runner when considering encryption and decryption delays.

1. Introduction

The Internet of Things (IoT) is the newest convergence technology, integrating the sensing and transmission capabilities of things to collect useful data [1,2,3,4]. Devices with IoT capabilities can be utilized to observe and monitor important people or other various parameters such as physical, electrical, environmental, etc. This information is then used to examine, recognize, and determine different problems related to daily activities e.g., smart home [5], smart city [6], smart factory [7], smart hospital [8], smart grid [9], etc. Electrical power management is one of the problems to be addressed for achieving efficient power operation. Intelligent and IoT-enabled power monitoring devices can help to overcome this problem by giving detailed information about electricity consumption. A supervisory control and data acquisition system (SCADA), which is now called an intelligent electrical power management system [10,11], is used to improve cybersecurity [12,13] and commercial readiness in power plants [14,15,16,17].

Smart grids can be embraced as a mechanism of various interconnected systems such as virtual power plants, transmission grids, distribution grids, etc. Each one of them has its own set of devices and communication technologies, intelligent devices, automated control elements, and algorithms. However, the hurried deployment and poor management of smart grid technology could render critical infrastructures vulnerable to cybercrime [18,19,20]. On the other hand, due to the limited computational power of client processors in an IoT system (i.e., smart grid), the focus of security provisioning shifts from hardware-based to software-based in terms of both effectiveness and efficiency. Several physical layer security (PLS) techniques have also been proposed to safeguard future wireless communications [21,22,23]. Therefore, it becomes imperative to implement a lightweight encryption algorithm [24,25,26,27] that ensures both security and authentication of sensitive information, all while minimizing overhead in terms of computation, memory, time, and power.

The cybersecurity status of a smart grid can be assigned as dangerous when it threatens the confidentiality, integrity, or availability of information and communication technology (ICT) [28,29,30,31]. Therefore, the organizations involved must ensure good function of their smart grids, including their market, customers, operation, distribution, etc. Future computation technologies might bring risks to cybersecurity, along with the development of quantum computers, which are believed to be capable of breaking most of the commonly used encryption systems nowadays. This has brought an urgency to develop and examine many candidates for post-quantum cryptographic systems to secure data transmission in energy systems monitoring (ESM) [32,33].

The secure energy monitoring system proposed in this research has been implemented internally in buildings N, O, and P of Telkom University, as depicted in Figure 1. This implementation utilized four Raspberry Pi-4 (RPi-4) units, one AP, and one HPE ProLiant server equipped with an HTTPS service. Three of the RPi-4 units served as registered IoT devices, while the fourth acted as an unregistered IoT device. This setup was designed to simulate an insider attack scenario, where the attacker could be an employee, contractor, or any external party with physical access to the system. Specifically, there is a risk that an adversary could breach the local network when the IoT system operates on its default configuration, even if the message queuing telemetry transport (MQTT) protocol is active. Thus, the IoT system should prohibit access to unregistered devices. A more detailed discussion follows in the next section.

To complement models, techniques, and results from previous works, this research contributes the following:

• Providing an appropriate review of IoT security outcomes and countermeasures;
• Suggesting a secure post-quantum IoT system using a customized MQTT public network protocol;
• Enforcing an optimized MQTT protocol configuration by adding lightweight cryptography from the physical layer to the application layer;
• Evaluating and benchmarking the proposed post-quantum cryptographic algorithms amongst themselves in an energy monitoring system.

The remaining sections are arranged as follows. Section 2 reviews IoT security issues and their countermeasures. Section 3 describes the proposed scheme to improve IoT network security and compares it with conventional encryption systems. Section 4 evaluates details of the unsecure and secure experiments to validate the proposed post-quantum encryption. Finally, Section 5 highlights the key take-away messages of this research.

2. Related Studies

2.1. Secure IoT Monitoring

Privacy in IoT-enabled smart homes is one of the major concerns of the research community. Ali et al. proposed a novel privacy-preserving method for smart grid-based home area networks (HAN) [34]. The proposed approach uses homomorphic Paillier encryption, the Chinese remainder theorem, and a one-way hash function to aggregate data from diverse household appliances. The proposed approach deploys a sink node between the household appliances and the smart meter, which not only filters false data injection attacks, but also provides for early fault tolerance. The smart grid is a network of different entities and different subnetworks working together. Each entity and subnetwork has its own requirements. Therefore, a universal standardized trusted framework is essential for any communication.

Some smart grids are vulnerable to False Data Injection (FDI) attacks in which an attacker manipulates meter data to disrupt grid operations. Reijsbergen et al. presented a threat model in which there are multiple operators, each with a partial view of the grid, and each can be fully compromised [35]. An effective defense against FDI in this setting is to share data between the operators. They proposed a blockchain solution with an incentive mechanism that rewards operators for uploading data but penalizes them if data are missing or anomalous. They also showed a formal analysis of our incentive mechanism and showed that operators are motivated to share data of as many meters as possible as long as the meter’s error probability is sufficiently low. However, the security of blockchain clients is a generic challenge that is not specific to smart grids.

Lightweight encryption algorithms are needed due to resource limitations at the edge nodes of an IoT system. Maitra studied AES both with and without hardware accelerators [36]. The implementation of AES in low-resource embedded platforms was not feasible. The memory, power, execution time, and feasibility of the algorithms were analyzed by using XTEA. The experiment results showed that the energy efficiency and execution time of XTEA on a microcontroller without a hardware accelerator were almost equivalent to that of a device with a crypto engine. The power consumption of XTEA was around 60 times more efficient than the AES on an 8-bit PIC microcontroller.

A collaboration with a third-party service provider demands trust from both the owner and user of sensor data. The fees for their services also must be paid. Manzoor et al. suggested a blockchain-based proxy re-encryption scheme to address those scalability and trust issues, as well as to provide an automatic payment [37]. The scheme consisted of seven polynomial-time algorithms: Setup, CertifiedUserKeyGen, Encrypt, ReKeyGen, ReEncrypt, Decrypt1, and Decrypt2. The IoT data were stored in a distributed cloud after the encryption process. The system shared the collected IoT data by setting up runtime dynamic smart contracts between the sensor and the data user without trusted third-party involvement.

Another approach by Tanveer et al. proffered a secure and anonymous authenticated key exchange (AKE) scheme for smart grids (SG), called SAAS-SG, for establishing a secure communication channel between smart meter (SM) and service provider (SPR) [38]. SAAS-SG utilizes the hash algorithm, Esch256, and authenticated encryption algorithm AEGIS to perform the AKE process. In addition, SAAS-SG ensures the integrity and confidentiality of AKE messages while preserving the anonymity of SMs and SPR because, through informal analysis, SAAS-SG is defended against different covert and fatal security vulnerabilities e.g.,  denial-of-service (DoS), replay, man-in-the-middle (MINM), and service providers (SPRs)/smart meters (SMs) impersonation attacks. Moreover, SAAS-SG requires fewer computational, communication, and storage resources without compromising the security compared to related AKE schemes proposed for the SG system.

Remotely controlled IoT has to deal with challenges, e.g., scalability, secure communication, and privacy preservation. The conventional solutions (e.g., hypertext transfer protocol secure—HTTPS) also display poor scaling problems and privacy concerns. Jin et al. used DNS with privacy preservation to design a novel lightweight, secure, and remote IoT monitoring system [39]. The remote monitoring utilized the DNS protocol, whereas the communication between IoT devices and gateways still used the conventional protocols, i.e., the constrained application protocol (CoAP) and MQTT. The communication between IoT devices and the IoT gateway only occurred in the home network for data transmission. The IoT gateway encrypted the received data using asymmetric cryptography and encoded the ciphertext using base64. The base64-encoded ciphertext was registered to the internal DNS server under the name of the IoT device by using the DNS TXT record. This method ensures that only the designated users receive and decrypt the data, which makes it one of the candidates for solving issues present in conventional solutions.

2.2. Post-Quantum IoT

Kumari et al. presented a robust and lightweight scheme for authentication and encryption in resource-constrained IoT devices, considering the high complexity and vulnerability of conventional cryptographic approaches to quantum attacks [40]. Their approach utilizes post-quantum lattice-based techniques and combines them with code-based hybrid encryption. The authentication scheme, based on Ring-Learning with Errors (Ring-LWE), incorporates Bernstein reconstruction in polynomial multiplication to minimize computational costs. This enhancement enables reliable authentication on resource-limited IoT devices. The security analysis of the proposed method confirms its effectiveness in ensuring security and privacy against specific attacks in IoT systems. Notably, the authentication scheme significantly reduced the time required for signature generation and verification to 13.299 ms and 0.735 ms, respectively, by incorporating Bernstein’s reconstruction in sparse polynomial multiplication.

Liu et al. proposed a collaborative signature scheme with deterrability (MCSD) designed to achieve post-quantum security in the Industrial Internet of Things (IIoT) environment [41]. Their scheme provides formal security proofs based on the assumption that the asymmetric module learning with errors (AMLWE) and asymmetric module short integer solution (AMSIS) problems are NP-hard. They implemented their scheme using Dilithium (Dmcsd) and Aigis-sig (Amcsd) with varying security levels. By increasing the number of signing parties from 5 to 300, they observed changes in the sizes of the public key, secret key, and signature for different security levels, namely, 1024-bit, 1280-bit, and 1536-bit security. The results indicated that the repetition number increased with the number of signing parties, leading to a higher communication round and reduced protocol efficiency. Additionally, their construction, utilizing the Dilithium multiparty signature and double authentication-preventing signature, enables support for both aggregated signatures and public deterrability.

Public-key cryptosystem holds an important role in IoT security. But, due to their complicated encryption and decryption processes, the classic public-key cryptosystems like RSA and ECC are not applicable for IoT. Shuai et al. [42] introduced a group-based NTRU-like public-key cryptosystem called a group theory research unit (GTRU). To obtain high performance of encryption and decryption processes in GTRU, group G must cater to four conditions stated in [42]. For the NTRU, min $L_f$, $L_j$ (with chosen p and q) determines the key security of GTRU while $Lm$ (encrypted message) determines the message security of GTRU. The analysis results showed that the proposed GTRU was more secure than NTRU in countering lattice-based attacks. In other words, the proposed GTRU was proven to be a safe and efficient public-key cryptosystem for IoT.

The Internet of Things (IoT) is a growing paradigm in internet networks that securely connects billions of devices to the Internet. Other well-known paradigms are quantum computing and the Shor algorithm. Both are proven as threats to most cybersecurity cryptographic protocols. Agus et al. proposed an NTRU-based communication protocol to prevent unregistered IoT devices from connecting to the network [27]. The research was carried out using three Raspberry Pi3 B+, one AP, and one server with HTTPS service. The proposed method was deployed in NTRU-401 and $NTRU$-593. The results confirmed that NTRU encryption could effectively secure end-to-end communications in IoT.

Li et al. [43] proposed a lightweight homomorphic encryption-based privacy-preserving scheme for Industrial IoT (IIoT). The study investigated the privacy issues between data owners, third-party cloud servers, and data users. The breach of information is an important matter in many critical IIoT systems, e.g., smart grids, industrial critical systems (ICS)/supervisory control and data acquisition (SCADA) systems, etc. The topics of privacy assurances in critical infrastructures and IoT services have been the focus of the recent literature. Li et al. created an air quality monitoring system. It enabled remote and non-confident cloud computing to run complex computational on encrypted data and allowed data owners and users to justify the decryption accuracy.

Khalid et al. [44] observed the feasibility of deploying various classes of quantum-resistant cryptography schemes, i.e., Lattice-Based Cryptography (LBC). The study evaluated and compared the deployment of novel LBC on low-resource devices in terms of low-power footprint, remote area, and compact bandwidth requirements with high performance including low-power FPGAs and embedded microprocessors. The implementation processes were optimized by using specific techniques for Cortex-M4 in assembly. The results showed that the proposed method had the most suitable key sizes compactness and simplicity compared to other quantum-safe schemes. Nevertheless, the LBC schemes still face challenges to be implemented in real-world systems because they need a larger public-key size than traditional public-key schemes.

3. Proposed Scheme for IoT

3.1. Design Architecture

Figure 2 depicts the IoT system installed in buildings N, O, and P at Telkom University. This IoT system comprises sensors connected to the RPi-4. The RPi-4 collects data, which are then transmitted using the MQTT protocol over a Wi-Fi network to the HPE Server, referred to as the publisher. This study recommends the addition of a message encryption mechanism to the devices of the publisher. The publisher forwards messages to the broker, which then prioritizes these messages in a queue before routing them. Subsequently, the messages are distributed directly to specific receivers, termed ’subscribers’. This system employs the RSA, NTRU, and SABER encryption methods in its encryption process. These methods were selected due to their high-security levels and minimal resource consumption. With this system in place, adversaries cannot alter the sent messages. Although adversaries might predict the MQTT topic dispatched by the original publishers, without the genuine data content, any messages they send will not be processed by the broker.

3.2. Dealing with Public and Private Keys

The public and private keys are generated on the server before being deployed on the RPi-4. The encryption scheme was implemented with moderate (128-bit) and high (196-bit) security levels. The private keys on the publisher’s devices are embedded with the public keys for RSA, NTRU, and SABER encryption systems. The public-key encryption systems for each security level are depicted in

Table 1. Public-Key Encryption (PKE) schemes.

Security Level	Scheme	Artifact Sizes (byte)
		$\mathit{pk}$	$\mathit{sk}$
Moderate: 128-bit	RSA 2048	1678	450
	NTRU 401	557	607
	Light SABER	1568	672
High: 196-bit	RSA 7680	5972	1404
	NTRU 593	821	891
	SABER	2304	992

. The parameters of the SABER encryption system are summarized in

Table 2. SABER’s Security Level.

Scheme	l	n	q	p	T	$\mathit{\mu }$	Security	${\mathit{p}}_{\mathit{fail}}$
Light SABER	2	256	$2^{13}$	$2^{10}$	$2^3$	10	NIST-I	$2^{-120}$
SABER	3	256	$2^{13}$	$2^{10}$	$2^4$	10	NIST-II	$2^{-136}$
Fire SABER	4	256	$2^{13}$	$2^{10}$	$2^6$	10	NIST-V	$2^{-165}$

.

This research customized and adopted the RSA-2048, RSA-7680 [45], NTRU-401, NTRU-593 [46], SABER [47], and Light SABER [48] standards. The NTRU and SABER encryption systems with these standards have a low computational load, but the encrypted character length is limited. The character length that can be encrypted in the NTRU and SABER encryption systems is only 16 bytes for the 128-bit security and 32 bytes for the 196-bit security.

3.3. Developing RSA on RPi-4

This section briefly introduces the RSA. Named after Rivest, Shamir, and Adleman, this method was published in 1977. The security of RSA relies on the practical difficulty of factoring the products of two large prime numbers, also called the ’factoring problem’. Breaking the RSA encryption is known as the RSA problem; whether it is as difficult as the factoring problem is an open question. There are no published methods to defeat the system using a sufficient key.

The public key consists of modulus n and public (or encryption) exponent e, while the private key consists of private (or decryption) exponent d, which must be kept secret. p, q, and $\lambda \left(n\right)$ must also be kept secret because they can be used to calculate d. However, they can all be discarded after d has been computed as RSA key generation. The paramaters for RSA are explained in

Table 3. RSA’s Parameters.

Notation	Definition
$p,q$	Choose two distinct prime numbers
N	The modulus for both the public and private keys
$\varphi \left(n\right)$	Carmichael’s totient function for kept secret p and q
$gcd$	Computing the greatest common divisor $\left(gcd\right)$ of two prime numbers
$pk$	Public key that has been released
$sk$	Secret key that will be used

, the implementation of RSA encryption (in Algorithm 1), and RSA decryption (in Algorithm 2) for securing MQTT payload make use of Algorithm 3.

Algorithm 1 RSA Encryption

1: $m,Message$ 2: $c=m^{e}modn$

Algorithm 2 RSA Decryption

1: $c,Ci pher text$ 2: $c=c^{d}modn$

Algorithm 3 Customized RSA on Publisher

1: INITIALIZE pk, Public Key; m, message;   2: INITIALIZE e, Encryption Byte Capability   3: INITIALIZE  publisher_id   4: INITIALIZE ${\mathcal{C}}_a$, Ciphertext Array   5: INITIALIZE RSA.encrypt, RSA Encryption function   6: INITIALIZE base64.encode, base64 Encoding function   7: INITIALIZE MQTT.publish, MQTT publish function   8: $x=\mathsf{length}\left(m\right)$   9: $i=0$ 10: while$\frac{x-(xmode)}{e}+1>i$  do 11:     $m^{\prime }\leftarrow \mathsf{RSA}.\mathsf{encrypt}(\mathit{c},\mathit{pk})$ 12:     ${\mathcal{C}}_a\left[i\right]\leftarrow m^{\prime }$ 13:     $i=i+1$ 14: end while 15: $\mathsf{MQTT}.\mathsf{Publish}(\mathsf{base}\mathsf{64}.\mathsf{Encode}\left({\mathcal{C}}_a\right))$

3.4. Developing NTRU on RPi-4

A public-key cryptosystem, which is called the NTRU cryptosystem, involves a set of parameters $(N,P,q)$. The key parameters are summarized in

Table 4. NTRU’s Parameters.

Notation	Definition
$\mathbb{Z}$	Integers
$N,q$	Ring parameters [Equation (1)]
p	Message space modulus.
$d_1,d_2,d_3$	Non-zero coefficient counts for product form polynomial terms
$d_g$	Non-zero coefficient counts for private key components g
$d_m$	Message representative Hamming weight constraint

. A prime N and an integer q form a ring of convolutional polynomials, where all arithmetic operations take place according to Equation (1):

$$R_{N,q}=(\mathbb{Z}/\mathbb{Z}q)\left[\mathit{X}\right]/\left({\left[X\right]}^{-1}\right)$$

(1)

The key generation process takes place when all necessary parameters $(N,p,q,d)$ act as the input. In order to obtain the key pair of the NTRUEncrypt, the steps on NTRU key generation have to be performed. The Encryption function takes input message M and public key $h\left(x\right)$, and runs the steps on Algorithm 4 to generate ciphertext $c\left(x\right)$ from message M under the NTRUEncrypt $h\left(x\right)$.

Algorithm 4 NTRU Encryption

1: $m\in R_p$ 2: $r\in T(d,d)$ 3: $c=pr·h+m(modn)$

To perform successful decryption on encrypted $c\left(x\right)$ using $h\left(x\right)$, the receiver party needs a private key $f\left(x\right)$ that correlates with $h\left(x\right)$, while, to recover message M, the procedures in Algorithm 5 should be carried out. Implementation of NTRU encryption for securing the MQTT payload can be seen in Algorithm 6.

Algorithm 5 NTRU Decryption

1: $f·e(modq)$ 2: $r\in T(d,d)$ 3: $c=pr·h+m(modq)$

Algorithm 6 Customized NTRU on Publisher

1: INITIALIZE pk, Public Key; m, message;   2: INITIALIZE e, Encryption Byte Capability   3: INITIALIZE  publisher_id   4: INITIALIZE ${\mathcal{C}}_a$, Ciphertext Array   5: INITIALIZE NTRU.encrypt, NTRU Encryption function   6: INITIALIZE base64.encode, base64 Encoding function   7: INITIALIZE MQTT.publish, MQTT publish function   8:        9: $x=\mathsf{length}\left(m\right)$ 10: $i=0$ 11: while$\frac{x-(xmode)}{e}+1>i$  do 12:     $m^{\prime }\leftarrow \mathsf{NTRU}.\mathsf{Encrypt}(\mathit{c},\mathit{pk})$ 13:     ${\mathcal{C}}_a\left[i\right]\leftarrow m^{\prime }$ 14:     $i=i+1$ 15: end while 16: $\mathsf{MQTT}.\mathsf{Publish}(\mathsf{base}\mathsf{64}.\mathsf{Encode}\left({\mathcal{C}}_a\right))$

3.5. Developing SABER on RPi-4

This section defines SABER as a lattice-based post-quantum key encapsulation scheme (KEM) that can be transformed into a secure public-key encryption (PKE) scheme. As respectively shown in Algorithms 7 and 8, the algorithms used in SABER consist of two moduli q and p, with ${\in }_q$ and ${\in }_p$ bit lengths. On generating public key $pk$ and secret key $sk$, 32 bytes of random $see{d}_A$ is used. It expands inside the $gen$ function in SABER key generation and uses SHAKE-128 to generate a random matrix A. The complete parameters for SABER are explained in

Table 5. SABER’s Parameters.

Notation	Definition
$p,q$	Choose two distinct prime numbers
N	The modulus for both the public and private keys
$\varphi \left(n\right)$	Carmichael’s totient function for kept secret (p and q)
$gcd$	Computing the greatest common divisor $\left(gcd\right)$ of two prime numbers
$pk$	Public key that has been released
$sk$	Secret key that will be used

.

Algorithm 7 SABER Encryption

1: $m\in \mathcal{M};r$ 2: $pk=(b,see{d}_A)$ 3: $A\leftarrow \mathsf{gen}\left(see{d}_A\right)$ 4: $s^{\prime }\leftarrow {\beta }_{\mu }\left(R_q^{l\times 1}\right)$ 5: $b^{\prime }=\mathsf{bits}(A^T{s}^{\prime }+h,{\in }_q,{\in }_p)\in R_p^{l\times 1}$ 6: $v^{\prime }=b^T\mathsf{bits}(s^{\prime },{\in }_p,{\in }_p)\in R_p$ 7: $c_m=\mathsf{bits}(v^{\prime }+h_1+2^{{\in }_p-1}m,{\in }_p,{\in }_r+1)$ 8: Return $c:=(c_m,b^{\prime })$

Algorithm 8 SABER Decryption

1: $c=(c_m,b^{\prime })$ 2: $sk=s$ 3: $v=b^{\prime T}\mathsf{bits}(s,{\in }_p,{\in }_p)\in R_p$ 4: $m^{\prime }=(v-2^{{\in }_p-{\in }_t-1}{c}_m+h_2,{\in }_p,1)\in R_2$ 5: Return $m^{\prime }$

On the Encryption operation in Algorithm 7, the message $m\in \mathcal{M}$ is an element of $R_q$, where $\mathcal{M}$ is the message space range in $\mathcal{M}\in {\{0,1\}}^n$. The ciphertext is generated through matrix generation, binomial sampling, matrix–vector multiplication, and binomial sampling. The decryption in Algorithm 8 is performed by computing the bit switch of vector multiplication. The implementation of SABER encryption for securing MQTT payload can be seen in Algorithm 9.

Algorithm 9 Customized SABER on Publisher

1: INITIALIZE pk, Public Key; m, message;   2: INITIALIZE e, Encryption Byte Capability   3: INITIALIZE  publisher_id   4: INITIALIZE ${\mathcal{C}}_a$, Ciphertext Array   5: INITIALIZE SABER.encrypt, SABER Encryption function   6: INITIALIZE base64.encode, base64 Encoding function   7: INITIALIZE MQTT.publish, MQTT publish function   8:        9: $x=\mathsf{length}\left(m\right)$ 10: $i=0$ 11: while$\frac{x-(xmode)}{e}+1>i$  do 12:     $m^{\prime }\leftarrow \mathsf{SABER}.\mathsf{encrypt}(\mathit{c},\mathit{pk})$ 13:     ${\mathcal{C}}_a\left[i\right]\leftarrow m^{\prime }$ 14:     $i=i+1$ 15: end while 16: $\mathsf{MQTT}.\mathsf{Publish}(\mathsf{base}\mathsf{64}.\mathsf{Encode}\left({\mathcal{C}}_a\right))$

3.6. Data Specification

Transmitted data from monitoring results are shown in

Table 6. Data Stream from 1-Phase Example.

1-Phase Stream Data

"4438ca6fc2a575cfab4fa4f1d4569964", "2022-02-28", "13:59:07", 215.4, 0.03, 3.185766, 5.622129, 6.462, 0.493, 50, 1.49

for one phase and

Table 7. Data Stream from 3-Phase Example.

3-Phase Stream Data

’6cc5dc0059d39c5392784721c78d4bb3’, ’2022-04-13’, ’11:22:03’, ’223.8’, ’223.8’, ’0.0’, ’1.70’, ’3.50’, ’0.00’, ’0.31’, ’0.63’, ’0.00’, ’0.31’, ’0.07’, ’0.35’, ’0.00’, ’0.42’, ’0.31’, ’0.71’, ’0.00’, ’0.52’, ’0.22’, ’0.50’, ’0.31’, ’19265.00’, ’11065.00’, ’30331.00’, ’50.00’

for three phases. The data were processed according to specifications from

Table 8. The 1-Phase Data Specification.

Parameter	Description	Unit
token	Data Token	-
date	Monitoring Date	-
time	Monitoring Time	-
V	Voltage (V)	V
I	Current	A
P	Power	Watt
Q	Reactive Power (VAr)	VAr
S	Appearance Power (VA)	VA
PF	Energy (kWh)	-
F	Frequency (Hz)	Hz
E	Total Energy (kWh)	kWh

for one phase and

Table 9. The 3-Phase Data Specification.

Parameter	Description	Measure Unit
token	Transmission Token	-
date	Monitoring Date	-
time	Monitoring Time	-
$V_a$	Voltage Phase R	V
$V_b$	Voltage Phase S	V
$V_c$	Voltage Phase T	V
$I_a$	Current Phase R	A
$I_b$	Current Phase S	A
$I_c$	Current Phase T	A
$Q_a$	Reactive Power R	VAr
$Q_b$	Reactive Power S	VAr
$Q_c$	Reactive Power T	VAr
$Q_t$	Reactive Power Total	VAr
$P_a$	Active Power R	Watt
$P_b$	Active Power S	Watt
$P_c$	Active Power T	Watt
$P_t$	Active Power Total	Watt
$S_a$	Appearance Power R	VA
$S_b$	Appearance Power S	VA
$S_c$	Appearance Power T	VA
$S_t$	Appearance Power Total	VA
$P{F}_a$	Power Factor R	-
$P{F}_b$	Power Factor S	-
$P{F}_c$	Power Factor T	-
$E_p$	Energy Power	kWh
$F_p$	Forwarded Energy	kWh
$S_p$	Total Energy	kWh
$Freq$	Frequency	Hz

for three phases.

3.7. Formal Security Proof

For security proof of the applied cryptographic method used in this research, we adjust the encryption scheme parameter according to Bernstein’s work on lattice-based security proof comparison [49].

• Table 10. Set of Multipliers for Each of The Target PKEs.

  System	Parameter Set	Type	Set of Multipliers
  NTRU	hps2048401	Quotient	$(\mathbb{Z}/2048)\left[\mathit{x}\right]/({\mathit{x}}^{401}-1)$
  NTRU	hps2048593	Quotient	$(\mathbb{Z}/2048)\left[\mathit{x}\right]/({\mathit{x}}^{593}-1)$
  saber	main	Product	$(\mathbb{Z}/8192)\left[\mathit{x}\right]/{({\mathit{x}}^{256}+1)}^{2\times 2}$
  saber	fire	Product	$(\mathbb{Z}/8192)\left[\mathit{x}\right]/{({\mathit{x}}^{256}+1)}^{3\times 3}$

  shows the set of multipliers G for each PKE;
• Table 11. Distribution of Short Elements for Each of The Target PKEs.

  System	Parameter Set	Short Element
  NTRU	hps2048401	$\mathbf{Z}\left[x\right]/(x^{401}-1);-1,0,1$
  NTRU	hps2048593	$\mathbf{Z}\left[x\right]/(x^{593}-1);-1,0,1$
  SABER	main	${(\mathbf{Z}\left[x\right]/(x^{256}+1))}^3;{\sum }_{0\le i<8}\{-0.5,0.5\}$
  SABER	fire	${(\mathbf{Z}\left[x\right]/(x^{256}+1))}^4;{\sum }_{0\le i<6}\{-0.5,0.5\}$

  shows how short elements a are generated;
• Table 12. An Approximation Key Offset of the Noisy or Rounded Product NTRU PKEs.

  System	Parameter Set	Key Offset
  NTRU	hps2048401	$\mathbf{Z}\left[x\right]/(x^{401}-1);-1,0,1\mathrm{weight}127,127$
  NTRU	hps2048593	$\mathbf{Z}\left[x\right]/(x^{593}-1);-1,0,1\mathrm{weight}127,127$
  SABER	main	$\mathrm{round}\mathbf{Z}/8192\mathrm{to}8\mathbf{Z}$
  SABER	fire	$\mathrm{round}\mathbf{Z}/8192\mathrm{to}8\mathbf{Z}$

  shows how the difference $A_a-G$ is generated; this concludes key generation;
• Encryption generates b and $B\approx G_b$ as in Table 11 and Table 12, respectively;
• For Product NTRU,

  Table 13. An Approximation Cipher Offset of the Noisy or Rounded Product NTRU PKEs.

  System	Parameter Set	Ciphertext Offset
  NTRU	hps2048401	not applicable
  NTRU	hps2048593	not applicable
  SABER	main	$\mathrm{round}\mathbf{Z}/8192\mathrm{to}512\mathbf{Z}$
  SABER	fire	$\mathrm{round}\mathbf{Z}/8192\mathrm{to}128\mathbf{Z}$

  shows how $A_b+M$ is converted to C and

  Table 14. Set of Encoded Messages for Each of The Target Product NTRU PKEs.

  System	Parameter Set	Set of Encoded Messages
  NTRU	hps2048401	not applicable
  NTRU	hps2048593	not applicable
  SABER	main	${\sum }_{0\le i<256}\left\{0.4096\right\}{x}^i$
  SABER	fire	${\sum }_{0\le i<256}\left\{0.4096\right\}{x}^i$

  shows the set of encoded messages M.

4. Evaluation and Analysis

This section discusses the testing and compares the encryption time consumption of RSA 2048, RSA 7680, NTRU 401, NTRU 539, SABER, and Light SABER on the system as explained in the previous chapter along with the reliability tests of the Light SABER encryption system when implemented on the MQTT protocol. The measurements of the encryption time consumption were carried out on IoT RPi-4 devices, while the encryption reliability tests on the MQTT protocol were carried out on RPi-4 publisher devices, Raspberry Pi broker devices, and desktop subscriber devices. The test was performed by calculating the encryption speed of several encryption standards on RPi-4 devices. The object to be encrypted was a file containing electrical energy monitoring for one-phase and three-phase voltages at buildings N, O, and P at Telkom University.

4.1. 1/3-Phase Encryption & Decryption

Each encryption algorithm was successfully implemented on RPi-4 from 27 January 2022 until time of publication. There were only 500 transmitted pieces of data taken from the ESM server for the testing phase. As a comparison with conventional MQTT, Figure 3 shows the examples of ESM transmitted data in one-phase. The generated data were different from the data in the three-phase, but only in the data length. For example, the plaintext data sent from registered RPi-4 were "device_id, voltage, current, and power"; even by enabling MQTT, the message still can be derived as plaintext. This verifies the possibility of eavesdropping by unregistered RPi-4 in a public network. Meanwhile, Figure 4 shows that the adversary still can conduct sniffing, but the messages that have been received will be meaningless without the private key.

4.2. Security Performance Evaluation

This research tested and analyzed the data transmission security system from the publisher to the subscriber. The publisher used 1/3 phase of data power in buildings N, P, and O at Telkom University, while the subscriber used an ESM server that was also sent via Telkom Digital Service Division (DDS). Based on Shodan’s data, as of June 2022, there were still 134,879 brokers or IoT devices in the world that used port 1883, known as the default port for the MQTT protocol, with South Korea being the largest user. Therefore, this research also discusses four types of attacks against ESM systems for end-to-end communication security.

Based on Figure 5, the publishers send data to the subscriber through a broker using the MQTT protocol based on the topics that have been created by the publishers. If the broker and subscriber are streamed through the internet, it is very possible that several attacks may occur and could be harmful to the whole system. Figure 5 also shows the possibilities of adversaries acting as publishers or subscribers. The attacks tested on this ESM were data privacy, authentication, data integrity, and DDoS mitigation.

4.2.1. Attack on Data Privacy

In a scenario where the adversary is in the same network as the publishers, the adversary can sniff the traffic passing through the network, as shown in Figure 6. As can be seen in the screenshot, the data sent by the publisher, “This data should’ve been hidden”, should not be allowed to be seen by unregistered publishers.

To prevent that scenario from occurring, the payload (data content) must be secured using encryption algorithms. This research implemented several comparison algorithms, e.g., RSA, NTRU, and SABER. The example shown in Figure 7 uses a post-quantum cryptography algorithm, namely, NTRU. As seen in Figure 7, the adversary cannot sniff any critical data because the MQTT traffic is now only transmitting NTRU ciphertext. All communications from the publishers to the subscribers are encapsulated with an NTRU post-quantum cryptography header.

4.2.2. Attack on Authentication

Based on Figure 8, the subscribers are able to decrypt if the keys exchanged between the publishers and the subscribers are matched. If the keys match, then the communication can be carried out according to the payload (data content) sent by the publisher. Then, the ciphertext data can be changed into plaintext again and read by the subscriber.

Based on the first authentication attack scenario, the adversary tries to impersonate an existing IoT device (publisher). The adversary also tries to send a tampered payload containing the original payload to the subscriber. Figure 9 shows that an error, “incorrect padding”, occurs when the publisher tries to enter the subscriber and send the payload. The size of the plaintext data sent by the publisher will not affect the ciphertext because it is wrapped again with the base64 encoding method.

The second authentication attack scenario was anyone who tried to subscribe to the network traffic. Legitimate subscribers only receive an encrypted payload. Without using the correct private key, the incoming data are considered as babbles without content. Figure 10 shows that unauthorized subscribers receive data that is completely incomprehensible. This scenario was made to simulate dealing with adversaries originating from the subscribers.

4.2.3. Attack on Data Integrity

Any changes to a valid encrypted payload that are made by the adversary damage its structure. This can happen when the adversary (publisher) performs sniffing on the traffic and retransmits the modified payloads to the subscribers. The modified payload could be malicious. On the subscriber’s side, the decryption process on the malicious payloads fails because it was modified without the correct public key. The effect of this process is the damage to the payload structures and the creation of data that are considered invalid, as addressed in

Table 15. Firewall rule.

Rule No.	Source	Destination	Protocol	Port	Action
1	Unregistered	Subscriber	TCP	MQTT	deny
2	Subscriber	Unregistered	TCP	MQTT	deny
3	Registered	Subscriber	TCP	MQTT	allow
4	Subscriber	Registered	TCP	MQTT	allow

and depicted in Figure 11.

4.2.4. DDOS Mitigation

A whitelist, as shown in Figure 12, is used to overcome DDoS on the broker’s devices. In other words, only devices on the whitelist are allowed to transmit through the broker using the MQTT protocol as shown in Figure 13. Figure 14 shows that the adversary, who is not on the list, performs the DDoS, and the device is automatically rejected with the message, “Error: Connection timed out”. Furthermore, on the firewall side, a schedule can be made to carry out periodic monitoring and show the firewall log on the broker, as shown in Figure 15.

4.3. Embedded System Performance Analysis

Figure 16 and Figure 17 show the average CPU and RAM usage of the RPi-4 while running the RSA, NTRU, and SABER encryption and decryption for more than 500 payload transmissions using MQTT protocol. The average RAM consumption for the encryption process in the 128-bit security level was 37% for RSA-7680, 18% for NTRU-401, and 26% for Light Saber. While in the 196-bit security level, the average RAM consumption was 53% for RSA-2048, 24% for NTRU-539, and 27% for Light SABER. The average CPU consumption for the encryption process in the 128-bit security level was 37% for RSA-7680, 18% for NTRU-401, and 26% for Light SABER. In the 196-bit security level, the average CPU consumption for the encryption process was 53% for RSA-7680, 24% for NTRU-539, and 27% for SABER. The average RAM consumption of the decryption process with a 128-bit security level was 8% for RSA-2048, 3% for NTRU-401, and 4% for Light SABER. With a 196-bit security level, the average RAM consumption was 18% for RSA-7680, 3% for NTRU-539, and 7% for SABER. The average CPU consumption of the decryption process with 128-bit security was 23% for RSA-7680, 18% for NTRU-401, and 16% for Light SABER, while, with 196-bit security, it was 22% for RSA-7680, 19% NTRU-539, and 20% for SABER.

The data transmitted from the publisher to the subscriber were securely encrypted for this scenario. When comparing the average encryption time of each customized algorithm with the RSA-4028 at the 128-bit security level, it can be concluded that Light SABER was 43.556 times faster and NTRU-401 was 4.668 times faster than the RSA-4028. The comparison with RSA-7680 at the 196-bit security level shows that the SABER was 8.123 times faster and the NTRU-539 was 8.889 times faster than the RSA-7680. The average decryption time comparison in the 128-bit security level summarizes that the Light SABER was 16.956 times faster and the NTRU-401 was 9.953 times faster than RSA-2048. In the 192-bit security level, the SABER was 269.955 times faster and the NTRU-593 was 5.301 times faster than the RSA-7680. This proves that a post-quantum encryption system is a feasible scheme for RPi-4 or other low-resource devices on the Internet of Things. As for the validation of RSA, NTRU, and SABER, the average time for the encryption and decryption processes were averaged and are shown in Figure 18 and Figure 19, respectively.

4.4. Discussion

The proposed design was verified by evaluating existing benchmark encryption techniques, e.g., RSA-2048, RSA-7680, NTRU-401, NTRU-593, SABER, and Light SABER. The detailed key specifications for those encryption algorithms are explained in Table 1. The performance evaluation for those encryption algorithms was calculated by using the encryption time (as shown in

Table 16. Encryption time (in s) between publisher and subscriber.

	Moderate Security Level			High Security Level
N-th Data	Light SABER	NTRU 401	RSA 2048	SABER	NTRU 593	RSA 7680
1	0.000154	0.0111	0.0307	0.00027	0.01219	0.1181
2	0.000778	0.0050	0.0487	0.00177	0.014098	0.1499
3	0.000769	0.0085	0.0264	0.00186	0.014003	0.1217
4	0.000774	0.0131	0.0348	0.00162	0.015553	0.1234
…	…	…	…	…	…	…
498	0.000841	0.0109	0.0448	0.00063	0.015934	0.1230
499	0.000776	0.0062	0.0236	0.00041	0.004614	0.1183
500	0.000772	0.0120	0.0493	0.00079	0.006216	0.0930

) and the decryption time (as shown in

Table 17. Decryption time (in s) between publisher and subscriber.

	Moderate Security Level			High Security Level
N-th Data	Light SABER	NTRU 401	RSA 2048	SABER	NTRU 593	RSA 7680
1	0.00004	0.00029	0.00336	0.00006	0.01219	0.07623
2	0.00017	0.00029	0.00295	0.00017	0.01410	0.06292
3	0.00019	0.00030	0.00324	0.00018	0.01400	0.06221
4	0.00020	0.00029	0.00326	0.00021	0.01555	0.06240
…	…	…	…	…	…	…
498	0.00017	0.00031	0.00320	0.00030	0.01593	0.06443
499	0.00017	0.00031	0.00330	0.00008	0.00461	0.06283
500	0.00023	0.00047	0.00346	0.00051	0.00622	0.06269

). The benchmark results of the encryption and decryption with 500 stream data on RPi-4 in a power monitoring system indicate that SABER and Light SABER outperformed both NTRU schemes and the standard encryption (RSA-2048 and RSA-7680), as shown in Figure 18, Figure 19, Figure 20 and Figure 21. Based on the evaluation of CPU and RAM usage, the post-quantum encryptions have been proven to consume slightly fewer resources while maintaining the same security level. Considering the post-quantum encryptions, the NTRU and SABER encrypted the messages sent via the MQTT protocol in less than 100 ms. Thus, the encryption and decryption time have a significant impact on low-resource hardware.

Meanwhile, the reliability of the security system from post-quantum cryptography was evaluated by attacking data privacy, authentication, data integrity, and DDoS. From these four types of attacks, the proposed system was proven to be able to fend off SCADA system cyberattacks and cyber-warfare. Post-quantum cryptography can also help to defend against those risks, protect critical applications and data, and recover from breaches or failures.

5. Concluding Remarks

This research concludes that the IoT data transmission system utilizing the MQTT protocol on RPi-4 devices has the potential for deployment in real-world IoT networks while ensuring secure communications. We recommend that general IoT systems (ARMv8-A) integrate the Light SABER, SABER, and NTRU post-quantum encryption methods. This adoption will enhance their reliability, bringing them closer to real-time operation without demanding additional resources. Our experiments with data transmission in ESMs using SABER encryption affirm that high-security encryption systems are viable for low-resource IoT devices. Messages of both one-phase and three-phase lengths were fully encrypted using the padding feature and then transmitted via the MQTT protocol. Future refinements to the system proposed in this study might involve evaluating the design of an IoT data delivery system, employing the MQTT protocol with alternative cost-effective microcomputer devices. This could pave the way for more affordable IoT technology. In subsequent studies, we will aim to incorporate other post-quantum encryption systems into IoT platforms that utilize the MQTT protocol.