Indistinguishability under adaptive chosen-ciphertext attack secure double-NTRU-based key encapsulation mechanism

In this article, we propose a double-NTRU (D-NTRU)-based key encapsulation mechanism (KEM) for the key agreement requirement of the post-quantum world. The proposed KEM is obtained by combining one-way D-NTRU encryption and Dent’s KEM design method. The main contribution of this article is to construct a D-NTRU-based KEM that provides indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2) security. The IND-CCA2 analysis and primal/dual attack resistance of the proposed D-NTRU KEM are examined in detail. A comparison with similar protocols is provided regarding parameters, public/secret keys, and ciphertext sizes. The proposed scheme presents arithmetic simplicity and IND-CCA2 security that does not require any padding mechanism.


INTRODUCTION
Public-key cryptosystems (PKC) are commonly used for essential purposes such as key sharing, authentication, and data encryption. Today, the Diffie-Hellman (DH) key exchange (KE) (Diffie & Hellman, 1976) and RSA encryption/key encapsulation mechanism (KEM) (Rivest, Shamir & Adleman, 1978) are among the most widely used PKC. Shor's algorithm (Shor, 1994) gives a polynomial-time solution to some of the computationally hard problems that underpin the security assumptions of traditional PKC: it solves the integer factorization (IF) and discrete logarithm problems (DLP) in polynomial time on a sufficiently large quantum computer. Hence, the requirement for constructing post-quantum secure PKC has emerged. While it will take time to build large-scale quantum computers, many initiatives exist to obtain post-quantum secure communication. In 2016, NIST started a standardization process (National Institute of Standards and Technology (NIST), 2023) to determine the standard PKC for the post-quantum era. One of the post-quantum secure cryptosystem families is the lattice-based constructions, which provide worst-case hardness assumptions, strong security guarantees, and relatively efficient implementations. The lattice-based Number Theory Research Unit (NTRU) encryption scheme was proposed by

Motivation and contribution
The design of a post-quantum secure KEM is one of the significant open problems in the literature. The main aim of this article is to provide an IND-CCA2 secure KEM for this requirement. The proposed KEM is obtained by following the D-NTRU encryption (Wang, Lei & Hu, 2018) and Dent's construction (Dent, 2003). The contributions of this article are summarized as follows:
- This is the first IND-CCA2 secure D-NTRU-based KEM scheme constructed with a one-way encryption function.
- The security analysis of the proposed KEM is given in the random oracle model (ROM). To provide IND-CCA2 security, a hybrid of the Dent (2003) and Shoup (2001) constructions is adapted.
- The proposed D-NTRU KEM solves the IND-CCA2 security of the D-NTRU-based encryption, specified as an open problem in Wang, Lei & Hu (2018).
- The constructed KEM provides IND-CCA2 security without any padding mechanism or complex arithmetic operations.
- According to the proposed parameter set, a comparison with similar protocols is also presented.

Organization
The rest of this article is organized as follows. In Section 2, some basic definitions and assumptions are recalled. In Section 3, the proposed D-NTRU-based KEM scheme and its correctness analysis are given. The security analysis against IND-CCA2 and primal/dual attacks is presented in Section 4. The comparisons are given in Section 5. Finally, Section 6 concludes the article.

MATHEMATICAL BACKGROUND
The notations are summarized in Table 1.
In 2018, an NTRU variant, the double NTRU (D-NTRU) scheme, was proposed in Wang, Lei & Hu (2018). To explain the main properties of the D-NTRU, the composite NTRU (C-NTRU) was also defined. The hardness assumptions of the C-NTRU and the D-NTRU were based on the traditional NTRU scheme. Since this article aims to obtain the IND-CCA2 version of the D-NTRU, the main properties of the C-NTRU and the D-NTRU are recalled in the following.
In Fig. 1, composite integers are used as moduli to obtain the public key. In step 7, $h[i] \bmod q_1 q_2$ is computed with the Chinese remainder theorem (CRT), where $h[i] \equiv h_1[i] \bmod q_1$ and $h[i] \equiv h_2[i] \bmod q_2$ for $i \in [N]$. By following the steps of the key generation function, $h$ and $(f, f^{-1}_p)$ are generated as the public and secret keys of the C-NTRU, respectively. The C-NTRU ciphertext $c = F_c(f, m) = f h + m \bmod q_1 q_2$ is obtained by running the encryption procedure with the input message $m \in R_p$. In the decryption phase, $c$ is decrypted to $m$ with the help of the private key $f^{-1}_p$.
Remark 1. If $q_1 = q$ and $q_2 = 1$, then the C-NTRU coincides with the NTRU (Wang, Lei & Hu, 2018).
Based on the C-NTRU encryption, the C-NTRU one-way problem was defined in Wang, Lei & Hu (2018).
Definition 1 (The C-NTRU One-Way Problem (Wang, Lei & Hu, 2018)). Let $h(X) = \sum_{i \in [N]} h[i] X^i \in R_{q_1 q_2}$ be the public key and $c = F_c(f, m) = f h + m \in R_{q_1 q_2}$ be the ciphertext of the C-NTRU scheme, where $(f, m) \in L(d, d) \times R_p$. The main purpose is to find another polynomial pair $(f, m)$ under the C-NTRU function $F_c$ that produces the ciphertext $c$.
The C-NTRU one-way problem was obtained by following the NTRU one-way problem (Wang, Lei & Hu, 2018).
Definition 2 (The NTRU One-Way Problem (Hoffstein, Pipher & Silverman, 1998)). Let $h$ be the public key and $c = F(f, m) = h f + m \in R_q$ be the ciphertext of the NTRU scheme, where $(f, m) \in L(d, d) \times R_p$. The main purpose is to find another polynomial pair $(f, m)$ under the NTRU encryption function $F$ that produces the ciphertext $c$.
The hardness assumption of the NTRU one-way problem is recalled in Definition 3.
Definition 3 (The Hardness Assumption of the NTRU One-Way Problem). Any probabilistic polynomial time (PPT) algorithm that solves the NTRU one-way problem has negligible success probability in $\kappa$. In other words, for sufficiently large $\kappa$, it is impossible to develop a PPT algorithm that solves the NTRU one-way problem with a non-negligible probability (Howgrave-Graham et al., 2003).
Table 1 (recovered entries):
- $x \leftarrow_r X$: $x$ is chosen uniformly at random from the distribution $X$.
- $\kappa$: The main security parameter.
- $d \in \mathbb{Z}^+$: The parameter of the polynomial spaces.
- $\delta, \phi$: The failure parameters.
- $x^{-1}_p$: The inverse of the polynomial $x$ in mod $p$.
The relation between the NTRU and the C-NTRU one-way problems is given by Fact 1.
Fact 1. Let $q_1 > d$. Then, the C-NTRU one-way problem is reduced to the NTRU one-way problem in polynomial time (Wang, Lei & Hu, 2018, Theorem 4).
The C-NTRU ciphertext distribution problem is described in Definition 4.
Definition 4 (The C-NTRU Ciphertext Distribution Problem (Wang, Lei & Hu, 2018)). Let $h(X) = \sum_{i \in [N]} h[i] X^i \in R_{q_1 q_2}$ be the public key of the C-NTRU scheme. The main purpose is to distinguish the distribution of a uniformly random ciphertext $c \leftarrow_r R_{q_1 q_2}$ from that of $c = F_c(f, m) \mid (f, m) \leftarrow_r L(d, d) \times R_p$, which is produced using the C-NTRU ciphertext function $F_c$.
The relationship between the C-NTRU one-way problem and the ciphertext distribution problem is summarized in Fact 2.
Fact 2. If $q_1 > d + 2$, the C-NTRU ciphertext distribution problem is reduced to the C-NTRU one-way problem in polynomial time (Wang, Lei & Hu, 2018, Theorem 4).
By showing reductions to the C-NTRU properties, the D-NTRU scheme was also constructed to obtain a more efficient NTRU-based public-key encryption (Wang, Lei & Hu, 2018). In that scheme, double encryption is provided using twin primes. The main structure of the D-NTRU is recalled in Definition 5.
Definition 5 (The D-NTRU (Wang, Lei & Hu, 2018)). Let $p = 3$, $N$, and $q_1 + 2 = q_2 \approx q$. Then, the D-NTRU encryption scheme, using the twin primes $q_1$ and $q_2$, is given in Fig. 2.
The D-NTRU was designed as a double version of the NTRU that provides one-time-pad-like encryption. The ciphertext component $c_1$ allows some parameters, such as $r_1$ and $r_2$, to be shared and recovered, while $c_2$ provides one-time-pad-like encryption. The D-NTRU encryption scheme using the twin primes $q_1$ and $q_2$ is given in Fig. 2. The relation between the secret polynomials and the components of the D-NTRU is recalled in Corollary 1.
Corollary 1. Let $f$ and $g$ be the secret polynomials of the D-NTRU. If $\|f^{-1}_{q_1} g \bmod q_1\|_\infty > 2$ and $\|f g^{-1}_{q_1} \bmod q_1\|_\infty > 2$, the decryption of the D-NTRU scheme will not fail (Wang, Lei & Hu, 2018, Fact 1).
The conditions to prevent possible errors during the decryption phase of the D-NTRU are explained with Theorem 1.
$\ldots {}_{q_1} g) + r_2) \bmod q_1 = r_1 p g + f r_2 \bmod q_1$ must be computed correctly to recover the message. Since $q_1 > d$, Eq. (1) is satisfied.
The distribution problem of the D-NTRU is recalled in Definition 6.
Definition 6 (The Distribution Problem of the D-NTRU (Wang, Lei & Hu, 2018)). Let $(h_1, h_2)$ be the public key pair of the D-NTRU scheme. The main purpose is to distinguish the distribution of a uniformly random ciphertext $(s_1, s_2) \leftarrow_r R_{q_1} \times R_{q_2}$ from the distribution of the D-NTRU ciphertext function.
The relation between Definitions 4 and 6 is summarized in Fact 3.
Fact 3. The D-NTRU distribution problem is reduced to the C-NTRU ciphertext distribution problem in polynomial time (Wang, Lei & Hu, 2018, Theorem 6).
The one-way property of the D-NTRU scheme is explained in Corollary 2.
Corollary 2. Let the D-NTRU distribution problem be reduced to the C-NTRU ciphertext distribution problem in polynomial time. Then, since the C-NTRU scheme has the one-way property, the D-NTRU scheme also has the one-way property (Wang, Lei & Hu, 2018).
The main properties of the D-NTRU encryption scheme are defined by explaining its relationship with the C-NTRU and the NTRU. In this section, the relations between the hard problems and their main properties are expressed to show the one-wayness of the D-NTRU encryption. Based on Corollary 2 and Dent's KEM construction (Dent, 2003), the proposed KEM is explained in Section 3.

PROPOSED SCHEME
In this section, the proposed D-NTRU-based IND-CCA2 secure KEM is detailed. Since the D-NTRU encryption function is one-way, Dent's one-way KEM construction (Dent, 2003) is applied to it to obtain IND-CCA2 security. The D-NTRU-based IND-CCA2 KEM is thus built from the modified D-NTRU encryption and Dent's KEM components. The proposed IND-CCA2 secure D-NTRU-based KEM scheme is given in Fig. 3.
In Fig. 3, the public and secret keys are generated using the key generation procedure of Algorithm 3. To construct an IND-CCA2 secure KEM, Dent's KEM design idea, based on a one-way function, is used. In the encapsulation procedure of Algorithm 3, the ciphertext components of Algorithm 2 are re-evaluated in the following way.
The encapsulation steps are completed by computing the shared key using Kdf. To decapsulate $C$, $r_1$ and $r_2$ are recovered using the secret keys $(f, f^{-1}_p, G)$. Then, the recovered message $M'$ is used to obtain the shared key $K$ under Kdf.
1. Kdf: A cryptographic algorithm that derives one or more secret keys from various values using a pseudo-random function. It is modeled as a random oracle based on hash function properties. In the proposed KEM, the Kdf1 function of Shoup (2001) ($R_{q_2} \to \{0,1\}^N$) is chosen as Kdf.
2. $H: R_{q_1} \to \{0,1\}^N$: A hash function that provides entropy smoothing with respect to the security properties. For high-entropy input ciphertext byte sequences, the output is computationally indistinguishable from a random byte sequence of the same length.

Correctness
The equality of the keys obtained by encapsulation and decapsulation is examined in the correctness analysis of the D-NTRU KEM. In Fig. 3, if step 23 does not work correctly, a decapsulation failure occurs. So, the parameters should be chosen according to Theorem 4. Based on Theorems 1 and 2, if $q_1 > \phi$ is satisfied in the parameter selection, there will be no correctness problem. When the corresponding step of Fig. 3 is rewritten, Eq. (3) is obtained to show the correctness of the D-NTRU KEM.
By using Eq. (3) to recover the message $M$, the running process of the decapsulation procedure is explained with Eqs. (4) and (5). If step 23 of Fig. 3 is rewritten, Eq. (4) is obtained.

SECURITY ANALYSIS OF D-NTRU KEM
In this section, the IND-CCA2 security analysis of the proposed KEM and its resistance to some lattice-based attacks are examined.

The IND-CCA2 security of the proposed KEM
In the security analysis, the idea of obtaining an IND-CCA2 secure KEM from Dent's one-way IND-CPA secure encryption scheme (Dent, 2003) is followed. The IND-CCA2 security model is constructed by adapting (Bogdanov, 2005; Dent, 2003; Shoup, 2001) to the D-NTRU problem. The attacker's behaviors in the IND-CCA2 security are examined based on game-based security analysis. In this model, an Attacker (A), modeled as a PPT Turing machine, has the authority to run all algorithms and can obtain all communication-related media. A can also access the decapsulation oracle to decapsulate any capsulated pair. According to Dent's KEM structure, the proposed KEM is secure unless A has a significant advantage in Game 1 against a hypothetical challenger.
Game 1: There are three consecutive phases, namely start, challenge, and result, in Game 1. A aims to gain an advantage in the basic IND game by performing these phases. The sub-steps of Game 1 are visualized in Fig. 4, which shows the parameters obtained during Game 1 based on the actions of A. The reactions of Fig. 4 are summarized as follows.
Start: There are three sub-steps.
s1: Based on the security parameter $\kappa$, the key pair $(pk, sk)$ is generated by the challenger. $pk$ is sent to A and $sk$ is held by the challenger.
s2: A runs until the challenger receives the capsulated key pair. Meanwhile, it queries the decapsulation oracle to find the key associated with a capsulated key. A is ready to take on a challenge when it has made enough queries.
s3: The following steps are taken by A when generating the encapsulated key pair for the challenger. A submits two different capsulated keys:
- $(K_0, C) = \mathrm{Encapsulation}(pk)$
- $K_1 \leftarrow_r \{0,1\}^N$
Challenge: It is completed when the following sub-steps are done.
c1: The challenger chooses a bit $u \leftarrow_r \{0,1\}$ and sends the capsulated key $(K_u, C)$ to A.
c2: A can perform any number of additional capsulations and computations. According to the number of queries that A can make, the obtained security properties are defined as follows.
- In the non-adaptive IND-CCA, A cannot make further requests to the decapsulation oracle before estimating $u$.
- In IND-CCA2, A can make further requests to the decapsulation oracle before the prediction, while the challenge ciphertext $C$ cannot be submitted.
c3: A works until he/she generates the guess bit $u'$. Then, A queries the decapsulation oracle to find the ciphertext $C$ associated with the capsulated key pair.
Result:
1. If $u' = u$, A wins the game.
2. Let $p$ be the advantage of A in Game 0. In Eq. (6), if $p$ is a negligible function of $\kappa$, then the D-NTRU KEM is said to be IND-CCA2 secure.
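The three phases of Game 1 above, together with the oracle rule that separates IND-CCA from IND-CCA2 (the challenge ciphertext $C$ is never answered, and a non-adaptive attacker gets no oracle access after the challenge), can be executed as a small model. This is an added example, not code from the paper; the `ToyKem` it plugs in is a hypothetical stand-in that only provides the KEM interface (it is not the D-NTRU KEM and has no security), and the advantage is measured as $|\Pr[\text{A wins}] - 1/2|$ since Eq. (6) itself is not reproduced here.

```python
import hashlib
import hmac
import secrets

# Hypothetical stand-in KEM: only the (KeyGen, Encapsulation, Decapsulation)
# interface matters for the game. It is NOT the D-NTRU KEM and is NOT secure
# (pk equals sk); the game mechanics, not the KEM, are what this models.
class ToyKem:
    def keygen(self):
        sk = secrets.token_bytes(16)
        return sk, sk                                   # (pk, sk)

    def encapsulate(self, pk):
        c = secrets.token_bytes(16)                     # capsule C
        return hmac.new(pk, c, hashlib.sha256).digest(), c   # (K, C)

    def decapsulate(self, sk, c):
        return hmac.new(sk, c, hashlib.sha256).digest()


class IndCcaGame:
    """Game 1: start (s1-s3), challenge (c1-c3), result; q_d counts oracle queries (Q_D)."""

    def __init__(self, kem, adaptive=True):
        self.kem, self.adaptive = kem, adaptive     # adaptive=False models plain IND-CCA
        self.q_d = 0
        self.challenge_c = None
        self.u = None

    def start(self):
        # s1: the challenger generates (pk, sk), hands pk to A and keeps sk
        self.pk, self.sk = self.kem.keygen()
        return self.pk

    def decapsulation_oracle(self, c):
        # s2/c2: A may ask for the key of any capsule, subject to the game's rules
        self.q_d += 1
        if self.challenge_c is not None:
            if c == self.challenge_c:                # the challenge C may never be submitted
                return None                          # None stands for the error symbol
            if not self.adaptive:                    # IND-CCA: no oracle access after the challenge
                return None
        return self.kem.decapsulate(self.sk, c)

    def challenge(self):
        # s3: (K_0, C) = Encapsulation(pk) and K_1 <-_r {0,1}^N
        k0, c = self.kem.encapsulate(self.pk)
        k1 = secrets.token_bytes(len(k0))
        # c1: the challenger picks u <-_r {0,1} and sends (K_u, C)
        self.u = secrets.randbelow(2)
        self.challenge_c = c
        return (k0, k1)[self.u], c

    def result(self, u_guess):
        # result: A wins iff u' == u
        return u_guess == self.u


def guessing_adversary(game, pk, k, c):
    # An A that only exercises its oracle rights and then guesses u at random.
    k_fresh, c_fresh = game.kem.encapsulate(pk)
    assert game.decapsulation_oracle(c_fresh) == k_fresh   # a fresh capsule is answered
    assert game.decapsulation_oracle(c) is None            # the challenge C is refused
    return secrets.randbelow(2)


def estimate_advantage(kem, adversary, trials=2000):
    """Empirical |Pr[A wins] - 1/2| over independent runs of Game 1."""
    wins = 0
    for _ in range(trials):
        game = IndCcaGame(kem)
        pk = game.start()
        k, c = game.challenge()
        wins += game.result(adversary(game, pk, k, c))
    return abs(wins / trials - 0.5)
```

A guessing adversary lands near zero advantage; plugging a real KEM into `IndCcaGame` only requires the three-method interface.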
We now show that the advantage in Eq. (6) is negligible for the proposed KEM using Game 2.
Game 2: In the IND-CCA2 KEM scheme, A can query the decapsulation oracle more than once. Following the idea of Theorem 4 in Dent (2003), the IND-CCA2 analysis of the D-NTRU KEM is examined with Theorem 5. Let
- $|H|$ be the output length of $H: R_{q_1} \to \{0,1\}^N$,
- $T$ be the execution time of the encryption process,
- $|M|$ be the size of the message space, $M \in R_{q_2}$, and
- $Q_D$, $Q_H$, and $Q_K$ be the maximum numbers of decapsulation, hash, and Kdf oracle queries in the ROM, respectively.
Theorem 5. Let the D-NTRU (Key Generation, Encryption, Decryption), given in Fig. 2, be a one-way encryption scheme and the D-NTRU KEM be the KEM obtained from this encryption by following Dent's construction. Suppose that there is an A in the ROM that can break the IND-CCA2 security with probability $p$ in time $t$. Then, there is also an algorithm that inverts the underlying one-way encryption function with probability $p' \geq p - \frac{Q_D}{2^{|H|}} - \frac{Q_D}{|M|}$ and in time $t' \leq t + (Q_H + Q_D + Q_K) T$.
Proof 3. It is shown that if there is an A that breaks the proposed scheme with non-negligible probability, there is an algorithm that inverts the underlying one-way encryption scheme with non-negligible probability. Note that A is assumed to be able to query the oracle at any time in the IND-CCA2 security game. The following changes are made in Game 2.
- The challenger selects the challenge key pair $(K_u, C)$ at the beginning.
- If A queries the decapsulation oracle with input $C = (C_1, C_2)$, it returns the error symbol $\perp$ at any time.
The only difference compared with Game 0 is that A may query the decapsulation oracle with the ciphertext $C$ before obtaining $(K_u, C)$. To analyze the effect of this difference on the advantage of A, the adapted Lemmas 1 and 2 are used.
Lemma 1. Let $Y_1$, $Y_2$ and $Z$ be events such that $\Pr[Y_1 \mid \neg Z] = \Pr[Y_2 \mid \neg Z]$. Then the following holds, where $|M|$ and $|H|$ are the message space size and the output length of $H$, respectively.
Proof. Let $Y_1$ and $Y_2$ be the events that A wins in Game 1 and Game 2, respectively. Note that if A wins the games, he/she can correctly guess $u$ from $(K_u, C)$, where $(K_u, C)$ is selected at the beginning only in Game 2. Let $Z$ be the event that A asks for the decapsulation of $C$ before the challenge is issued. If $Z$ does not occur, A obtains the same information from its oracle queries in both games. Since $\Pr[Y_1 \mid \neg Z] = \Pr[Y_2 \mid \neg Z]$, $|\Pr[Y_1] - \Pr[Y_2]| \leq \Pr[Z]$ is obtained. In IND-CCA2, the challenge ciphertext is chosen uniformly at random from the possible ciphertext distribution. Since $c_1 = (r_1 + r_2) h_1 + (p g + 1) r_2 \bmod q_1$ and $c_2 = r_1 h_2 + r_2 + (M \oplus H(c_1)) \bmod q_2$, where $C = (c_1, c_2)$ in the proposed KEM, the decapsulation and hash oracles are queried in the event $Z$. The probability that A guesses $C$ with a decapsulation oracle query is $\frac{1}{|M|}$, and with a hash oracle query it is $\frac{1}{|H|}$. Since A can make multiple queries, A can obtain $\mathrm{decapsulation}(C, sk)$ and $C' = H(\mathrm{decapsulation}(C, sk))$ with total probability $\frac{Q_D}{|M|} + \frac{Q_D}{2^{|H|}}$ if the event $Z$ occurs. So, $\Pr[Y_2]$ is only negligibly smaller than $\Pr[Y_1]$, since $\frac{1}{|M|}$ and $\frac{1}{|H|}$ are negligible for the one-way function.
Lemma 2. Let A have a non-negligible advantage in Game 1. Then, there is also an A′ with a non-negligible advantage in Game 2.
Proof 2. Suppose that there is an A′ who breaks the KEM with probability $p'$ in Game 2. He/She runs the algorithm given in Fig. 5 to invert the one-way D-NTRU function. At the end of Algorithm 4, the winning probability of A′ is computed. This value is equal to A′'s success in inverting the challenge ciphertext $C^*$. Consider Step 3.b.iii in Fig. 5. The probability of obtaining the plaintext $X^*$ that creates the challenge ciphertext $C^*$ is equal to the probability that A′ wins Game 2.
The derivation of $X^*$ includes operation steps based on the Kdf and $H$ functions. Let $V$ be the event of querying the Kdf function with $X^* = \mathrm{decapsulation}(C^*, sk)$ at any time. The probability of outputting $X^*$, which is the plaintext of $C^*$, is computed with Eq. (8).
Since Kdf is modeled as a random oracle and the D-NTRU provides the one-wayness property, the total query probability $\frac{Q_D}{|M|} + \frac{Q_D}{2^{|H|}}$ is negligible as a function of $\kappa$. Since Eq. (6) holds, any algorithm that inverts the given ciphertext $C^*$ succeeds only with negligible probability. So, the proposed D-NTRU-based KEM is IND-CCA2 secure.

Basic lattice-based attacks
The security of the NTRU-based protocols is related to the shortest vector problem (SVP). The primal and dual attacks can be carried out against NTRU-like protocols, such as the D-NTRU encryption and KEM, to find short vectors in a lattice. Therefore, the parameter set should be chosen so that finding short vectors is infeasible (Elverdi, Akleylek & Kirlar, 2022). The primal and dual attack resistance of the D-NTRU KEM is examined as follows.
A primal attack aims to estimate the hardness of learning with errors (LWE)-based cryptosystems. By constructing an integer embedding lattice, it tries to solve the unique shortest vector problem (u-SVP); in other words, it reduces the LWE problem to the unique SVP by the embedding technique. Then, it uses Block Korkin-Zolotarev (BKZ) lattice reduction to find the shortest vector. The core-SVP hardness estimates the complexity of the primal attack as $2^{0.3496 b}$, where $b$ is the block size of the BKZ algorithm (Liang et al., 2022). So, for the primal attack resistance of the D-NTRU KEM algorithm, the reduced basis $V = (v_1, \ldots, v_d)$ is computed with BKZ-$b$. In the BKZ-$b$ algorithm, $b$ is selected as 364, independent of the parameters, for the $n = 128$-bit security level in the local model (Liang et al., 2022; Hoffstein, Pipher & Silverman, 1998). Therefore, the core-SVP cost of the primal attack is estimated as $\lfloor 0.3496 \times 364 \rfloor = 127$ for $b = 364$. Similarly, the estimates can be made with $b = 470$ or $b = 496$ for $n = 192$ and $b = 612$ for $n = 256$.
A dual attack aims to solve the decisional LWE problem, which yields the secret key by recovering part of the secret. This attack uses the BKZ algorithm in the dual lattice. In the concrete hardness assumptions of NIST's PQC standard Kyber (National Institute of Standards and Technology (NIST), 2023), dual attacks were not considered since they seem less realistic than the primal attack. Therefore, for the D-NTRU KEM algorithm, the dual attack is not considered either, since it is much more expensive and impractical than the primal attack (Albrecht et al., 2018; Liang et al., 2022).

Remark 2
The man-in-the-middle (MITM) attack examination of the D-NTRU KEM is done with respect to the distribution parameters of the key generation procedure. In the proposed D-NTRU KEM, the key polynomials are chosen as $f \leftarrow_r L(d_f, d_f - 1)$, $g \leftarrow_r L(d_f, d_f - 1)$, and $r \leftarrow_r L(d, d)$ for the parameters $d, d_f, d_g$. Since $d = d_f = d_g$ in the D-NTRU-based schemes (Wang, Lei & Hu, 2018), the MITM analysis is performed according to the key and message security calculations presented in Table 2. The main security parameter is obtained by selecting the minimum of the key and message results.
Remark 3. In the IND-CCA2 security game, when a ciphertext $C = (c_1, c_2)$ and a key $K$ are given, the goal is to determine, using the decapsulation oracle, whether $K$ was generated uniformly at random or from the ciphertext distribution. A possible attack scenario in checking the IND-CCA2 security is as follows. Let the ciphertext of the message $M$ be $C$ and let $C' = (c_1' = c_1 + 1, c_2' = c_2 + 1)$. Assume that the first coefficient of $r_2$ was not 1, so that $r_2' = r_2 + 1$ is still a ternary noise (this happens with probability at least $1/2$). Then $C' = (c_1', c_2')$ is an encryption of $M'$, with noise terms $r_1' = r_1 - f - 1$ and $r_2'$. Although $r_2' = r_2 + 1$, the term $r_1'$ is unpredictable for the attacker as it contains a component belonging to the secret key. Then, even if $c_1$ and $c_1'$ are known, $M$ cannot be obtained from $M'$ since $r_1' \neq r_1 + 1$.
Table 2 (recovered entry): ciphertext size $\mathrm{ct} = N(\log_2 q_1 + \log_2 q_2 + \log_2 2)/8$ bytes; the private key size and packaged key pair size entries are not legible.

COMPARISON
In this section, the proposed parameter set and the comparison analysis of the D-NTRU KEM are presented. The parameter set given in Table 3 is obtained by adapting the NTRU parameters according to the correctness and security analysis. To compare with the NTRU-based schemes, we developed a Python script (Seyhan, Akleylek & Dursun, 2023) based on the D-NTRU KEM bounds and the default values of Chen et al. (2022). Table 3 presents the lattice size, moduli, distribution, and security parameters of the proposed D-NTRU KEM for the 128-, 192-, and 256-bit security levels. The theoretical basis of the proposed KEM is explained in Table 2. Based on Table 2, the developed script (Seyhan, Akleylek & Dursun, 2023) was used to determine the suitable parameters and sizes. By following the message and key security computation, the values $N$ and $d$ are determined for each security level. The twin primes $q_1$ and $q_2$ are chosen to satisfy the failure condition $q_1 > 40d - 18$, where $q_1 + 2 = q_2$. The ntruhps (Chen et al., 2022) values were selected as the reference for comparison.
By using Tables 2 and 3, the computed components of the D-NTRU KEM are presented in Table 4. In Table 4, the public/secret key and ciphertext sizes are given in bytes, obtained using the script (Seyhan, Akleylek & Dursun, 2023). Since no other D-NTRU-based IND-CCA2 KEM exists in the literature, the comparison is made with NTRU-based ones such as ntruhps (Chen et al., 2022). According to Table 4, the proposed KEM has relatively larger key and ciphertext sizes for the same security level. The main parameters that cause the differences between the compared schemes, such as lattice size, moduli, error bounds, parameter/message distributions, and security components, are listed in Table 5. Different hard problems and special requirements cause these differences. According to the comparison analysis, the proposed method is characterized by the absence of any padding mechanism and by arithmetically simple operations.
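The parameter selection described in this section (twin primes $q_2 = q_1 + 2$ with $q_1 > 40d - 18$), the ciphertext-size formula $\mathrm{ct} = N(\log_2 q_1 + \log_2 q_2 + \log_2 2)/8$ bytes from Table 2, the conditions of Facts 1 and 2, and the core-SVP estimate $\lfloor 0.3496 b \rfloor$ from Section 4 can be checked with the following script. It is an added example, not the authors' script (Seyhan, Akleylek & Dursun, 2023); the sample values $N = 509$ and $d = 10$ are constructed for illustration rather than taken from Table 3, and rounding the ciphertext size up to whole bytes is an assumption.

```python
import math


def is_prime(n):
    """Deterministic trial division; adequate for moduli of the size used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def choose_twin_primes(d):
    """Smallest twin primes (q1, q2 = q1 + 2) satisfying the failure condition q1 > 40d - 18."""
    if d < 1:
        raise ValueError("d must be a positive integer")
    q1 = 40 * d - 17                      # first candidate above the bound (always odd)
    while not (is_prime(q1) and is_prime(q1 + 2)):
        q1 += 2
    return q1, q1 + 2


def hardness_conditions(q1, d):
    """Fact 1 needs q1 > d; Fact 2 needs q1 > d + 2 (C-NTRU reductions recalled in Section 2)."""
    return {"fact1_q1_gt_d": q1 > d, "fact2_q1_gt_d_plus_2": q1 > d + 2}


def ciphertext_bytes(N, q1, q2):
    """Table 2: ct = N(log2 q1 + log2 q2 + log2 2)/8, rounded up to whole bytes (assumption)."""
    bits = N * (math.log2(q1) + math.log2(q2) + math.log2(2))
    return math.ceil(bits / 8)


def core_svp_bits(b):
    """Primal-attack core-SVP cost floor(0.3496 b) for BKZ block size b (Section 4)."""
    return math.floor(0.3496 * b)


def parameter_report(N, d, b):
    """Derive the twin-prime moduli for d and collect the checks for one parameter set."""
    q1, q2 = choose_twin_primes(d)
    report = {"N": N, "d": d, "q1": q1, "q2": q2,
              "ct_bytes": ciphertext_bytes(N, q1, q2),
              "core_svp_bits": core_svp_bits(b)}
    report.update(hardness_conditions(q1, d))
    return report


if __name__ == "__main__":
    # Constructed sample values; b = 364 is the block size the paper quotes for 128-bit security.
    print(parameter_report(N=509, d=10, b=364))
```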

CONCLUSION
In this article, we construct a novel D-NTRU-based KEM scheme. It provides a solution to the IND-CCA2 security of the D-NTRU-based encryption, an open problem in Wang, Lei & Hu (2018). The security of the proposed KEM relies on the hardness assumption of the D-NTRU problem. Based on the one-way D-NTRU IND-CPA encryption scheme, the IND-CCA2 secure D-NTRU KEM is constructed by following Dent's KEM architecture (Dent, 2003). The detailed security analysis is done in the ROM according to the Dent assumptions modified for the D-NTRU-based structures. The basic lattice-based attack evaluations are also presented. The proposed KEM is the first IND-CCA2 secure D-NTRU-based KEM in the literature. It has a simple design and does not involve any padding mechanism. The D-NTRU KEM makes its relatively large key and ciphertext sizes a secondary concern. As future work, we will focus on D-NTRU-based KEM schemes including methods such as NAEP padding, and their security analysis in the quantum random oracle model (QROM).
Table 5. The parameter comparison for the NTRU/D-NTRU-based IND-CCA2 KEM schemes.

ADDITIONAL INFORMATION AND DECLARATIONS
Funding
This work was supported by TUBITAK under Grant No. 118E312. There was no additional external funding received for this study. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Grant Disclosures
The following grant information was disclosed by the authors: TUBITAK: 118E312.