FOR SELECTING SYSTEM-WIDE PARAMETERS AND ANALYSIS OF RESISTANCE AGAINST THIRD-PARTY CHANNEL ATTACKS FOR THE KEY ENCAPSULATION MECHANISM DSTU 8961:2019

In recent years there has been significant progress in building quantum computers. If scalable quantum computers are realised, the security of most widely used public-key cryptosystems will be compromised. The most vulnerable are key-establishment schemes and digital signatures based on integer factorization, discrete logarithms and elliptic curves. The main task now is to develop, evaluate, analyse and standardize, at the international level, asymmetric cryptographic transformations, including key encapsulation mechanisms (KEM), that resist attacks by adversaries of the post-quantum period. Another important task is to study further the already adopted national standards of ACS and PIC for resistance to side-channel attacks, in particular to assess whether the running time of the private-key transformation depends on the structure of the key bits. The main efforts of the international cryptographic community to develop, standardize and implement new post-quantum cryptographic transformations are centred on the NIST PQC Standardization Process, which began in December 2016 [1]. Of the 82 submitted candidates, 69 were admitted to the first round of the competition. In January 2019, based on open discussion and feedback from the cryptographic community, NIST selected 26 algorithms for the second round [2], including 17 asymmetric encryption and/or KEM schemes.


Introduction
In recent years there has been significant progress in building quantum computers. If scalable quantum computers are realised, the security of most widely used public-key cryptosystems will be compromised. The most vulnerable are key-establishment schemes and digital signatures based on integer factorization, discrete logarithms and elliptic curves. The main task now is to develop, evaluate, analyse and standardize, at the international level, asymmetric cryptographic transformations, including key encapsulation mechanisms (KEM), that resist attacks by adversaries of the post-quantum period. Another important task is to study further the already adopted national standards of ACS and PIC for resistance to side-channel attacks, in particular to assess whether the running time of the private-key transformation depends on the structure of the key bits.
The main efforts of the international cryptographic community to develop, standardize and implement new post-quantum cryptographic transformations are centred on the NIST PQC Standardization Process, which began in December 2016 [1].
Of the 82 submitted candidates, 69 were admitted to the first round of the competition. In January 2019, based on open discussion and feedback from the cryptographic community, NIST selected 26 algorithms for the second round [2], including 17 asymmetric encryption and/or KEM schemes.

The state of development and standardization of key encapsulation protocols at the international level and in Ukraine
Of the NIST evaluation criteria, the most important is algorithm security. For KEM algorithms, NIST's call for proposals requires "semantic security" against adaptive chosen-ciphertext attacks, which corresponds to the IND-CCA2 security model. Since meeting the stricter requirements of the IND-CCA2 model may affect the performance of some algorithms [3], NIST also accepted algorithms whose security is established only in the weaker IND-CPA model.
In July 2020 the second round of the competition ended and the start of the third round was announced [3]. Fifteen candidates advanced to round 3: 7 were selected as finalists and 8 as alternate candidates. The KEM finalists are Classic McEliece, SABER, CRYSTALS-KYBER and NTRU; the alternate KEM candidates are BIKE, FrodoKEM, HQC, NTRU Prime and SIKE. Three of the four KEM finalists (NTRU, CRYSTALS-KYBER and SABER) are based on algebraic lattices, which gives grounds to expect that at least one of them will be included in the standard.
According to the report [3], the second most important requirement is performance; for the round 3 candidates it is assessed as the speed of key generation and of the forward and inverse transformations, together with the space complexity (sizes) of public keys, digital signatures and ciphertexts. For KEM algorithms the key-generation time is weighted on a par with the forward and inverse transformation times, because many applications generate a new key pair for each session to provide perfect forward secrecy. Security and performance are therefore currently the main criteria considered in NIST's decisions in round 3 of the PQC competition.
In [4] NIST recommended that submitters focus on parameter sets for security levels 1-5 as defined in [5], i.e. a security level of 128 bits of quantum and 256 bits of classical security. Nevertheless, at the national level it was substantiated [6] and set as a task to develop a KEM-type asymmetric transformation and parameter sets that provide security level 7, i.e. 256 bits of quantum and 512 bits of classical security. In [7] the main algorithms for generating system-wide parameters, encryption and decryption for the enhanced NTRU Prime IIT Ukraine KEM algorithm were substantiated.

The main parameters of DSTU 8961:2019 and the method of generating parameters for the 7th security level
The main parameters of the algorithm are presented in Table 1 and Table 2; the full parameter set can be found in [8,10].
Table 1. General parameters
Ring of polynomials: all coefficients are reduced modulo q.
N: order of the polynomial. It must be a prime for which the polynomial x^N - x - 1 is irreducible; the order determines the number of coefficients.
A comprehensive description of the calculation of the general parameters is given in [7,8,13]. A simplified sequence of steps is as follows.
Step 1. Select a prime N. Primes N are chosen for which the order is N-1 or (N-1)/2 (1).
Step 2. Form the key space for private keys. To specify the key space, it is necessary to determine the number N/3 of nonzero elements (1 and -1) in the polynomial F = F1 * F2 + F3 and in the key G.
The maximum number of nonzero elements in the key is then defined [8] by the polynomial F = F1 * F2 + F3, taking into account the numbers of (1) and (-1) elements, and is given by formula (2). So that recovering the keys from the polynomials F1, F2, F3 has approximately the same complexity for each of them, we choose d1 ≈ d2 ≈ d3.
In [13] it is proposed to calculate this value according to formulas (3, …
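The formulas (1)-(10) referenced in the steps are not reproduced on this page, so the following added example (my code, not the paper's and not the DSTU 8961:2019 reference implementation) checks only the structural conditions on a candidate (N, q) pair that the text states in full: N and q must be prime, and x^N - x - 1 must be irreducible over GF(q), so that the ring Z_q[x]/(x^N - x - 1) of Table 1 is a field. The "order is N-1 or (N-1)/2" condition of Step 1 and the security estimates of Steps 3-8 are not implemented. Irreducibility is decided with the Ben-Or criterion, which is my choice of algorithm rather than anything the paper prescribes; the small (N, q) pairs at the bottom are constructed test inputs.

```python
# Added example (not from the paper or the DSTU 8961:2019 reference code):
# checks the explicitly stated conditions on (N, q):
#   * N is prime and q is prime (Step 1, Step 5),
#   * x^N - x - 1 is irreducible over GF(q), so Z_q[x]/(x^N - x - 1) is a field (Table 1).
# Irreducibility uses the Ben-Or criterion (my choice of algorithm):
#   f of degree n is irreducible over GF(q) iff gcd(f, x^(q^i) - x) = 1 for 1 <= i <= n/2.
# Polynomials are lists of coefficients in Z_q, index = degree.


def is_prime(n):
    """Trial division; sufficient for the parameter sizes used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def trim(a):
    """Drop leading zero coefficients, keeping [0] for the zero polynomial."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def ring_mul(a, b, N, q):
    """Product in Z_q[x]/(x^N - x - 1); inputs have length N, output length N."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] = (prod[i + j] + ai * bj) % q
    # fold every term of degree d >= N using x^d = x^(d-N) * x^N = x^(d-N+1) + x^(d-N)
    for d in range(2 * N - 2, N - 1, -1):
        c = prod[d]
        if c:
            prod[d - N + 1] = (prod[d - N + 1] + c) % q
            prod[d - N] = (prod[d - N] + c) % q
    return prod[:N]


def ring_pow(base, e, N, q):
    """Square-and-multiply exponentiation in Z_q[x]/(x^N - x - 1)."""
    result = [1] + [0] * (N - 1)
    while e:
        if e & 1:
            result = ring_mul(result, base, N, q)
        base = ring_mul(base, base, N, q)
        e >>= 1
    return result


def poly_mod(a, b, q):
    """Remainder of a divided by b in GF(q)[x] (q prime, b non-zero)."""
    a = trim([c % q for c in a])
    b = trim([c % q for c in b])
    inv_lead = pow(b[-1], -1, q)
    while len(a) >= len(b) and a != [0]:
        coef = (a[-1] * inv_lead) % q
        shift = len(a) - len(b)
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bi) % q
        a = trim(a)
    return a


def poly_gcd(a, b, q):
    """Monic gcd in GF(q)[x]; the irreducibility test compares the result with [1]."""
    a, b = trim(list(a)), trim(list(b))
    while b != [0]:
        a, b = b, poly_mod(a, b, q)
    inv = pow(a[-1], -1, q)
    return [(c * inv) % q for c in a]


def is_irreducible_x_n_x_1(N, q):
    """Ben-Or test for f(x) = x^N - x - 1 over GF(q), N >= 2, q prime."""
    f = [(-1) % q, (-1) % q] + [0] * (N - 2) + [1]   # -1 - x + x^N
    h = [0, 1] + [0] * (N - 2)                        # the element x of the ring
    for _ in range(1, N // 2 + 1):
        h = ring_pow(h, q, N, q)                      # h = x^(q^i) mod f
        h_minus_x = list(h)
        h_minus_x[1] = (h_minus_x[1] - 1) % q
        if poly_gcd(f, h_minus_x, q) != [1]:
            return False
    return True


def check_parameters(N, q):
    """The explicitly stated conditions on a candidate (N, q) pair."""
    return {
        "N_prime": is_prime(N),
        "q_prime": is_prime(q),
        "ring_is_field": N >= 2 and is_prime(q) and is_irreducible_x_n_x_1(N, q),
    }


def admissible_N(q, lo, hi):
    """Primes N in [lo, hi) for which Z_q[x]/(x^N - x - 1) is a field."""
    return [N for N in range(max(lo, 2), hi) if is_prime(N) and is_irreducible_x_n_x_1(N, q)]


if __name__ == "__main__":
    for N, q in ((3, 2), (3, 5), (2, 3), (2, 5)):   # constructed small test pairs
        print(N, q, check_parameters(N, q))
    print("q = 2:", admissible_N(2, 2, 8))
```

The quadratic-time schoolbook product keeps the code short; for N of the size used by the standard, the same test is best run in a computer algebra system, but the logic is identical. A candidate N that passes here still has to pass the order condition of Step 1 and the security checks of Steps 3-8 before it can be used.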

Step 3. Calculation of the security parameter taking into account the key space and the meet-in-the-middle attack (upper security bounds)
To calculate the security parameter taking into account the key space and the meet-in-the-middle attack [8], the number of keys is determined taking into account their form of representation and the meet-in-the-middle attack [14].
To determine the minimum prime N that provides the desired security λ, inequality (5) from [13] is used. If the resulting λ is lower than required, a larger prime N is chosen and the procedure returns to step 2.
Step 4. Calculate the maximum number of nonzero elements in the message (d_m). During encryption, the encoded message is converted into a small polynomial that must contain a number of nonzero elements defined by the general parameter d_m, in order to prevent attacks. However, if the number of such nonzero elements exceeds some threshold, the probability of having to reselect the mask and multiply by a blinding polynomial again becomes high [8]. This parameter therefore significantly affects the performance of the encryption algorithm.
A sufficient condition for eliminating decryption errors is condition (6).
Step 5. Calculate q. It must be prime and satisfy the conditions from [13]. The analysis showed that the value of the modulus q affects the probability of a decryption error and is used in assessing the security of the lattice.
To calculate the value of q that gives the maximum error probability admissible for the security level, inequality (7) can be used.
Step 6. Calculate T_mitm. Calculate the minimum value 0 < r ≤ N that satisfies conditions (8). If at least one of the conditions fails, select a larger prime N and go to step 2.
Step 7. Calculate the size of the lattice.
Step 8. Calculate T_lattice, the number of operations needed to construct a Korkin-Zolotarev-reduced basis [13] of a complete lattice of dimension S, by formula (10).
The resulting parameter sets are given in Table 3. They are applicable both for key encapsulation and for direct encryption; the highlighted rows are the sets used in the standard DSTU 8961:2019 [10].
For the experiment, 10,000 keys were generated and sorted by increasing number of ones. For each key, 100 calls were made to each tested function, and the average execution time in CPU clocks for that key was calculated. Figs. 2-3 plot the number of CPU cycles against the key number. Random deviations can be caused by other processes in the operating system and do not depend on the number of ones in the key. Some optimisations of the implementation are still possible, however, and the number of cycles may depend on the implementation. The correlation coefficients between the execution time of the key encapsulation/decapsulation functions and the number of ones in the key for DSTU 8961:2019 lie in the range [0.106 … 0.153], which indicates that the execution time of the transformations is practically independent of the number of ones in the key.
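The timing experiment described above (keys sorted by number of ones, repeated calls per key, correlation between execution time and key weight) can be reproduced on any implementation. The following is an added example of such a harness, written by me and not taken from the paper or from DSTU 8961:2019: it measures a deliberately weight-dependent toy convolution beside a weight-independent one and reports the correlation for each. The toy ring (a cyclic convolution of length N), the constants N and Q, the key generator and the use of the Pearson coefficient are all my assumptions; the paper does not state which correlation coefficient it used or what its measured functions do internally.

```python
import random
import statistics
import time

# Added example (not from the paper): a small replica of the timing experiment
# described above. Keys are ternary polynomials (coefficients in {-1, 0, 1});
# "number of ones" below means the number of non-zero coefficients. The two
# multiplication routines, the toy ring (cyclic convolution of length N) and
# the modulus are constructed for illustration and are not DSTU 8961:2019 code.

N = 61      # toy degree; the standard's N values are much larger
Q = 4591    # toy modulus


def make_rng(seed):
    """Seeded generator so a run (and its test) is reproducible."""
    return random.Random(seed)


def random_ternary_key(n, weight, rng):
    """Ternary polynomial of length n with exactly `weight` non-zero coefficients."""
    coeffs = [0] * n
    for idx in rng.sample(range(n), weight):
        coeffs[idx] = rng.choice((1, -1))
    return coeffs


def weight(key):
    """Number of non-zero coefficients ('number of ones' in the paper's wording)."""
    return sum(1 for c in key if c != 0)


def keys_sorted_by_weight(count, n, seed):
    """Random keys of random weight, sorted by increasing weight as in the experiment."""
    rng = make_rng(seed)
    keys = [random_ternary_key(n, rng.randint(1, n), rng) for _ in range(count)]
    return sorted(keys, key=weight)


def variable_time_mul(key, msg, q):
    """Sparse convolution that skips zero coefficients: the amount of work,
    and hence the timing, grows with the key's weight."""
    n = len(key)
    out = [0] * n
    for i, k in enumerate(key):
        if k == 0:
            continue
        for j, m in enumerate(msg):
            out[(i + j) % n] = (out[(i + j) % n] + k * m) % q
    return out


def uniform_time_mul(key, msg, q):
    """Same product, but every coefficient is processed whatever its value,
    so the work done does not depend on the key's weight."""
    n = len(key)
    out = [0] * n
    for i, k in enumerate(key):
        for j, m in enumerate(msg):
            out[(i + j) % n] = (out[(i + j) % n] + k * m) % q
    return out


def mean_time_ns(fn, key, msg, q, calls):
    """Average wall-clock time of `calls` invocations (the paper used CPU clocks)."""
    samples = []
    for _ in range(calls):
        t0 = time.perf_counter_ns()
        fn(key, msg, q)
        samples.append(time.perf_counter_ns() - t0)
    return statistics.mean(samples)


def pearson(xs, ys):
    """Pearson correlation coefficient (assumed to be the paper's coefficient)."""
    mx, my = statistics.mean(xs), statistics.mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def weight_time_correlation(fn, keys, msg, q, calls):
    """Correlation between key weight and mean execution time over the key set."""
    weights = [weight(k) for k in keys]
    times = [mean_time_ns(fn, k, msg, q, calls) for k in keys]
    return pearson(weights, times)


if __name__ == "__main__":
    keys = keys_sorted_by_weight(200, N, seed=2019)
    msg = [make_rng(7).randrange(Q) for _ in range(N)]   # constructed message polynomial
    for name, fn in (("variable-time", variable_time_mul), ("uniform-time", uniform_time_mul)):
        r = weight_time_correlation(fn, keys, msg, Q, 20)
        print(f"{name:14s} correlation(weight, time) = {r:+.3f}")
```

On a quiet machine the variable-time routine shows a correlation close to +1, while the uniform-time routine stays near zero; residual values of the order reported in the paper (0.1-0.15) are what scheduler noise and cache effects produce when the code itself does no key-dependent work. Interpreted Python cannot be made constant-time in the strict sense, so the harness illustrates the measurement method rather than certifying an implementation; for a real library the same correlation is computed over cycle counts of the actual encapsulation and decapsulation calls.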

Conclusions
The main problems in asymmetric cryptography are the development of asymmetric cryptographic transformations such as KEMs that are secure against both classical and quantum attacks, and the construction of system-wide parameters for security levels 5-7 [7,8].
Of particular relevance is providing resistance to side-channel attacks, which requires a fundamentally new approach to testing cryptographic solutions for constant-time behaviour, as well as analysing existing standards for vulnerability to this class of attacks and for countermeasures.
The national standard DSTU 8961:2019 was studied for resistance to side-channel attacks. The KEM algorithms specified in DSTU 8961:2019 are protected from side-channel attacks when implemented correctly and accurately, which has been confirmed experimentally.
The security level has a direct impact on performance, so it is important to choose a sufficient security level for the target device; for smart cards and tokens it may be reasonable to choose a lower level. The article presents the dependence of performance on the security level.
Using key encapsulation together with encryption allows symmetric keys, such as AES keys, to be established, which increases the speed of secure data transfer over communication channels.