| From:    | Liu, Yi-Kai (Fed)                                                                                                      |
|----------|------------------------------------------------------------------------------------------------------------------------|
| To:      | Perlner, Ray A. (Fed); Moody, Dustin (Fed); internal-pgc                                                               |
| Subject: | Re: 3rd Draft response to Kyber (A few minor editorial changes for grammar, plus a slight expansion of the conclusion) |
| Date:    | Tuesday, June 9, 2020 1:04:35 AM                                                                                       |

Hey--

Unfortunately I won't be able to call in to tomorrow's meeting, but here are a few comments:

1. I think we should take Ray's last paragraph ("So what does that mean for NIST's decisions...") and make that the beginning of our response. I feel that that paragraph summarizes our main message: memory costs can be a significant factor in estimating security, but be careful...

I think the Kyber team is probably being sufficiently cautious with their estimate, but it is not easy to provide a rigorous justification.

2. Maybe we should add some more explanation regarding this sentence:

"Overall, we think it's fairly easy to justify treating a random access query for b consecutive bits in a memory of size N as equivalent to a circuit with depth  $N^{(1/3)}$ , and using  $\log(N)(b+\log(N))$  gates."

In particular, maybe we need to explain how a circuit can have such large depth with so few gates? I think the answer is that the "depth" counts the length of the wires, not the number of gates? This is not the usual meaning of circuit depth, however, so we should probably explain.

Also, maybe we should explain that the  $N^{(1/3)}$  factor comes from the 3-D layout of the memory. This 3-D layout is mentioned earlier, but maybe we should mention it again here.

3. I think it's difficult to estimate the cost of memory, because there are a lot of different memory technologies (e.g., RAM versus flash versus hard disks), with different costs (varying by a factor of 2^20), and different performance (depending on how you use them, e.g., reading versus writing, and random versus sequential access).

When there are so many different memory technologies, it is harder to see what are the fundamental physical limits. To put this in perspective, I think it's easier to estimate the cost of computation (i.e., logical gates), because there's one dominant technology for that, CMOS silicon chips. I also think it's much easier to estimate the cost of long-distance communication, because there's one dominant technology for that too, namely optical fiber. But for memory technologies, the situation is a lot less clear. If I had to guess, I would say that the ideal memory technology would combine both CMOS and photonics -- and has not been invented yet.

Anyway, that's my two cents...

Cheers,

--Yi-Kai

I think I might as well wait until after the meeting: Here's the updated text of my response (with Daniel A's edits to the very end):

From: Perlner, Ray A. (Fed) <ray.perlner@nist.gov>

Sent: Monday, June 8, 2020 4:40 PM

To: Moody, Dustin (Fed); internal-pqc

Subject: RE: 3rd Draft response to Kyber (A few minor editorial changes for grammar, plus a slight expansion of the conclusion)

Dear Kyber team (And Dan and whoever else is listening) Thank you for these details regarding the Kyber team's approach to security estimates.

The Kyber team asks:

"We are very curious to learn about the position that NIST takes on this and more generally on the importance of the gate-count metric for attacks that require access to large memories"

We would like to preface our response by noting that all 5 security categories are designed to be well beyond the reach of any current technology that could be employed to implement a computational attack. The reason we distinguish among security levels beyond what's currently feasible is as a hedge against improvements in both technology and cryptanalysis. In order to be a good hedge against technology improvements, a model must be realistic, not just for current technology, but for future technology (otherwise we wouldn't consider quantum attacks at all.) This means that we should be more convinced by hard physical limits than the particular limitations of current technology (although if something is difficult for current technology there often is a fundamental physical reason why, even if it's not obvious.) As a hedge against improvements in cryptanalysis, it's not 100% clear that a realistic model of computation, even for future technology, is optimal in providing that hedge. The more complicated a model of computation is, the harder it is to optimize an attack for that model, and the less certain we can be that we are truly measuring the best attacks in that model. As such, the gate model has the virtue of being simpler and easier to analyze than more realistic models.

With that said, let's assume we are aiming for a realistic model of computation.

There are a number of ways that memory intensive attacks might incur costs beyond what's suggested by the basic gate model

First of all, there is the sheer cost of hardware. This is what seems to be alluded to by the Kyber team's observation that

"For a fun sense of scale: a micro-SD card has a  $2^{3.5}$  mm<sup>2</sup> footprint (if you stand it on the short end). A planar sheet of terabyte micro-SD cards the size of New York City (all five boroughs, 800 km<sup>2</sup> ~  $2^{49.5}$  mm<sup>2</sup>) would hold  $2^{89}$  bits."

This sounds quite impressive, but note that if we were to try to perform 2^143 bit operations with current hardware, we could for example invest in high-end bitcoin mining equipment. By our calculations, a planar array of high-end mining boxes could cover New York city 30 times over and still take 10000 years to perform 2^143 bit operations (Assuming you can dissipate all the heat involved somehow.) Moreover, this equipment would need to be powered by an array of solar cells (operating at 20% efficiency) covering all of North America. As such, we are unconvinced based on hardware costs alone that 2^89 bits of memory is enough to push an attack above level 1.

A second way memory could incur costs is latency. A number of submitters have pointed out that information cannot travel faster than the speed of light, and we are inclined to agree. However, some have gone further and suggested that memory must be arranged in a 2-dimensional fashion. We are unconvinced, as modern supercomputers tend to use a meaningfully 3-dimensional arrangement of components (although the components themselves tend to be 2-dimensional.) It's also worth noting that sending data long distance can be done at near light speed, (e.g. via fiber optics), but data travels somewhat slower over short distances in most technology we are aware of.

Finally, there is energy cost. Accessing far-away memory tends to cost more energy than nearby memory. One might in fact argue that what gate cost is really trying to measure is energy consumption. Some submitters have advocated modeling this by using a gate model of computation where only local nearest neighbor interactions are allowed. This however, seems potentially too pessimistic, because we would be modeling things like long distance fiber optic connections by a densely packed series of gates. It seems clear that sending a bit over a kilometer of fiber optic, while more expensive than sending a bit through a single gate is less expensive than sending a bit through a densely packed series of gates a kilometer long. There is also at least a logarithmic gate cost in the literal sense, since you need logarithmically many branch points to get data to and from the right memory address. For random

access queries to extremely small amounts of data, the cost per bit gets multiplied by a logarithmic factor since you need to send the address of the data a good portion of the way, but the algorithms in question are generally accessing consecutive chunks of memory larger than the memory address, so we can probably only assume that random access queries have a log-memory-size cost per bit as opposed to a log^2-memory-size cost per bit, at least based on this particular consideration.

Overall, we think it's fairly easy to justify treating a random access query for b consecutive bits in a memory of size N as equivalent to a circuit with depth  $N^{(1/3)}$ , and using  $\log(N)(b+\log(N))$  gates. (Assuming that the random access query can't be replaced with a cheaper local nearest neighbor circuit.) This is almost certainly an underestimate, but it's somewhat difficult to justify treating memory as much more expensive than this, without making assumptions about future technology that might be wrong.

So what does that mean for NIST's decisions? We recognize that, given known attacks, lattice schemes like Kyber are most likely to have their security underestimated by the nonlocal gate model as compared to a more realistic memory model. However, without very rigorous analysis, it is a bit difficult to say by how much. In cases where we think the possible attack space is well explored, and the gate model cost of all known attacks can be shown to be very close to that of breaking AES or SHA at the appropriate level, and the attacks in question can be shown to need a lot of random access queries to a large memory, we're currently inclined to give submitters the benefit of the doubt that memory costs can cover the difference. To the extent any of those assumptions do not hold (e.g. if the gate cost isn't very close to what it should be ignoring memory costs) we're less inclined. We're planning on doing a more thorough internal review of this issue early in the third round. If we think the security of a parameter set falls short of what it should be, but we still like the scheme, we will most likely respond by asking the submitters to alter the parameters to increase the security margin, or to provide a higher security parameter set, but we would prefer not to have to do this.

As always, we warmly encourage more feedback and community discussion.

Thank you, NIST PQC team

From: Moody, Dustin (Fed) <dustin.moody@nist.gov> Sent: Monday, June 8, 2020 2:57 PM To: Perlner, Ray A. (Fed) <ray.perlner@nist.gov> Subject: Re: 2nd Draft response to Kyber (A few minor editorial changes for grammar, plus a slight expansion of the conclusion)

## Ray,

Do you think we have enough approval from the group to respond? or should we wait til our meeting tomorrow to discuss. I haven't heard Gorjan or Yi-Kai comment, which I would be interested in.

## Dustin

From: Perlner, Ray A. (Fed) <ray.perlner@nist.gov<mailto:ray.perlner@nist.gov>>>

<angela.robinson@nist.gov<mailto:angela.robinson@nist.gov>>; Smith-Tone, Daniel C. (Fed)

<daniel.smith@nist.gov<<u>mailto:daniel.smith@nist.gov</u>>>; internal-pqc@nist.gov<<u>mailto:internal-pqc@nist.gov</u>>>

Subject: RE: 2nd Draft response to Kyber (A few minor editorial changes for grammar, plus a slight expansion of the conclusion)

Sent: Monday, June 8, 2020 2:54 PM

To: Moody, Dustin (Fed) <dustin.moody@nist.gov<<u>mailto:dustin.moody@nist.gov</u>>>; Dang, Quynh H. (Fed) <quynh.dang@nist.gov<<u>mailto:quynh.dang@nist.gov</u>>>; Robinson, Angela Y. (Fed)

How about the following at the end?

"As always, we encourage more feedback and community discussion. Thanks again.

NIST pqc team"

From: Moody, Dustin (Fed) <dustin.moody@nist.gov<<u>mailto:dustin.moody@nist.gov</u>>> Sent: Monday, June 8, 2020 10:54 AM

To: Perlner, Ray A. (Fed) <ray.perlner@nist.gov<<u>mailto:ray.perlner@nist.gov</u>>>; Dang, Quynh H. (Fed)

<quynh.dang@nist.gov<<u>mailto:quynh.dang@nist.gov</u>>>; Robinson, Angela Y. (Fed)

<angela.robinson@nist.gov<mailto:angela.robinson@nist.gov>>; Smith-Tone, Daniel C. (Fed)

<daniel.smith@nist.gov<<u>mailto:daniel.smith@nist.gov</u>>>; internal-pqc@nist.gov<<u>mailto:internal-pqc@nist.gov</u>>>

Subject: Re: 2nd Draft response to Kyber (A few minor editorial changes for grammar, plus a slight expansion of the conclusion)

I like the response.

Should we add in a line at the end that we would appreciate feedback and hope to encourage more community discussion?

Dustin

Dear Kyber team (And Dan and whoever else is listening)

Thank you for these details regarding the Kyber team's approach to security estimates.

From: Perlner, Ray A. (Fed) <ray.perlner@nist.gov<<u>mailto:ray.perlner@nist.gov</u>>> Sent: Monday, June 8, 2020 10:14 AM

To: Dang, Quynh H. (Fed) <quynh.dang@nist.gov<<u>mailto:quynh.dang@nist.gov</u>>>; Robinson, Angela Y. (Fed) <angela.robinson@nist.gov<<u>mailto:angela.robinson@nist.gov</u>>>; Smith-Tone, Daniel C. (Fed)

<sup>&</sup>lt;daniel.smith@nist.gov<<u>mailto:daniel.smith@nist.gov</u>>>; internal-pqc@nist.gov<<u>mailto:internal-pqc@nist.gov</u>>>

Subject: RE: 2nd Draft response to Kyber (A few minor editorial changes for grammar, plus a slight expansion of the conclusion)

The Kyber team asks:

"We are very curious to learn about the position that NIST takes on this and more generally on the importance of the gate-count metric for attacks that require access to large memories"

We would like to preface our response by noting that all 5 security categories are designed to be well beyond the reach of any current technology that could be employed to implement a computational attack. The reason we distinguish among security levels beyond what's currently feasible is as a hedge against improvements in both technology and cryptanalysis. In order to be a good hedge against technology improvements, a model must be realistic, not just for current technology, but for future technology (otherwise we wouldn't consider quantum attacks at all.) This means that we should be more convinced by hard physical limits than the particular limitations of current technology (although if something is difficult for current technology there often is a fundamental physical reason why, even if it's not obvious.) As a hedge against improvements in cryptanalysis, it's not 100% clear that a realistic model of computation, even for future technology, is optimal in providing that hedge. The more complicated a model of computation is, the harder it is to optimize an attack for that model, and the less certain we can be that we are truly measuring the best attacks in that model. As such, the gate model has the virtue of being simpler and easier to analyze than more realistic models.

With that said, let's assume we are aiming for a realistic model of computation.

There are a number of ways that memory intensive attacks might incur costs beyond what's suggested by the basic gate model

First of all, there is the sheer cost of hardware. This is what seems to be alluded to by the Kyber team's observation that

"For a fun sense of scale: a micro-SD card has a  $2^{3.5}$  mm<sup>2</sup> footprint (if you stand it on the short end). A planar sheet of terabyte micro-SD cards the size of New York City (all five boroughs, 800 km<sup>2</sup> ~  $2^{49.5}$  mm<sup>2</sup>) would hold  $2^{89}$  bits."

This sounds quite impressive, but note that if we were to try to perform 2^143 bit operations with current hardware, we could for example invest in high-end bitcoin mining equipment. By our calculations, a planar array of high-end mining boxes could cover New York city 30 times over and still take 10000 years to perform 2^143 bit operations (Assuming you can dissipate all the heat involved somehow.) Moreover, this equipment would need to be powered by an array of solar cells (operating at 20% efficiency) covering all of North America. As such, we are unconvinced based on hardware costs alone that 2^89 bits of memory is enough to push an attack above level 1.

A second way memory could incur costs is latency. A number of submitters have pointed out that information cannot travel faster than the speed of light, and we are inclined to agree. However, some have gone further and suggested that memory must be arranged in a 2-dimensional fashion. We are unconvinced, as modern

supercomputers tend to use a meaningfully 3-dimensional arrangement of components (although the components themselves tend to be 2-dimensional.) It's also worth noting that sending data long distance can be done at near light speed, (e.g. via fiber optics), but data travels somewhat slower over short distances in most technology we are aware of.

Finally, there is energy cost. Accessing far-away memory tends to cost more energy than nearby memory. One might in fact argue that what gate cost is really trying to measure is energy consumption. Some submitters have advocated modeling this by using a gate model of computation where only local nearest neighbor interactions are allowed. This however, seems potentially too pessimistic, because we would be modeling things like long distance fiber optic connections by a densely packed series of gates. It seems clear that sending a bit over a kilometer of fiber optic, while more expensive than sending a bit through a single gate is less expensive than sending a bit through a densely packed series of gates a kilometer long. There is also at least a logarithmic gate cost in the literal sense, since you need logarithmically many branch points to get data to and from the right memory address. For random access queries to extremely small amounts of data, the cost per bit gets multiplied by a logarithmic factor since you need to send the address of the data a good portion of the way, but the algorithms in question are generally accessing consecutive chunks of memory larger than the memory address, so we can probably only assume that random access queries have a log-memory-size cost per bit as opposed to a log^2-memory-size cost per bit, at least based on this particular consideration.

Overall, we think it's fairly easy to justify treating a random access query for b consecutive bits in a memory of size N as equivalent to a circuit with depth  $N^{(1/3)}$ , and using  $\log(N)(b+\log(N))$  gates. (Assuming that the random access query can't be replaced with a cheaper local nearest neighbor circuit.) This is almost certainly an underestimate, but it's somewhat difficult to justify treating memory as much more expensive than this, without making assumptions about future technology that might be wrong.

So what does that mean for NIST's decisions? We recognize that, given known attacks, lattice schemes like Kyber are the category most likely to have their security underestimated by the nonlocal gate model as compared to a more realistic memory model. However, without very rigorous analysis, it is a bit difficult to say by how much. In cases where we think the possible attack space is well explored, and the gate model cost of all known attacks can be shown to be very close to that of breaking AES or SHA at the appropriate level, and the attacks in question can be shown to need a lot of random access queries to a large memory, we're currently inclined to give submitters the benefit of the doubt that memory costs can cover the difference. To the extent any of those assumptions do not hold (e.g. if the gate cost isn't very close to what it should be ignoring memory costs) we're less inclined. We're planning on doing a more thorough internal review of this issue early in the third round. If we think the security of a parameter set falls short of what it should be, but we still like the scheme, we will most likely respond by asking the submitters to alter the parameters to increase the security margin, or to provide a higher security parameter set, but we would prefer not to have to do this.

NIST pqc team

From: Dang, Quynh H. (Fed) <quynh.dang@nist.gov<<u>mailto:quynh.dang@nist.gov</u>>> Sent: Saturday, June 6, 2020 8:34 AM

To: Robinson, Angela Y. (Fed) <angela.robinson@nist.gov<<u>mailto:angela.robinson@nist.gov</u>>>; Smith-Tone, Daniel C. (Fed) <daniel.smith@nist.gov<<u>mailto:daniel.smith@nist.gov</u>>>; Perlner, Ray A. (Fed) <ray.perlner@nist.gov<<u>mailto:ray.perlner@nist.gov</u>>>; internal-pqc@nist.gov<<u>mailto:internal-</u>

pqc@nist.gov>>
Subject: Re: Draft response to Kyber

Hi all,

I like Ray's conclusion at the end.

But, I am not sure I like " the attacks in question can be shown to need a lot of random access queries to a large memory, we're inclined to give submitters the benefit of the doubt that memory costs can cover the difference." because we did not say that in our call for proposal. I guess many algorithms could have been designed differently to improve their performances if their authors knew that up front.

Also, the immediate question is what difference and what memory cost are comparable ?

For the phrase: " If we think the security of a parameter set falls short of what it should be", how short for each security level is acceptable?

I guess the former can have a good answer. I am afraid that the latter is hard to answer.

Quynh.

To: Smith-Tone, Daniel C. (Fed) <daniel.smith@nist.gov<<u>mailto:daniel.smith@nist.gov</u>>>; Perlner, Ray A. (Fed) <ray.perlner@nist.gov<<u>mailto:ray.perlner@nist.gov</u>>>; internal-pqc@nist.gov<<u>mailto:internal-pqc@nist.gov</u>>>

Subject: RE: Draft response to Kyber

The only distracting line I caught was: "The more complicated a model of computation is, the harder it is to optimize an attack for that model, and the less certain we can be we are truly measuring..."

Maybe insert a "that": "...and the less certain we can be [that] we are truly measuring..."

I'm assuming the typos can wait. I didn't want to go through them all now since the content may change.

From: Robinson, Angela Y. (Fed) <angela.robinson@nist.gov<<u>mailto:angela.robinson@nist.gov</u>>> Sent: Friday, June 5, 2020 6:57 PM

Angela

Sent from Mail<<u>https://go.microsoft.com/fwlink/?LinkId=550986</u>> for Windows 10

From: Smith-Tone, Daniel C. (Fed)<<u>mailto:daniel.smith@nist.gov</u>> Sent: Friday, June 5, 2020 6:17 PM To: Perlner, Ray A. (Fed)<<u>mailto:ray.perlner@nist.gov</u>>; internal-pqc<u>mailto:internal-pqc@nist.gov</u>> Subject: RE: Draft response to Kyber

I like it. Spotted a grammar mistake somewhere but I forgot where now. Someone else will spot it, because it is distracting.

From: Perlner, Ray A. (Fed) <ray.perlner@nist.gov<<u>mailto:ray.perlner@nist.gov</u>>> Sent: Friday, June 5, 2020 6:05 PM To: internal-pqc@nist.gov<<u>mailto:internal-pqc@nist.gov</u>>> Subject: Draft response to Kyber

Dear Kyber team (And Dan and whoever else is listening)

Thank you for these details regarding the Kyber team's approach to security estimates.

The Kyber team asks:

"We are very curious to learn about the position that NIST takes on this and more generally on the importance of the gate-count metric for attacks that require access to large memories"

We would like to preface our response by noting that all 5 security categories are designed to be well beyond the reach of any current technology that could be employed to implement a computational attack. The reason we distinguish among security levels beyond what's currently feasible is as a hedge against improvements in both technology and cryptanalysis. In order to be a good hedge against technology improvements, a model must be realistic, not just for current technology, but for future technology (otherwise we wouldn't consider quantum attacks at all.) This means that we should be more convinced by hard physical limits, than the particular limitations of current technology (although if something is difficult for current technology there often is a fundamental physical reason why, even if it's not obvious.) As a hedge against improvements in cryptanalysis, it's not 100% clear that a realistic model of computation, even for future technology, is optimal in providing that hedge. The more complicated a model of computation is, the harder it is to optimize an attack for that model, and the less certain we can be we are truly measuring the best attacks in that model. As such, the gate model has the virtue of being simpler and easier to analyze than more realistic models.

With that said, let's assume we are aiming for a realistic model of computation.

There are a number of ways that memory intensive attacks might incur costs beyond what's suggested by the basic gate model

First of all, there is the sheer cost of hardware. This is what seems to be alluded to by the Kyber team's observation that

"For a fun sense of scale: a micro-SD card has a  $2^{3.5}$  mm<sup>2</sup> footprint (if you stand it on the short end). A planar sheet of terabyte micro-SD cards the size of New York City (all five boroughs, 800 km<sup>2</sup> ~  $2^{49.5}$  mm<sup>2</sup>) would hold  $2^{89}$  bits."

This sounds quite impressive, but note that if we were to try to perform 2<sup>143</sup> bit operations with current hardware, we could for example invest in high end bitcoin mining equipment. By our calculations, a planar array of high end mining boxes could cover New York city 30 times over and still take 10000 years to perform 2<sup>143</sup> bit operations (Assuming you can dissipate all the heat involved somehow.) Moreover, this equipment would need to be powered by an array of solar cells (operating a 20% efficiency) covering all of North America. As such, we are unconvinced based on hardware costs alone that 2<sup>89</sup> bits of memory is enough to push an attack above level 1.

A second way memory could incur costs is latency. A number of submitters have pointed out that information cannot travel faster than the speed of light, and we are inclined to agree. However, some have gone further and suggested that memory must be arranged in a 2 dimensional fashion. We are unconvinced, as modern supercomputers tend to use a meaningfully 3 dimensional arrangement of components (although the components themselves tend to be 2 dimensional.) It's also worth noting that sending data long distance can be done at near light speed, (e.g. via fiber optics), but data travels somewhat slower over short distances in most technology we are aware of.

Finally, there is energy cost. Accessing far-away memory tends to cost more energy than nearby memory. One might in fact argue that what gate cost is really trying to measure is energy consumption. Some submitters have advocated modeling this by using a gate model of computation where only local nearest neighbor interactions are allowed. This however, seems potentially too pessimistic, because we would be modeling things like long distance fiber optic connections by a densely packed series of gates. It seems clear that sending a bit over a kilometer of fiber optic, while more expensive than sending a bit through a single gate is less expensive than sending a bit through a densely packed series of gates a kilometer long. There is also at least a logarithmic gate cost in the literal sense, since you need logarithmically many branch points to get data to and from the right memory address. For random access queries to extremely small amounts of data, the cost per bit gets multiplied by a logarithmic factor since you need to send the address of the data a good portion of the way, but the algorithms in question are generally accessing consecutive chunks of memory larger than the memory address, so we can probably only assume that random access queries have a log-memory-size cost per bit as opposed to a log^2-memory-size cost per bit, at least based on this particular consideration.

Overall, we think it's fairly easy to justify treating a random access query for b consecutive bits in a memory of size N as equivalent to a circuit with depth  $N^{(1/3)}$ , and using  $\log(N)(b+\log(N))$  gates. (Assuming that the random access query can't be replaced with a cheaper local nearest neighbor circuit.) This is almost certainly an underestimate, but it's somewhat difficult to justify treating memory as much more expensive than this, without making assumptions about future technology that might be wrong.

So what does that mean for NIST's decisions? We recognize that, given known attacks, lattice schemes like Kyber are most likely to have their security underestimated by the gate model as compared to a more realistic memory model. However, without very rigorous analysis, it is a bit difficult to say by how much. In cases where we think the possible attack space is well explored, and the gate model cost of all known attacks can be shown to be very close to that of breaking AES or SHA at the appropriate level, and the attacks in question can be shown to need a lot of random access queries to a large memory, we're inclined to give submitters the benefit of the doubt that memory costs can cover the difference. To the extent any of those assumptions do not hold (e.g. if the gate cost isn't very close to what it should be ignoring memory costs) we're less inclined. If we think the security of a parameter set falls short of what it should be, but we still like the scheme, we will most likely respond by asking the submitters to alter the parameters to increase the security margin, or to provide a higher security parameter set.

NIST pqc team