# Concrete Complexities

In [1]:
from math import inf, comb as binom, log2, factorial
from cryptographic_estimators.SDFqEstimator import SDFqEstimator

def gv_distance(n,k,q):
    """
    Gilbert - Varshamov distance of a code over Fq, with length n and dimension k
    """
    d = 1
    right_term = q**(n-k)
    left_term = 0
    while left_term <= right_term:
        left_term += binom(n,d)*(q-1)**d
        d+=1

    return d

def prob(n,k,w,ell):
    """
    probability of intersection of the support of two random weight w codwors beeing larger than ell
    """
    return log2(sum([binom(w,i)*binom(n-w,w-i)/binom(n,w) for i in range(ell,ell+20)]))

def time_new(n,k,q, verbose=1, lowerbound=-1, output_all_data=0):
    """
    Concrete time complexity of 
    - Algorithm 4 (lowerbound=-1)
    - Lowerbound for codeword-finding based algorithms(lowerbound=1)
    - Semi-Lowerbound assuming |Z|<|V| (lowerbound = 0)    
    """
    mini=100000000
    prev=2**12
    wmin=gv_distance(n,k,q)
    for w in range(wmin,n-k):
        ell=int(w**2/n)  
        Nw =log2(binom(n,w))+log2(q-1)*w-log2(q)*(n-k)
        pr=prob(n,k,w,ell)
        
        # required number of codewords
        codewords = Nw/2+0.5-log2(q-1)/2-pr/2 
        
        # time to find codewords
        time_codeword_finding = SDFqEstimator(n,k,w,q).fastest_algorithm().time_complexity()+codewords+1
        
        # list size of all pairs
        list_of_pairs =2*codewords
        
        # meet in the middle on scalar
        list_of_pairs +=  log2(q-1)/2

        # upper bound on Z
        perms = log2(factorial(ell))
        result_list =max(0,2*list_of_pairs+perms-ell*log2(q-1))


        time_monomial_reconstruction = log2(n)*4
        field_operation = log2(log2(q))*2
        time_per_pair = log2(2*(n+ell))
        if lowerbound == -1:
            #regular algorithm
            time_recovery =  field_operation + max(result_list + time_monomial_reconstruction,list_of_pairs+ time_per_pair)
            # print(time_recovery)
        elif lowerbound ==0:
            #compatibility linear
            time_recovery = field_operation + list_of_pairs+ time_per_pair
        elif lowerbound ==1:
            #lower bound
            time_recovery = field_operation + codewords + log2(n)
                                                             
        tmp = max(time_codeword_finding,time_recovery)
        
        #early abort
        if tmp>prev:
            break
        else:
            prev=tmp
            
        if tmp<mini:
            mini=tmp
            par=w
            times = time_codeword_finding,time_recovery,result_list+time_monomial_reconstruction,result_list
            paramint=w,codewords,list_of_pairs,result_list,time_monomial_reconstruction,time_per_pair, SDFqEstimator(n,k,w,q,nsolutions=0).stern.time_complexity()-Nw,time_recovery,mini

    if verbose:
        print(mini,times, par)
    return mini

In [2]:
def cf_mitm_concrete(n,k,q):
    """
    Concrete complexity of CFMITM algorithm
    """
    return log2(binom(n,n-k))/2+log2(k)*2 + log2(n)+2*log2(log2(q))

### LCE instances

In [None]:
from cryptographic_estimators.LEEstimator import LEEstimator
from prettytable import PrettyTable
def ri(x):
    if x == inf:
        return "-"
    return int(round(x))

row_header = ["(n,k,q)","CFMITM","Leon","Beullens","BBPS", "New"]
t = PrettyTable(row_header)

for par in [[252,126,127],[400,200,127],[548,274,127],[198,94,251]]:
    n,k,q=par
    new = time_new(n,k,q,verbose=0,lowerbound=-1)
    low0 = time_new(n,k,q,verbose=0,lowerbound=0)
    low1 = time_new(n,k,q,verbose=0,lowerbound=1)
    
    A=LEEstimator(n,k,q)
    beu = A.beullens.time_complexity()
    leo = A.leon.time_complexity()
    bbps = A.bbps.time_complexity()
    cf = cf_mitm_concrete(n,k,q)
        
    name = params= "("+str(n)+","+str(k)+","+str(q)+")"
    row = [name,ri(cf),ri(leo),ri(beu),ri(bbps),ri(new)]
    t.add_row(row)

print(t)

### Permutation Equivalence Instances

In [None]:
from cryptographic_estimators.PEEstimator import PEEstimator

perm_eq= [[252,126,127],[400,200,127],[548,274,127],[235,108,251],[230,115,127]]
row_header = ["(n,k,q)","CFMITM","Leon","Beullens", "New"]
t = PrettyTable(row_header)

for i in perm_eq:
    n,k,q=i
    
    new = time_new(n,k,q,verbose=0,lowerbound=-1)
    low0 = time_new(n,k,q,verbose=0,lowerbound=0)
    low1 = time_new(n,k,q,verbose=0,lowerbound=1)
    
    A=PEEstimator(n,k,q)
    beu = A.beullens.time_complexity()
    leo = A.leon.time_complexity()
    cf = cf_mitm_concrete(n,k,q)

    name= "("+str(n)+","+str(k)+","+str(q)+")"
    row =[name,ri(cf),ri(leo),ri(beu),ri(new)]
    t.add_row(row)
print(t)

### Plot Concrete Complexities

In [None]:
Lnew=[]
Llow1=[]
Llow0=[]
Lbeu=[]
Lleo=[]
Lbbps=[]
Lcf=[]

n=252
k=126

for i in range(5,250,2):
    new = time_new(n,k,i,verbose=0,lowerbound=-1)
    low0 = time_new(n,k,i,verbose=0,lowerbound=0)
    low1 = time_new(n,k,i,verbose=0,lowerbound=1)
    Lnew.append([i,new])
    Llow0.append([i,low0])
    Llow1.append([i,low1])
    
    A=LEEstimator(n,k,i)
    beu = A.beullens.time_complexity()
    leo = A.leon.time_complexity()
    bbps = A.bbps.time_complexity()
    Lbeu.append([i,beu])
    Lleo.append([i,leo])
    Lbbps.append([i,bbps])
    
    cf = cf_mitm_concrete(n,k,i)
    Lcf.append([i,cf])

In [None]:
Lbeu= [[j[0],j[1]] for j in Lbeu if j[1]!=inf]
Lbbps= [[j[0],j[1]] for j in Lbbps if j[1]!=inf]

In [None]:
import matplotlib.pyplot as plt
def plot(L,label_list):
    """
    function to plot list of lists of the form L=[L1,L2,...] with Li=[[x1,y1],[x2,y2],...]
    """
    c=0
    for Li in L:
        x,y=zip(*Li)
        plt.scatter(x,y, label=label_list[c],s=1)
        c+=1
    plt.legend(bbox_to_anchor=(1.05, 1), loc='upper left')
    
plot([Lnew,Llow1,Llow0,Lleo,Lbeu,Lbbps,Lcf],["New","Lowerbound", "Semi-Lowerbound","Leon","Beullens","BBPS","CFMITM"])