In [228]:
import sys
Rfloat = RealField(1024)

In [229]:
# SDitH parameters
# v1.0
SDitH_L1_gf256_v10 = 256, 230, 126, 79, 1, "SDitH_L1_gf256_v10"
SDitH_L1_gf251_v10 = 251, 230, 126, 79, 1, "SDitH_L1_gf251_v10"
SDitH_L3_gf256_v10 = 256, 352, 193, 120, 2, "SDitH_L3_gf256_v10"
SDitH_L3_gf251_v10 = 251, 352, 193, 120, 2, "SDitH_L3_gf251_v10"
SDitH_L5_gf256_v10 = 256, 480, 278, 150, 2, "SDitH_L5_gf256_v10"
SDitH_L5_gf251_v10 = 251, 480, 278, 150, 2, "SDitH_L5_gf251_v10"

# v1.1
SDitH_L1_gf256_v11 = 256, 242, 126, 87, 1, "SDitH_L1_gf256_v11"
SDitH_L1_gf251_v11 = 251, 242, 126, 87, 1, "SDitH_L1_gf251_v11"
SDitH_L3_gf256_v11 = 256, 376, 220, 114, 2, "SDitH_L3_gf256_v11"
SDitH_L3_gf251_v11 = 251, 376, 220, 114, 2, "SDitH_L3_gf251_v11"
SDitH_L5_gf256_v11 = 256, 494, 282, 156, 2, "SDitH_L5_gf256_v11"
SDitH_L5_gf251_v11 = 251, 494, 282, 156, 2, "SDitH_L5_gf251_v11"

SDitH_params_v10 = [SDitH_L1_gf256_v10, 
                SDitH_L1_gf251_v10, 
                SDitH_L3_gf256_v10, 
                SDitH_L3_gf251_v10, 
                SDitH_L5_gf256_v10, 
                SDitH_L5_gf251_v10]
SDitH_params_v11 = [SDitH_L1_gf256_v11, 
                SDitH_L1_gf251_v11, 
                SDitH_L3_gf256_v11, 
                SDitH_L3_gf251_v11, 
                SDitH_L5_gf256_v11, 
                SDitH_L5_gf251_v11]

In [230]:
# Complexity of Stern decoding for SDitH.
# Here, the number of solution is not considered.

def Stern_Complexity_SDitHspec(q, n, k, t, d, p, ell, verbose=False):
    TGauss = Rfloat(0.5*((n-k)*(n-k)*(n+k)))
    L1 = binomial(floor(k/2), p)*(q-1)^p
    L2 = binomial(k - floor(k/2), p)*(q-1)^p
    Tlists = Rfloat( (k/2 - p + 1 + L1 + L2)*ell )
    Ncols = Rfloat( L1 * L2 / (q^ell) )
    Tcheck = Rfloat( (q/(q-1))*(t-2*p+1)*2*p*(1+(q-2)/(q-1)) * Ncols )
        
    Psucc = Rfloat( L1 * L2 * binomial(n - k - ell, t - 2*p) / (binomial(n, t) * (q-1)^(2*p)) )
    dsplit = Rfloat( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) )
    T = dsplit*(TGauss +  Tlists + Tcheck)*log(q,2)/Psucc
    if verbose == True:
        print("q = ", q)
        print("n = ", n)
        print("k = ", k)
        print("t = ", t)
        print("d = ", d)
        print("p = ",p)
        print("l = ",ell)
        print("L1 = ", float(L1))
        print("L2 = ", float(L2))
        print("TGauss = ", float(TGauss))
        print("Tlists = ", float(Tlists))
        print("Ncols = ", float(Ncols))
        print("Tcheck = ", float(Tcheck))
        print("Psucc = ", float(Psucc))
        print("dsplit = ", float(dsplit))
        print("T = 2^", float(log(T,2)))
    return T

def Stern_opt_SDitHspec(q, n, k, t, d):
    T_min = oo
    p_min = 0
    ell_min = 0
    for p in range(min(floor(t/2), floor(k/2))):
        for ell in range(1,min(n-k, n-k+2*p-t)):
            T_cur = Stern_Complexity_SDitHspec(q, n, k, t, d, p, ell)
            if T_min > T_cur:
                T_min = T_cur
                p_min = p
                ell_min = ell
    
    Stern_Complexity_SDitHspec(q, n, k, t, d, p_min, ell_min, True)
    
    
for params in SDitH_params_v10+SDitH_params_v11:
    q, n, k, t, d, version = params
    print(version)
    Stern_opt_SDitHspec(q, n, k, t, d)
    print()
   

SDitH_L1_gf256_v10
q =  256
n =  230
k =  126
t =  79
d =  1
p =  1
l =  2
L1 =  16065.0
L2 =  16065.0
TGauss =  1925248.0
Tlists =  64386.0
Ncols =  3938.052749633789
Tcheck =  1231072.171875
Psucc =  1.685660154323889e-36
dsplit =  1.0
T = 2^ 143.45504332945762

SDitH_L1_gf251_v10
q =  251
n =  230
k =  126
t =  79
d =  1
p =  1
l =  2
L1 =  15750.0
L2 =  15750.0
TGauss =  1925248.0
Tlists =  63126.0
Ncols =  3937.4375009920477
Tcheck =  1230927.6334661355
Psucc =  1.685660154323889e-36
dsplit =  1.0
T = 2^ 143.44927314274398

SDitH_L3_gf256_v10
q =  256
n =  352
k =  193
t =  120
d =  2
p =  2
l =  5
L1 =  296514000.0
L2 =  302756400.0
TGauss =  6889072.5
Tlists =  2996352477.5
Ncols =  81646.71379709034
Tcheck =  76570582.2173059
Psucc =  6.733457741571941e-54
dsplit =  0.089497822120607
T = 2^ 207.67096117050832

SDitH_L3_gf251_v10
q =  251
n =  352
k =  193
t =  120
d =  2
p =  2
l =  5
L1 =  285000000.0
L2 =  291000000.0
TGauss =  6889072.5
Tlists =  2880000477.5
Ncols =  83247.

In [231]:
# Correction of the complexity of Stern decoding for SDitH.
# The number of solution is considered and we use the tighter lower bound for the d-split.

def Stern_Complexity_correction(q, n, k, t, d, p, ell, verbose=False):
    TGauss = Rfloat( ((q-1)/q)*(n-k)*(n-k)*(n+k+3) )
    L1 = binomial(floor(k/2), p)*(q-1)^(p)
    L2 = binomial(k - floor(k/2), p)*(q-1)^(p)
         
    Tlists = Rfloat( ell * (k - 2*p - 1 + L1 + L2) )
    Ncols = (L1*L2)/(q^ell)
    Tcheck = Rfloat( (q/(q-1))*(t-2*p+1)*2*p*(1+(q-2)/(q-1)) * Ncols )
    
    Ppart = Rfloat( L1 * L2 * binomial(n - k - ell, t - 2*p) / (binomial(n, t) * (q-1)^(2*p)) )
    Nsol = Rfloat( 1 + ((binomial(n, t) *(q-1)^(t) - 1) / (q^(n-k))) )
    Psucc = Rfloat( 1 - (1 - Ppart)^Nsol )
    dsplit = Rfloat( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) )
    dsplit *= Rfloat( binomial(n,t)*(q-1)^t + q^(n-k) - 1 )
    dsplit /= Rfloat( (binomial(floor(n/d),floor(t/d))^d)*(q-1)^t + q^(n-k) - 1 )
    
    T = dsplit*(TGauss + Tlists + Tcheck)*log(q,2)/Psucc
    if verbose == True:
        print("q = ", q)
        print("n = ", n)
        print("k = ", k)
        print("t = ", t)
        print("d = ", d)
        print("p = ",p)
        print("l = ",ell)
        print("L1 = ", float(L1))
        print("L2 = ", float(L2))
        print("TGauss = ", float(TGauss))
        print("Tlists = ", float(Tlists))
        print("Ncols = ", float(Ncols))
        print("Tcheck = ", float(Tcheck))
        print("Ppart = ", float(Ppart))
        print("Nsol = ", float(Nsol))
        print("Psucc = ", float(Psucc))
        print("dsplit = ", float(dsplit))
        print("  --> dsplit_old = ", float( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) ))
        print("T = 2^", float(log(T,2)))
    return T


def Stern_opt_correction(q, n, k, t, d):
    T_min = oo
    p_min = 0
    ell_min = 0
    for p in range(min(floor(t/2), floor(k/2))):
        for ell in range(1,min(n-k, n-k+2*p-t)):
            T_cur = Stern_Complexity_correction(q, n, k, t, d, p, ell)
            if T_min > T_cur:
                T_min = T_cur
                p_min = p
                ell_min = ell
    
    Stern_Complexity_correction(q, n, k, t, d, p_min, ell_min, True)
    
    
for params in SDitH_params_v10 + SDitH_params_v11:
    q, n, k, t, d, version = params
    print(version)
    Stern_opt_correction(q, n, k, t, d)
    print()
    

SDitH_L1_gf256_v10
q =  256
n =  230
k =  126
t =  79
d =  1
p =  1
l =  2
L1 =  16065.0
L2 =  16065.0
TGauss =  3867776.25
Tlists =  64506.0
Ncols =  3938.052749633789
Tcheck =  1231072.171875
Ppart =  1.685660154323889e-36
Nsol =  460.1899978103391
Psucc =  7.757239427272863e-34
dsplit =  1.0
  --> dsplit_old =  1.0
T = 2^ 135.2898890950291

SDitH_L1_gf251_v10
q =  251
n =  230
k =  126
t =  79
d =  1
p =  1
l =  2
L1 =  15750.0
L2 =  15750.0
TGauss =  3867474.103585657
Tlists =  63246.0
Ncols =  3937.4375009920477
Tcheck =  1230927.6334661355
Ppart =  1.685660154323889e-36
Nsol =  748.2539317431476
Psucc =  1.261301838055611e-33
dsplit =  1.0
  --> dsplit_old =  1.0
T = 2^ 134.5829729279018

SDitH_L3_gf256_v10
q =  256
n =  352
k =  193
t =  120
d =  2
p =  2
l =  5
L1 =  296514000.0
L2 =  302756400.0
TGauss =  13799870.859375
Tlists =  2996352940.0
Ncols =  81646.71379709034
Tcheck =  76570582.2173059
Ppart =  6.733457741571941e-54
Nsol =  412.35302958763623
Psucc =  2.776561699337

In [232]:
# Complexity of d-split Stern decoding for SDitH.

def dsplit_Stern_Complexity(q, n, k, t, d, p, ell, verbose=False):
    TGauss = Rfloat(((q-1)/q)*(n-k)*(n-k)*(n+k+3)) #to fix
    if (d==1):
        L1 = binomial(floor(k/2), p)*(q-1)^(p)
        L2 = binomial(k - floor(k/2), p)*(q-1)^(p)
    if (d==2):
        L1=binomial(floor(k/4), floor(p/2) )*binomial(floor(k/2)-floor(k/4), p-floor(p/2) )*(q-1)^(p)
        L2=binomial(floor(k/2)-floor(k/4), floor(p/2))*binomial(k-2*floor(k/2)+floor(k/4), p-floor(p/2) )*(q-1)^(p)
            
    Tlists = Rfloat( ell *(k/2-p+1 +(L1 + L2)))
    Ncols = (L1*L2)/(q^ell)
    Tcheck = Rfloat( (q/(q-1))*(t-2*p+1)*2*p*(1+(q-2)/(q-1)) * Ncols)
        

        
    if (d==1):
        Ppart = Rfloat( L1 * L2 * binomial(n - k - ell, t - 2*p) / (binomial(n, t)*(q-1)^(2*(p))  ))
        Nsol = Rfloat(1 + ((binomial(n, t) *(q-1)^(t)-1) / (q^(n-k))))
    if (d==2):
        Ppart = Rfloat( L1 * L2 * binomial(floor((n - k - ell)/2), floor((t - 2*p)/2))*binomial(n - k - ell-floor((n - k - ell)/2), (t - 2*p)-floor((t - 2*p)/2)) / ((binomial(n/2, t/2)^2)*(q-1)^(2*(p))  ))
        Nsol = Rfloat(1 + (( (binomial(n/2, t/2)^2) *(q-1)^(t)-1) / (q^(n-k))))
    Psucc = Rfloat( 1 - (1 - Ppart)^Nsol )
    T =(TGauss + Tlists + Tcheck)*log(q,2)/Psucc
    if verbose == True:
        print("q = ", q)
        print("n = ", n)
        print("k = ", k)
        print("t = ", t)
        print("d = ", d)
        print("p = ",p)
        print("l = ",ell)
        print("L1 = ", float(L1))
        print("L2 = ", float(L2))
        print("TGauss = ", float(TGauss))
        print("Tlists = ", float(Tlists))
        print("Ncols = ", float(Ncols))
        print("Tcheck = ", float(Tcheck))
        print("Ppart = ", float(Ppart))
        print("Nsol = ", float(Nsol))
        print("Psucc = ", float(Psucc))
        print("T = 2^", float(log(T,2)))
        
    return (T)



def dsplit_Stern_opt(q, n, k, t, d):
    T_min = oo
    p_min = 0
    ell_min = 0
    for p in range(min(floor(t/2), floor(k/2))):
        for ell in range(1,min(n-k, n-k+2*p-t)):
            T_cur = dsplit_Stern_Complexity(q, n, k, t, d,p, ell)
            if T_min > T_cur:
                T_min = T_cur
                p_min = p
                ell_min = ell
    
    dsplit_Stern_Complexity(q, n, k, t, d,p_min, ell_min, True)

for params in SDitH_params_v10 + SDitH_params_v11:
    q, n, k, t, d, version = params
    print(version)
    dsplit_Stern_opt(q, n, k, t, d)
    print()

SDitH_L1_gf256_v10
q =  256
n =  230
k =  126
t =  79
d =  1
p =  1
l =  2
L1 =  16065.0
L2 =  16065.0
TGauss =  3867776.25
Tlists =  64386.0
Ncols =  3938.052749633789
Tcheck =  1231072.171875
Ppart =  1.685660154323889e-36
Nsol =  460.1899978103391
Psucc =  7.757239427272863e-34
T = 2^ 135.2898555653888

SDitH_L1_gf251_v10
q =  251
n =  230
k =  126
t =  79
d =  1
p =  1
l =  2
L1 =  15750.0
L2 =  15750.0
TGauss =  3867474.103585657
Tlists =  63126.0
Ncols =  3937.4375009920477
Tcheck =  1230927.6334661355
Ppart =  1.685660154323889e-36
Nsol =  748.2539317431476
Psucc =  1.261301838055611e-33
T = 2^ 134.58293938717486

SDitH_L3_gf256_v10
q =  256
n =  352
k =  193
t =  120
d =  2
p =  2
l =  5
L1 =  149817600.0
L2 =  152938800.0
TGauss =  13799870.859375
Tlists =  1513782477.5
Ncols =  20839.182946365327
Tcheck =  19543571.283245087
Ppart =  2.843540761917612e-54
Nsol =  37.815200270807054
Psucc =  1.0752906339011779e-52
T = 2^ 206.16247775979994

SDitH_L3_gf251_v10
q =  251
n =  352

In [278]:
# Complexity of projective Stern for SDitH
# We use the lower bound for the d-split
# We use [CC98, BLP08] for the Gaussian elimination
# We use the factorization of the Gaussian elimination step

def proj_Stern_Complexity(q, n, k, t, d, p, ell, c, verbose=False):

    # number of solutions to the original syndrome decoding problem
    Nsol_SD = Rfloat( 1 + (binomial(n,t)*(q-1)^(t) - 1)/(q^(n-k)) )

    # reduction from the syndrome decoding to the low weight codeword search
    A = Rfloat( q + (q-1)*(1 - 1/(q^(n-k)))/Nsol_SD )
    reduction_factor = Rfloat( 1/(1 - 1/A) )
    
    
    # number of iteration of the inner loop to find one particular solution
    qin = Rfloat( binomial(floor((k+1)/2), p)*binomial(k+1 - floor((k+1)/2), p)*binomial(n-k-1-ell,t-2*p)/(binomial(k+1,2*p)*binomial(n-k-1,t-2*p)) )
    Nin_tmp = Rfloat( 1/qin )
    pin = Rfloat( 1 - (1 - qin)^Nin_tmp )
    
    
    
    # number of iteration of the outer loop to find one particular solution
    # Markov chain for [CC98, BLP08] technique
    
    distrib_init = vector(Rfloat, [0]*(t+2))
    for v in range(t+1):
        distrib_init[v] = binomial(k+1, v)*binomial(n-k-1, t-v)/binomial(n, t)
    
    Transition = matrix(Rfloat, t+2, t+2)
    Transition[t+1, t+1] = 1
    for u in range(t+1):
        for v in range(max(0, u-c),min(u+c, t)+1): 
            jmin = max(0, c-k-1+u, u-v, c - v - n + k + 1 + t)
            jmax = min(u, c, t-v, c-v+u)
            if jmin > jmax:
                continue
            term = Rfloat( binomial(u,jmin)*binomial(k+1-u,c-jmin)*binomial(t-u,v-u+jmin)*binomial(n-k-1-t+u,c-v+u-jmin)/(binomial(k+1,c)*binomial(n-k-1,c)) )
            Transition[u, v] = term
            for j in range(jmin+1, jmax+1):
                term *= Rfloat( ((u-j+1)/j) * ((c-j+1)/(k+1-u-c+j)) * ((t-v-j+1)/(v-u+j)) *  ((c-v+u-j+1)/(n-k-1-t-c+v+j)) )
                Transition[u, v] += term
    Transition[2*p, t+1] = pin
    for v in range(t+1):
        Transition[2*p, v] *= Rfloat( 1 - pin )

    F = (identity_matrix(Rfloat, t+1) - Transition.submatrix(0,0,t+1,t+1)).inverse()
    Nout_tmp = 0
    for v in range(t+1):
        for u in range(t+1):
            Nout_tmp += distrib_init[v] * F[u,v]    
    
    # number of solutions to the low weight codeword search
    Nsol = Rfloat( 1 + (binomial(n,t)*(q-1)^(t-1) - 1)/(q^(n-k-1)) )
    
    # Number of iterations of the inner loop and the outer loop considering the multiple solutions
    Nout = max(1, Nout_tmp/Nsol)
    Nin = max(1, Nin_tmp * min(1, Nout_tmp/Nsol))
    
    
    #lists sizes
    L1 = binomial(floor((k+1)/2), p)*(q-1)^(p-1)
    L2 = binomial(k + 1 - floor((k+1)/2), p)*(q-1)^(p-1)
        
    # TGauss
    TGauss = Rfloat( c * (n - k - 1) * (2*k + c + 3) )
    
    
    # Tlists
    Tlists = Rfloat( ell*(k + 2*p - 1 + 2*(L1 + L2)) )
    
    # Number of collisions
    Ncols = Rfloat( (q-1) * L1 * L2 / (q^(ell)) )
    
    # Tcheck
    Tcheck = Rfloat( 2*p + (q/(q-1))*(t - 2*p + 1)*2*p*(1 - (q-2)/(q-1)) ) * Ncols
    
    # d-split lower bound
    dsplit = Rfloat( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) )
    dsplit *= Rfloat( binomial(n,t)*(q-1)^t + q^(n-k) - 1 )
    dsplit /= Rfloat( (binomial(floor(n/d),floor(t/d))^d)*(q-1)^t + q^(n-k) - 1 )
    

    # Total complexity
    T = reduction_factor*dsplit*Nout*(TGauss + Nin*(Tlists + Tcheck)) * log(q,2)
    
    #verbosity
    if verbose:
        print("q = ", q)
        print("n = ", n)
        print("k = ", k)
        print("t = ", t)
        print("d = ", d)
        print("p = ",p)
        print("l = ",ell)
        print("c = ",c)
        print("reduction_factor = ", float(reduction_factor))
        print("dsplit = ", float(dsplit))
        print("  --> dsplit_old = ", float( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) ))
        print("Nout = ", float(Nout))
        print("  --> Nsol = ",  float(Nsol))
        print("  --> Nout_tmp = ",  float(Nout_tmp))
        print("  --> Nout_tmp without [BLP08] = ", float( binomial(n, t)/(binomial(k+1, 2*p)*binomial(n-k-1, t-2*p)) ))
        print("TGauss = ",  float(TGauss))
        print("  --> TGauss without [BLP08] = ",  float( ((q-1)/q)*(n-k-1)*(n-k-1)*(n+k+2) ))
        print("Nin = ", float(Nin))
        print("  --> Nsol_in = min(1, Nsol/Nout_tmp) = ",  max(1, Nsol/Nout_tmp))
        print("  --> Nin_tmp = ",  float(Nin_tmp))
        print("L1 = ", float(L1))
        print("L2 = ", float(L2))
        print("Tlists = ", float(Tlists))
        print("Ncols = ", float(Ncols))
        print("Tcheck = ", float(Tcheck))
        
        print("T = 2^", float(log(T,2)))
        
    return T
        

def proj_Stern_opt(q, n, k, t, d):
    T_min = oo
    p_min = 0
    ell_min = 0
    c_min = 0
    for p in range(1,3):
        for ell in range(1, 5):
            for c in range(1, 4):
                T_cur = proj_Stern_Complexity(q, n, k, t, d, p, ell, c)
                if T_min > T_cur:
                    T_min = T_cur
                    p_min = p
                    ell_min = ell
                    c_min = c
    
    proj_Stern_Complexity(q, n, k, t, d, p_min, ell_min, c_min, True)
    
    
for params in SDitH_params_v10+SDitH_params_v11:
    q, n, k, t, d, version = params
    print(version)
    proj_Stern_opt(q, n, k, t, d)
    print()

SDitH_L1_gf256_v10
q =  256
n =  230
k =  126
t =  79
d =  1
p =  1
l =  2
c =  1
reduction_factor =  1.0039130654755049
dsplit =  1.0
  --> dsplit_old =  1.0
Nout =  1.906252287974278e+33
  --> Nsol =  461.99074289979137
  --> Nout_tmp =  8.806709106756637e+35
  --> Nout_tmp without [BLP08] =  7.42853083991752e+34
TGauss =  26368.0
  --> TGauss without [BLP08] =  3783185.9765625
Nin =  32.07360576923077
  --> Nsol_in = min(1, Nsol/Nout_tmp) =  1
  --> Nin_tmp =  32.07360576923077
L1 =  63.0
L2 =  64.0
Tlists =  762.0
Ncols =  15.6884765625
Tcheck =  41.01224724264706
T = 2^ 129.22964683654712

SDitH_L1_gf251_v10
q =  251
n =  230
k =  126
t =  79
d =  1
p =  1
l =  2
c =  1
reduction_factor =  1.0039946613560096
dsplit =  1.0
  --> dsplit_old =  1.0
Nout =  1.1722850958420364e+33
  --> Nsol =  751.2429474701202
  --> Nout_tmp =  8.806709106756637e+35
  --> Nout_tmp without [BLP08] =  7.42853083991752e+34
TGauss =  26368.0
  --> TGauss without [BLP08] =  3782890.438247012
Nin =  32.073

In [277]:
# Complexity of d-split projective Stern for SDitH
# We don't use the lower bound but adapt Stern to the d-split
# We don't use [CC98, BLP08] for the Gaussian elimination
# We use the factorization of the Gaussian elimination step

def dsplit_proj_Stern_Complexity(q, n, k, t, d, p, ell, verbose=False):
    if d!=2:
        if verbose:
            print("d must be 2")
        return oo
    else:
        if t%2 == 1:
            if verbose:
                print("d must divide t")
            return oo
        p = p + (p%2)
        ell = ell + (ell%2)
        
        # number of solutions to the original syndrome decoding problem
        Nsol_SD = Rfloat( 1 + (binomial(floor(n/2),floor(t/2))^2*(q-1)^(t) - 1)/(q^(n-k)) )

        # reduction from the syndrome decoding to the low weight codeword search
        A = Rfloat( q + (q-1)*(1 - 1/(q^(n-k)))/Nsol_SD )
        reduction_factor = Rfloat( 1/(1 - 1/A) )


        # number of iteration of the inner loop to find one particular solution
        qin = Rfloat( binomial(floor((k+1)/4), floor(p/2)) * binomial(floor((k+1)/2) - floor((k+1)/4), p - floor(p/2)) / binomial(floor((k+1)/2), p) )
        qin *= Rfloat( binomial(floor((k+1)/2) - floor((k+1)/4), floor(p/2)) * binomial(k + 1 - 2*floor((k+1)/2) + floor((k+1)/4), p - floor(p/2)) / binomial(k + 1 - floor((k+1)/2), p) )
        qin *= Rfloat( binomial(floor((n-k-1)/2) - floor(ell/2), floor(t/2) - p) * binomial(n-k-1-ell-floor((n-k-1)/2) - floor(ell/2), floor(t/2) - p) / ( binomial(floor((n-k-1)/2), floor(t/2) - p) * binomial(n-k-1-ell-floor((n-k-1)/2), floor(t/2) - p) ) )
                
        
        Nin_tmp = Rfloat( 1/qin ) 
        pin = Rfloat( 1 - (1 - qin)^Nin_tmp )

        Nout_tmp = Rfloat( (binomial(floor(n/2), floor(t/2))^2)/(binomial(floor((k+1)/2), p)*binomial(k+1-floor((k+1)/2), p)*binomial(floor((n-k-1)/2), floor(t/2)-p)*binomial(n-k-1-floor((n-k-1)/2), floor(t/2)-p)) )

        # number of solutions to the low weight codeword search
        Nsol = Rfloat( 1 + (binomial(floor(n/2),floor(t/2))^2*(q-1)^(t-1) - 1)/(q^(n-k-1)) )

        # Number of iterations of the inner loop and the outer loop considering the multiple solutions
        Nout = max(1, Nout_tmp/Nsol)
        Nin = max(1, Nin_tmp * min(1, Nout_tmp/Nsol))


        #lists sizes
        L1 = binomial(floor((k+1)/4), floor(p/2))*binomial(floor((k+1)/2) - floor((k+1)/4), p - floor(p/2))*(q-1)^(p-1)
        L2 = binomial(floor((k+1)/2) - floor((k+1)/4), floor(p/2))*binomial(k + 1 - 2*floor((k+1)/2) + floor((k+1)/4), p - floor(p/2))*(q-1)^(p-1)

        # TGauss
        TGauss = Rfloat( (n-k-1)*(n-k-1)*(n+k+2) )
        #TGauss = Rfloat( ( (n-k-1)*(k+1)/n )^2 * (3*n - k - 1 + n/(k+1)) )
        
        # Tlists
        Tlists = Rfloat( ell*(k + 2*p - 1 + 2*(L1 + L2)) )

        # Number of collisions
        Ncols = Rfloat( (q-1) * L1 * L2 / (q^(ell)) )

        # Tcheck
        Tcheck = Rfloat( 2*p + (q/(q-1))*(t - 2*p + 1)*2*p*(1 - (q-2)/(q-1)) ) * Ncols

        # d-split lower bound
        dsplit = Rfloat( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) )
        dsplit *= Rfloat( binomial(n,t)*(q-1)^t + q^(n-k) - 1 )
        dsplit /= Rfloat( (binomial(floor(n/d),floor(t/d))^d)*(q-1)^t + q^(n-k) - 1 )


        # Total complexity
        T = reduction_factor*Nout*(TGauss + Nin*(Tlists + Tcheck)) * log(q,2)

        #verbosity
        if verbose:
            print("q = ", q)
            print("n = ", n)
            print("k = ", k)
            print("t = ", t)
            print("d = ", d)
            print("p = ",p)
            print("l = ",ell)
            print("reduction_factor = ", float(reduction_factor))
            print("dsplit = ", float(dsplit))
            print("  --> dsplit_old = ", float( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) ))
            print("Nout = ", float(Nout))
            print("  --> Nsol = ",  float(Nsol))
            print("  --> Nout_tmp without [BLP08] = ",  float(Nout_tmp))
            print("TGauss without [BLP08] = ",  float(TGauss))
            print("TGauss without reusing anything = ",  float( (n - k - 1)^2 * (n+k+2) ) )
            print("Nin = ", float(Nin))
            print("  --> Nsol_in = min(1, Nsol/Nout_tmp) = ",  max(1, Nsol/Nout_tmp))
            print("  --> Nin_tmp = ",  float(Nin_tmp))
            print("L1 = ", float(L1))
            print("L2 = ", float(L2))
            print("Tlists = ", float(Tlists))
            print("Ncols = ", float(Ncols))
            print("Tcheck = ", float(Tcheck))

            print("T = 2^", float(log(T,2)))

        return T
        

def dsplit_proj_Stern_opt(q, n, k, t, d):
    T_min = oo
    p_min = 0
    ell_min = 0
    c_min = 0
    for p in range(1,5,1):
        for ell in range(2,6,1):
            T_cur = dsplit_proj_Stern_Complexity(q, n, k, t, d, p, ell)
            if T_min > T_cur:
                T_min = T_cur
                p_min = p
                ell_min = ell
    
    dsplit_proj_Stern_Complexity(q, n, k, t, d, p_min, ell_min, True)
    
    
for params in SDitH_params_v10+SDitH_params_v11:
    q, n, k, t, d, version = params
    if d == 2:
        print(version)
        dsplit_proj_Stern_opt(q, n, k, t, d)
        print()

SDitH_L3_gf256_v10
q =  256
n =  352
k =  193
t =  120
d =  2
p =  2
l =  4
reduction_factor =  1.0038205368512372
dsplit =  0.9759223229981863
  --> dsplit_old =  0.089497822120607
Nout =  1.0758909591249867e+49
  --> Nsol =  37.95957360520238
  --> Nout_tmp without [BLP08] =  4.0840362054076714e+50
TGauss without [BLP08] =  13655308.0
TGauss without reusing anything =  13655308.0
Nin =  1173.1344575002013
  --> Nsol_in = min(1, Nsol/Nout_tmp) =  1
  --> Nin_tmp =  1173.1344575002013
L1 =  599760.0
L2 =  599760.0
Tlists =  9596944.0
Ncols =  21356.757424771786
Tcheck =  124776.67050719261
T = 2^ 199.2961691335549

SDitH_L3_gf251_v10
q =  251
n =  352
k =  193
t =  120
d =  2
p =  2
l =  4
reduction_factor =  1.0039504408938693
dsplit =  0.9885775600045428
  --> dsplit_old =  0.089497822120607
Nout =  5.103351406579594e+48
  --> Nsol =  80.02655275006634
  --> Nout_tmp without [BLP08] =  4.0840362054076714e+50
TGauss without [BLP08] =  13655308.0
TGauss without reusing anything =  1365

In [240]:
# Complexity of d-split projective Stern for SDitH
# We don't use the lower bound but adapt Stern to the d-split
# We try to use [CC98, BLP08] for the Gaussian elimination but here, the Markov chain is too big so it is very long...
# We use the factorization of the Gaussian elimination step

def dsplit_proj_Stern_Complexity(q, n, k, t, d, p, ell, c, verbose=False):
    if d!=2:
        if verbose:
            print("d must be 2")
        return oo
    else:
        if t%2 == 1:
            if verbose:
                print("d must divide t")
            return oo
        p = p + (p%2)
        ell = ell + (ell%2)
        c = c + c%2
        
        # number of solutions to the original syndrome decoding problem
        Nsol_SD = Rfloat( 1 + (binomial(floor(n/2),floor(t/2))^2*(q-1)^(t) - 1)/(q^(n-k)) )

        # reduction from the syndrome decoding to the low weight codeword search
        A = Rfloat( q + (q-1)*(1 - 1/(q^(n-k)))/Nsol_SD )
        reduction_factor = Rfloat( 1/(1 - 1/A) )


        # number of iteration of the inner loop to find one particular solution
        qin = Rfloat( binomial(floor((k+1)/4), floor(p/2)) * binomial(floor((k+1)/2) - floor((k+1)/4), floor(p/2)) / binomial(floor((k+1)/2), p) )
        qin *= Rfloat( binomial(floor((k+1)/2) - floor((k+1)/4), floor(p/2)) * binomial(k + 1 - 2*floor((k+1)/2) + floor((k+1)/4), floor(p/2)) / binomial(k + 1 - floor((k+1)/2), p) )
        qin *= Rfloat( binomial(floor((n-k-1)/2) - floor(ell/2), floor(t/2) - p) * binomial(n-k-1-ell-floor((n-k-1)/2) - floor(ell/2), floor(t/2) - p) / ( binomial(floor((n-k-1)/2), floor(t/2) - p) * binomial(n-k-1-ell-floor((n-k-1)/2), floor(t/2) - p) ) )
                
        
        Nin_tmp = Rfloat( 1/qin ) 
        pin = Rfloat( 1 - (1 - qin)^Nin_tmp )

        # number of iteration of the outer loop to find one particular solution
        # Markov chain for [CC98, BLP08] technique

        distrib_init = vector(Rfloat, [0]*((floor(t/2)+1)^2))
        for v1 in range(floor(t/2)+1):
            for v2 in range(floor(t/2)+1):
                distrib_init[v1 + (floor(t/2)+1)*v2] = binomial(floor((k+1)/2), v1)*binomial(k+1-floor((k+1)/2), v2)*binomial(floor((n-k-1)/2), floor(t/2)-v1)*binomial(n-k-1-floor((n-k-1)/2), floor(t/2)-v2)/(binomial(floor(n/2), floor(t/2))^2)

        Q = matrix(Rfloat, ((floor(t/2)+1)^2), ((floor(t/2)+1)^2))
        for u1 in range(floor(t/2)+1):
            for u2 in range(floor(t/2)+1):
                for v1 in range(max(0, u1-floor(c/2)), min(floor(c/2) + u1, floor(t/2))+1):
                    for v2 in range(max(0, u2-floor(c/2)), min(floor(c/2) + u2, floor(t/2))+1):
                        j1min = max(0, c/2 - floor((k+1)/2) + u1, u1 - v1, c/2 - v1 - floor((n-k-1)/2) + floor(t/2))
                        j1max = min(u1, c/2, floor(t/2) - v1, c/2 - v1 + u1)
                        j2min = max(0, c/2 - floor((k+1)/2) + u2, u2 - v2, c/2 - v2 - floor((n-k-1)/2) + floor(t/2))
                        j2max = min(u2, c/2, floor(t/2) - v2, c/2 - v2 + u2)
                        if j1min > j1max or j2min > j2max:
                            continue
                        term = Rfloat( binomial(u1,j1min)*binomial(floor((k+1)/2)-u1,floor(c/2)-j1min)*binomial(floor(t/2)-u1,v1-u1+j1min)*binomial(floor((n-k-1)/2)-floor(t/2)+u1,c/2-v1+u1-j1min)/(binomial(floor((k+1)/2),floor(c/2))*binomial(floor((n-k-1)/2),floor(c/2))) )
                        sum_terms = term
                        for j1 in range(j1min+1, j1max+1):
                            term *= Rfloat( ((u1-j1+1)/j1) * ((c/2-j1+1)/(floor((k+1)/2)-u1-c/2+j1)) * ((t/2-v1-j1+1)/(v1-u1+j1)) *  ((c/2-v1+u1-j1+1)/(floor((n-k-1)/2)-t/2-c/2+v1+j1)) )
                            sum_terms += term
                        Q[u1+(floor(t/2) +1)*u2, v1+(floor(t/2) +1)*v2] = sum_terms
                        term = Rfloat( binomial(u2,j2min)*binomial(k+1-floor((k+1)/2)-u2,floor(c/2)-j2min)*binomial(floor(t/2)-u2,v2-u2+j2min)*binomial(n-k-1-floor((n-k-1)/2)-floor(t/2)+u2,c/2-v2+u2-j2min)/(binomial(k+1-floor((k+1)/2),floor(c/2))*binomial(n-k-1-floor((n-k-1)/2),floor(c/2))) )
                        sum_terms = term
                        for j2 in range(j2min+1, j2max+1):
                            term *= Rfloat( ((u2-j2+1)/j2) * ((c/2-j2+1)/(k+1-floor((k+1)/2)-u2-c/2+j2)) * ((t/2-v2-j2+1)/(v2-u2+j2)) *  ((c/2-v2+u2-j2+1)/(n-k-1-floor((n-k-1)/2)-t/2-c/2+v2+j2)) )
                            sum_terms += term
                        Q[u1+(floor(t/2) +1)*u2, v1+(floor(t/2) +1)*v2] *= sum_terms
        
        for v1 in range(floor(t/2)+1):
            for v2 in range(floor(t/2)+1):
                Q[p+(floor(t/2) +1)*p, v1+(floor(t/2) +1)*v2] *= Rfloat( 1 - pin )
        
        F = (identity_matrix(Rfloat, ((floor(t/2)+1)^2)) - Q).inverse()
        
        Nout_tmp = 0
        for u1 in range(floor(t/2)+1):
            for u2 in range(floor(t/2)+1):
                for v1 in range(floor(t/2)+1):
                    for v2 in range(floor(t/2)+1):
                        Nout_tmp += distrib_init[v1+(floor(t/2) +1)*v2] * F[u1+(floor(t/2) +1)*u2,v1+(floor(t/2) +1)*v2]

        # number of solutions to the low weight codeword search
        Nsol = Rfloat( 1 + (binomial(floor(n/2),floor(t/2))^2*(q-1)^(t-1) - 1)/(q^(n-k-1)) )

        # Number of iterations of the inner loop and the outer loop considering the multiple solutions
        Nout = max(1, Nout_tmp/Nsol)
        Nin = max(1, Nin_tmp * min(1, Nout_tmp/Nsol))


        #lists sizes
        L1 = binomial(floor((k+1)/4), floor(p/2))*binomial(floor((k+1)/2) - floor((k+1)/4), floor(p/2))*(q-1)^(p-1)
        L2 = binomial(floor((k+1)/2) - floor((k+1)/4), floor(p/2))*binomial(k + 1 - 2*floor((k+1)/2) + floor((k+1)/4), floor(p/2))*(q-1)^(p-1)

        # TGauss
        TGauss = Rfloat( c * (n - k - 1) * (2*k + c + 3) )

        # Tlists
        Tlists = Rfloat( ell*(k + 2*p - 1 + 2*(L1 + L2)) )

        # Number of collisions
        Ncols = Rfloat( (q-1) * L1 * L2 / (q^(ell)) )

        # Tcheck
        Tcheck = Rfloat( 2*p + (q/(q-1))*(t - 2*p + 1)*2*p*(1 - (q-2)/(q-1)) ) * Ncols

        # d-split lower bound
        dsplit = Rfloat( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) )
        dsplit *= Rfloat( binomial(n,t)*(q-1)^t + q^(n-k) - 1 )
        dsplit /= Rfloat( (binomial(floor(n/d),floor(t/d))^d)*(q-1)^t + q^(n-k) - 1 )


        # Total complexity
        T = reduction_factor*Nout*(TGauss + Nin*(Tlists + Tcheck)) * log(q,2)

        #verbosity
        if verbose:
            print("q = ", q)
            print("n = ", n)
            print("k = ", k)
            print("t = ", t)
            print("d = ", d)
            print("p = ",p)
            print("l = ",ell)
            print("c = ",c)
            print("reduction_factor = ", float(reduction_factor))
            print("dsplit = ", float(dsplit))
            print("  --> dsplit_old = ", float( (binomial(floor(n/2),floor(t/2))^2)/binomial(n,t) ))
            print("Nout = ", float(Nout))
            print("  --> Nsol = ",  float(Nsol))
            print("  --> Nout_tmp = ",  float(Nout_tmp))
            print("  --> Nout_tmp without [BLP08] = ", float( (binomial(floor(n/2), floor(t/2))^2)/(binomial(floor((k+1)/2), p)*binomial(k+1-floor((k+1)/2), p)*binomial(floor((n-k-1)/2), floor(t/2)-p)*binomial(n-k-1-floor((n-k-1)/2), floor(t/2)-p)) ))
            print("TGauss = ",  float(TGauss))
            print("  --> TGauss without [BLP08] = ",  float( ((q-1)/q)*(n-k-1)*(n-k-1)*(n+k+2) ))
            print("Nin = ", float(Nin))
            print("  --> Nsol_in = min(1, Nsol/Nout_tmp) = ",  max(1, Nsol/Nout_tmp))
            print("  --> Nin_tmp = ",  float(Nin_tmp))
            print("L1 = ", float(L1))
            print("L2 = ", float(L2))
            print("Tlists = ", float(Tlists))
            print("Ncols = ", float(Ncols))
            print("Tcheck = ", float(Tcheck))

            print("T = 2^", float(log(T,2)))

        return T
        

def dsplit_proj_Stern_opt(q, n, k, t, d):
    T_min = oo
    p_min = 0
    ell_min = 0
    c_min = 0

    for p in [2]:
        for ell in [4]:
            for c in [2]:
                T_cur = dsplit_proj_Stern_Complexity(q, n, k, t, d, p, ell, c, True)
                print()
                if T_min > T_cur:
                    T_min = T_cur
                    p_min = p
                    ell_min = ell
                    c_min = c
        
    
for params in SDitH_params_v10+SDitH_params_v11:
    q, n, k, t, d, version = params
    if d == 2:
        print(version)
        dsplit_proj_Stern_opt(q, n, k, t, d)
        print()

SDitH_L3_gf256_v10


KeyboardInterrupt: 

In [252]:
# Complexity of d-split projective Stern for SDitH
# We don't use the lower bound but adapt Stern to the d-split
# We use [CC98, BLP08] for the Gaussian elimination 
#     but here, we do not consider the d-split in the Markov chain
#     (we consider we can select the c positions to swap anywhere, not regularly)
# We use the factorization of the Gaussian elimination step

def dsplit_proj_Stern_Complexity(q, n, k, t, d, p, ell, c, verbose=False):
    if d!=2:
        if verbose:
            print("d must be 2")
        return oo
    else:
        if t%2 == 1:
            if verbose:
                print("d must divide t")
            return oo
        
        # number of solutions to the original syndrome decoding problem
        Nsol_SD = Rfloat( 1 + (binomial(floor(n/2),floor(t/2))^2*(q-1)^(t) - 1)/(q^(n-k)) )

        # reduction from the syndrome decoding to the low weight codeword search
        A = Rfloat( q + (q-1)*(1 - 1/(q^(n-k)))/Nsol_SD )
        reduction_factor = Rfloat( 1/(1 - 1/A) )


        # number of iteration of the inner loop to find one particular solution
        qin = Rfloat( binomial(floor((k+1)/4), floor(p/2)) * binomial(floor((k+1)/2) - floor((k+1)/4), p - floor(p/2)) / binomial(floor((k+1)/2), p) )
        qin *= Rfloat( binomial(floor((k+1)/2) - floor((k+1)/4), floor(p/2)) * binomial(k + 1 - 2*floor((k+1)/2) + floor((k+1)/4), p - floor(p/2)) / binomial(k + 1 - floor((k+1)/2), p) )
        qin *= Rfloat( binomial(floor((n-k-1)/2) - floor(ell/2), floor(t/2) - p) * binomial(n-k-1-ell-floor((n-k-1)/2) - ell + floor(ell/2), floor(t/2) - p) / ( binomial(floor((n-k-1)/2), floor(t/2) - p) * binomial(n-k-1-ell-floor((n-k-1)/2), floor(t/2) - p) ) )
                
        
        Nin_tmp = Rfloat( 1/qin ) 
        pin = Rfloat( 1 - (1 - qin)^Nin_tmp )

        # number of iteration of the outer loop to find one particular solution
        # Markov chain for [CC98, BLP08] technique

        distrib_init = vector(Rfloat, [0]*(t+2))
        for v in range(t+1):
            distrib_init[v] = binomial(k+1, v)*binomial(n-k-1, t-v)/binomial(n, t)

        Transition = matrix(Rfloat, t+2, t+2)
        Transition[t+1, t+1] = 1
        for u in range(t+1):
            for v in range(max(0, u-c),min(u+c, t)+1): 
                jmin = max(0, c-k-1+u, u-v, c - v - n + k + 1 + t)
                jmax = min(u, c, t-v, c-v+u)
                if jmin > jmax:
                    continue
                term = Rfloat( binomial(u,jmin)*binomial(k+1-u,c-jmin)*binomial(t-u,v-u+jmin)*binomial(n-k-1-t+u,c-v+u-jmin)/(binomial(k+1,c)*binomial(n-k-1,c)) )
                Transition[u, v] = term
                for j in range(jmin+1, jmax+1):
                    term *= Rfloat( ((u-j+1)/j) * ((c-j+1)/(k+1-u-c+j)) * ((t-v-j+1)/(v-u+j)) *  ((c-v+u-j+1)/(n-k-1-t-c+v+j)) )
                    Transition[u, v] += term
        Transition[2*p, t+1] = pin
        Transition[2*p, t+1] *= binomial(floor((k+1)/2), p) * binomial(k+1-floor((k+1)/2), p)/binomial(k+1, 2*p) # probability to respect the d-split
        for v in range(t+1):
            Transition[2*p, v] *= Rfloat( 1 - Transition[2*p, t+1] )

        F = (identity_matrix(Rfloat, t+1) - Transition.submatrix(0,0,t+1,t+1)).inverse()
        Nout_tmp = 0
        for v in range(t+1):
            for u in range(t+1):
                Nout_tmp += distrib_init[v] * F[u,v] 
            
        # number of solutions to the low weight codeword search
        Nsol = Rfloat( 1 + (binomial(floor(n/2),floor(t/2))^2*(q-1)^(t-1) - 1)/(q^(n-k-1)) )

        # Number of iterations of the inner loop and the outer loop considering the multiple solutions
        Nout = max(1, Nout_tmp/Nsol)
        Nin = max(1, Nin_tmp * min(1, Nout_tmp/Nsol))


        #lists sizes
        L1 = binomial(floor((k+1)/4), floor(p/2))*binomial(floor((k+1)/2) - floor((k+1)/4), p-floor(p/2))*(q-1)^(p-1)
        L2 = binomial(floor((k+1)/2) - floor((k+1)/4), floor(p/2))*binomial(k + 1 - 2*floor((k+1)/2) + floor((k+1)/4), p-floor(p/2))*(q-1)^(p-1)

        # TGauss
        TGauss = Rfloat( c * (n - k - 1) * (2*k + c + 3) )

        # Tlists
        Tlists = Rfloat( ell*(k + 2*p - 1 + 2*(L1 + L2)) )

        # Number of collisions
        Ncols = Rfloat( (q-1) * L1 * L2 / (q^(ell)) )

        # Tcheck
        Tcheck = Rfloat( 2*p + (q/(q-1))*(t - 2*p + 1)*2*p*(1 - (q-2)/(q-1)) ) * Ncols

        # d-split lower bound
        dsplit = Rfloat( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) )
        dsplit *= Rfloat( binomial(n,t)*(q-1)^t + q^(n-k) - 1 )
        dsplit /= Rfloat( (binomial(floor(n/d),floor(t/d))^d)*(q-1)^t + q^(n-k) - 1 )


        # Total complexity
        T = reduction_factor*Nout*(TGauss + Nin*(Tlists + Tcheck)) * log(q,2)

        #verbosity
        if verbose:
            print("q = ", q)
            print("n = ", n)
            print("k = ", k)
            print("t = ", t)
            print("d = ", d)
            print("p = ",p)
            print("l = ",ell)
            print("c = ",c)
            print("reduction_factor = ", float(reduction_factor))
            print("dsplit = ", float(dsplit))
            print("  --> dsplit_old = ", float( (binomial(floor(n/2),floor(t/2))^2)/binomial(n,t) ))
            print("Nout = ", float(Nout))
            print("  --> Nsol = ",  float(Nsol))
            print("  --> Nout_tmp = ",  float(Nout_tmp))
            print("  --> Nout_tmp without [BLP08] = ", float( (binomial(floor(n/2), floor(t/2))^2)/(binomial(floor((k+1)/2), p)*binomial(k+1-floor((k+1)/2), p)*binomial(floor((n-k-1)/2), floor(t/2)-p)*binomial(n-k-1-floor((n-k-1)/2), floor(t/2)-p)) ))
            print("TGauss = ",  float(TGauss))
            print("  --> TGauss without [BLP08] = ",  float( ((q-1)/q)*(n-k-1)*(n-k-1)*(n+k+2) ))
            print("Nin = ", float(Nin))
            print("  --> Nsol_in = min(1, Nsol/Nout_tmp) = ",  max(1, Nsol/Nout_tmp))
            print("  --> Nin_tmp = ",  float(Nin_tmp))
            print("L1 = ", float(L1))
            print("L2 = ", float(L2))
            print("Tlists = ", float(Tlists))
            print("Ncols = ", float(Ncols))
            print("Tcheck = ", float(Tcheck))

            print("T = 2^", float(log(T,2)))

        return T
        

def dsplit_proj_Stern_opt(q, n, k, t, d):
    T_min = oo
    p_min = 0
    ell_min = 0
    c_min = 0

    for p in [1,2]:
        for ell in [2,3,4]:
            for c in [1,2,3]:
                T_cur = dsplit_proj_Stern_Complexity(q, n, k, t, d, p, ell, c)
                if T_min > T_cur:
                    T_min = T_cur
                    p_min = p
                    ell_min = ell
                    c_min = c
    dsplit_proj_Stern_Complexity(q, n, k, t, d, p_min, ell_min, c_min, True)
    
for params in SDitH_params_v10+SDitH_params_v11:
    q, n, k, t, d, version = params
    if d == 2:
        print(version)
        dsplit_proj_Stern_opt(q, n, k, t, d)
        print()

SDitH_L3_gf256_v10
q =  256
n =  352
k =  193
t =  120
d =  2
p =  1
l =  2
c =  1
reduction_factor =  1.0038205368512372
dsplit =  0.9759223229981863
  --> dsplit_old =  0.089497822120607
Nout =  4.246373860500128e+54
  --> Nsol =  37.95957360520238
  --> Nout_tmp =  1.61190541112862e+56
  --> Nout_tmp without [BLP08] =  7.427411608045246e+54
TGauss =  61620.0
  --> TGauss without [BLP08] =  13601966.953125
Nin =  67.59607308201058
  --> Nsol_in = min(1, Nsol/Nout_tmp) =  1
  --> Nin_tmp =  67.59607308201058
L1 =  49.0
L2 =  48.0
Tlists =  776.0
Ncols =  9.151611328125
Tcheck =  26.87822265625
T = 2^ 201.29826405910592

SDitH_L3_gf251_v10
q =  251
n =  352
k =  193
t =  120
d =  2
p =  1
l =  2
c =  1
reduction_factor =  1.0039504408938693
dsplit =  0.9885775600045428
  --> dsplit_old =  0.089497822120607
Nout =  2.0142132276555963e+54
  --> Nsol =  80.02655275006634
  --> Nout_tmp =  1.61190541112862e+56
  --> Nout_tmp without [BLP08] =  7.427411608045246e+54
TGauss =  61620.0
  --> 

In [273]:
# Complexity of d-split projective Stern for SDitH
# We don't use the lower bound but adapt Stern to the d-split
# We use [CC98, BLP08] for the Gaussian elimination 
#     but here, we do not consider the d-split in the Markov chain
#     (we consider we can select the c positions to swap anywhere, not regularly)
# We use the factorization of the Gaussian elimination step
# Another bet where we accept imbalances p, ell...


def dsplit_proj_Stern_Complexity(q, n, k, t, d, p, ell, c, verbose=False):
    if d!=2:
        if verbose:
            print("d must be 2")
        return oo
    else:
        if t%2 == 1:
            if verbose:
                print("d must divide t")
            return oo
        ell = ell + (ell%2)
        
        # number of solutions to the original syndrome decoding problem
        Nsol_SD = Rfloat( 1 + (binomial(floor(n/2),floor(t/2))^2*(q-1)^(t) - 1)/(q^(n-k)) )

        # reduction from the syndrome decoding to the low weight codeword search
        A = Rfloat( q + (q-1)*(1 - 1/(q^(n-k)))/Nsol_SD )
        reduction_factor = Rfloat( 1/(1 - 1/A) )


        # number of iteration of the inner loop to find one particular solution
        qin = Rfloat( binomial(floor((n-k-1)/2) - floor(ell/2), floor(t/2) - p) * binomial(n-k-1-ell-floor((n-k-1)/2) - floor(ell/2), floor(t/2) - p) / ( binomial(floor((n-k-1)/2), floor(t/2) - p) * binomial(n-k-1-ell-floor((n-k-1)/2), floor(t/2) - p) ) )
                
        
        Nin_tmp = Rfloat( 1/qin )
        pin = Rfloat( 1 - (1 - qin)^Nin_tmp )

        # number of iteration of the outer loop to find one particular solution
        # Markov chain for [CC98, BLP08] technique

        distrib_init = vector(Rfloat, [0]*(t+2))
        for v in range(t+1):
            distrib_init[v] = binomial(k+1, v)*binomial(n-k-1, t-v)/binomial(n, t)

        Transition = matrix(Rfloat, t+2, t+2)
        Transition[t+1, t+1] = 1
        for u in range(t+1):
            for v in range(max(0, u-c),min(u+c, t)+1): 
                jmin = max(0, c-k-1+u, u-v, c - v - n + k + 1 + t)
                jmax = min(u, c, t-v, c-v+u)
                if jmin > jmax:
                    continue
                term = Rfloat( binomial(u,jmin)*binomial(k+1-u,c-jmin)*binomial(t-u,v-u+jmin)*binomial(n-k-1-t+u,c-v+u-jmin)/(binomial(k+1,c)*binomial(n-k-1,c)) )
                Transition[u, v] = term
                for j in range(jmin+1, jmax+1):
                    term *= Rfloat( ((u-j+1)/j) * ((c-j+1)/(k+1-u-c+j)) * ((t-v-j+1)/(v-u+j)) *  ((c-v+u-j+1)/(n-k-1-t-c+v+j)) )
                    Transition[u, v] += term
        Transition[2*p, t+1] = pin
        Transition[2*p, t+1] *= binomial(floor((k+1)/2), p) * binomial(k+1-floor((k+1)/2), p) / binomial(k+1, 2*p) # probability to respect the d-split
        for v in range(t+1):
            Transition[2*p, v] *= Rfloat( 1 - Transition[2*p, t+1] )

        F = (identity_matrix(Rfloat, t+1) - Transition.submatrix(0,0,t+1,t+1)).inverse()
        Nout_tmp = 0
        for v in range(t+1):
            for u in range(t+1):
                Nout_tmp += distrib_init[v] * F[u,v] 
            
        # number of solutions to the low weight codeword search
        Nsol = Rfloat( 1 + (binomial(floor(n/2),floor(t/2))^2*(q-1)^(t-1) - 1)/(q^(n-k-1)) )

        # Number of iterations of the inner loop and the outer loop considering the multiple solutions
        Nout = max(1, Nout_tmp/Nsol)
        Nin = max(1, Nin_tmp * min(1, Nout_tmp/Nsol))


        #lists sizes
        L1 = binomial(floor((k+1)/2), p)*(q-1)^(p-1)
        L2 = binomial(k+1-floor((k+1)/2), p)*(q-1)^(p-1)

        # TGauss
        TGauss = Rfloat( c * (n - k - 1) * (2*k + c + 3) )

        # Tlists
        Tlists = Rfloat( ell*(k + 2*p - 1 + 2*(L1 + L2)) )

        # Number of collisions
        Ncols = Rfloat( (q-1) * L1 * L2 / (q^(ell)) )

        # Tcheck
        Tcheck = Rfloat( 2*p + (q/(q-1))*(t - 2*p + 1)*2*p*(1 - (q-2)/(q-1)) ) * Ncols

        # d-split lower bound
        dsplit = Rfloat( (binomial(floor(n/d),floor(t/d))^d)/binomial(n,t) )
        dsplit *= Rfloat( binomial(n,t)*(q-1)^t + q^(n-k) - 1 )
        dsplit /= Rfloat( (binomial(floor(n/d),floor(t/d))^d)*(q-1)^t + q^(n-k) - 1 )


        # Total complexity
        T = reduction_factor*Nout*(TGauss + Nin*(Tlists + Tcheck)) * log(q,2)

        #verbosity
        if verbose:
            print("q = ", q)
            print("n = ", n)
            print("k = ", k)
            print("t = ", t)
            print("d = ", d)
            print("p = ",p)
            print("l = ",ell)
            print("c = ",c)
            print("reduction_factor = ", float(reduction_factor))
            print("dsplit = ", float(dsplit))
            print("  --> dsplit_old = ", float( (binomial(floor(n/2),floor(t/2))^2)/binomial(n,t) ))
            print("Nout = ", float(Nout))
            print("  --> Nsol = ",  float(Nsol))
            print("  --> Nout_tmp = ",  float(Nout_tmp))
            print("  --> Nout_tmp without [BLP08] = ", float( (binomial(floor(n/2), floor(t/2))^2)/(binomial(floor((k+1)/2), p)*binomial(k+1-floor((k+1)/2), p)*binomial(floor((n-k-1)/2), floor(t/2)-p)*binomial(n-k-1-floor((n-k-1)/2), floor(t/2)-p)) ))
            print("TGauss = ",  float(TGauss))
            print("  --> TGauss without [BLP08] = ",  float( ((q-1)/q)*(n-k-1)*(n-k-1)*(n+k+2) ))
            print("Nin = ", float(Nin))
            print("  --> Nsol_in = min(1, Nsol/Nout_tmp) = ",  max(1, Nsol/Nout_tmp))
            print("  --> Nin_tmp = ",  float(Nin_tmp))
            print("L1 = ", float(L1))
            print("L2 = ", float(L2))
            print("Tlists = ", float(Tlists))
            print("Ncols = ", float(Ncols))
            print("Tcheck = ", float(Tcheck))

            print("T = 2^", float(log(T,2)))

        return T
        

def dsplit_proj_Stern_opt(q, n, k, t, d):
    T_min = oo
    p_min = 0
    ell_min = 0
    c_min = 0

    for p in [1]:
        for ell in [2,3,4]:
            for c in [1,2,3]:
                T_cur = dsplit_proj_Stern_Complexity(q, n, k, t, d, p, ell, c)
                if T_min > T_cur:
                    T_min = T_cur
                    p_min = p
                    ell_min = ell
                    c_min = c
    dsplit_proj_Stern_Complexity(q, n, k, t, d, p_min, ell_min, c_min, True)
    
for params in SDitH_params_v10+SDitH_params_v11:
    q, n, k, t, d, version = params
    if d == 2:
        print(version)
        dsplit_proj_Stern_opt(q, n, k, t, d)
        print()

SDitH_L3_gf256_v10
q =  256
n =  352
k =  193
t =  120
d =  2
p =  1
l =  2
c =  1
reduction_factor =  1.0038205368512372
dsplit =  0.9759223229981863
  --> dsplit_old =  0.089497822120607
Nout =  4.1960124832331087e+54
  --> Nsol =  37.95957360520238
  --> Nout_tmp =  1.592788447056352e+56
  --> Nout_tmp without [BLP08] =  7.427411608045246e+54
TGauss =  61620.0
  --> TGauss without [BLP08] =  13601966.953125
Nin =  16.897222222222222
  --> Nsol_in = min(1, Nsol/Nout_tmp) =  1
  --> Nin_tmp =  16.897222222222222
L1 =  97.0
L2 =  97.0
Tlists =  1164.0
Ncols =  36.61033630371094
Tcheck =  107.52431844075521
T = 2^ 200.8012890946255

SDitH_L3_gf251_v10
q =  251
n =  352
k =  193
t =  120
d =  2
p =  1
l =  2
c =  1
reduction_factor =  1.0039504408938693
dsplit =  0.9885775600045428
  --> dsplit_old =  0.089497822120607
Nout =  1.9903249513081538e+54
  --> Nsol =  80.02655275006634
  --> Nout_tmp =  1.592788447056352e+56
  --> Nout_tmp without [BLP08] =  7.427411608045246e+54
TGauss =  61