Below are parameters of the experiments reported in [KLNO24](https://eprint.iacr.org/2024/1972).

In [215]:
def largest_a_below_binom_sum(n, threshold_power):
    """
    Returns the largest a such that sum_{i=0}^a binomial(n, i) < 2^threshold_power

    Parameters:
    - n: total number of bits
    - threshold_power: the exponent k such that the threshold is 2^k

    Returns:
    - a: largest integer such that the cumulative binomial sum is less than 2^threshold_power
    """
    threshold = 2^threshold_power
    running_sum = 0
    a = 0

    while True:
        running_sum += binomial(n, a)
        if running_sum >= threshold:
            return a - 1
        a += 1

# Example usage:
assert largest_a_below_binom_sum(256, 128) == 29

In [255]:
from rok_estimator.rok_estimator import *


def RelationRPWithKJL(ratio = 18, height = 105):
    class JL:
        kjl = ratio
        njl = height
        mjl = kjl * njl
        alpha_inf = largest_a_below_binom_sum(mjl, mjl)
        def get_delta(self):
            return 2^(-self.njl)
    
        def get_right_bound(self):
            return sqrt(self.mjl * self.njl)
        def get_left_bound(self):
            return self.alpha_inf / (2 * sqrt(self.mjl))
    
        def get_right_bound_inf(self):
            return self.mjl
        def get_left_bound_inf(self):
            return self.alpha_inf / (2)
    
    
    class HJL: # heuristics from GHL, BS
        kjl = 34
        njl = 256
        mjl = kjl * njl
        alpha_inf = 29 
    
        def get_delta(self):
            return 2^(-128)
    
        def get_right_bound(self):
            return sqrt(337)
            
        def get_left_bound(self):
            return sqrt(30)
    
        def get_right_bound_inf(self):
            return self.mjl
        def get_left_bound_inf(self):
            return self.alpha_inf / (2)
    
    
    
    jl = JL()
    
    print("Limits of structure: ", jl.mjl)
    
    
    g_first_branch = None
    g_second_branch = None
    
    g_second_branch_ext_2_norm = None
    g_second_branch_ext_inf_norm = None
    
    class Relation_RP(Relation):
        def execute(self, op, **kwargs):
            match op:
                case "srp":
                    return self.pi_srp(**kwargs)
                case "to-first":
                    return self.pi_to_first(**kwargs)
                case "join":
                    return self.pi_join(**kwargs)
                case "norm-poly":
                    return self.pi_norm_poly()
                case _:
                    return super().execute(op, **kwargs)
                
        def pi_norm_poly(self):
            comm = (3 * ceil(log(self.wdim, 2)) + 3 * self.rep) * self.ring.size_Rq()  # TODO: Overestimating. Some of the communication are short elements. Assuming that wdim is a power of two for now. Even if not, this would be an upper bound of the communication cost.   
            # comm = (2 * self.rep) * self.ring.size_Rq() + (1 * ceil(log(self.wdim, 2)) + 3 * self.rep) * self.ring.log_q  # TODO: Overestimating. Some of the communication are short elements. Assuming that wdim is a power of two for now. Even if not, this would be an upper bound of the communication cost.   
            snd_err = 3 * ceil(log(self.wdim, 2))/(2**(self.ring.log_q * self.ring.residue_deg)) # TODO: Assuming that wdim is a power of two for now. Even if not, this would be an upper bound of the soundness error.
            rel_params = {
                # "ring": self.ring,
                # "trivial": self.trivial,
                "op_name": "norm-poly",
                "n_compress": self.n_compress + 2,
                # "n_commit": self.n_commit,
                "n_rel": self.n_rel + 2,
                # "wdim": self.wdim,
                # "rep": self.rep,
                # "log_beta_wit_2": bound_log_canon_2_from_log_coeff_inf(self.ring,self.log_beta_wit_inf, dim=self.wdim * (self.rep + ell)), # Measured in Frobenius norm
                # "log_beta_wit_2": self.log_beta_wit_2, # Measured in max ell_2-norm over all columns
                # "log_beta_wit_inf": self.log_beta_wit_inf
                "comm" : comm,      
                "acc_comm" : self.acc_comm + comm,       
                "snd_err" : snd_err,
                "acc_snd_err" : self.acc_snd_err + snd_err,           
                "log_beta_ext_2_func" : lambda x : self.log_beta_wit_2, # perfect extraction
                "log_beta_ext_inf_func" : lambda x : oo # extraction of ell_2-norm is perfect, then bound ell_inf-norm by norm conversion
            }      
            return replace(self, **rel_params)
                
        def pi_srp(self):
            global g_first_branch 
            rel_params = {
                "n_rel": self.n_rel + 1,
                "log_slack_2_func": lambda x: x,
                "log_slack_inf_func": lambda x: x, 
            }
    
            g_first_branch = replace(deepcopy(self), **rel_params)
            comm = (self.n_commit + 1) * self.ring.size_Rq()  # for the new comm
            snd_err = self.wdim * self.rep / jl.kjl * (1 / 2**(self.ring.log_q * self.ring.residue_deg) + jl.get_delta() * euler_phi(self.ring.f) / jl.njl)
            global g_second_branch_ext_2_norm
            global g_second_branch_ext_inf_norm
    
            def log_beta_ext_2_func(x):
                global g_second_branch_ext_2_norm
                return g_second_branch_ext_2_norm + log(1 / jl.get_left_bound(), 2) + log(sqrt(radical(self.ring.f)),2)
                
            def log_beta_ext_inf_func(x):
                global g_second_branch_ext_inf_norm 
                return g_second_branch_ext_inf_norm + log(1 / jl.get_left_bound_inf(), 2)
                
            rel_params = {
                "op_name": "srp 2 rel",
                "n_compress": self.n_commit + 1,
                "n_rel": 1,
                "wdim": ZZ(ceil(self.wdim / jl.kjl * self.rep)),
                "rep": 1,
                "comm": comm,      
                "acc_comm" : self.acc_comm + comm,       
                "snd_err" : snd_err,
                "acc_snd_err" : self.acc_snd_err + snd_err,    
                "log_beta_wit_2": self.log_beta_wit_2 + log(jl.get_right_bound(), 2) + log(sqrt(self.rep),2),
                "log_beta_wit_inf":self.log_beta_wit_inf + log(jl.get_right_bound_inf(), 2) + log(sqrt(self.rep),2), # can we say sth about infinity - norm?
                "log_beta_ext_2_func": log_beta_ext_2_func, # we extract norm from the second branch (relax it)
                "log_beta_ext_inf_func" : log_beta_ext_inf_func,  # can we say sth about infinity - norm?
                "log_slack_2_func": lambda x: 0,
                "log_slack_inf_func": lambda x: 0,
            }     
            
            # We immediately switch to the second branch to estimate binding and serve as an extraction checkpoint. 
            return replace(self, **rel_params)
    
    
        def pi_to_first(self):
            global g_second_branch 
            g_second_branch = deepcopy(self)
            
            rel_params = {
                "op_name": "    1 rel",
                "n_rel": 1,
                "log_beta_ext_2_func" : lambda x : x, # perfect extraction
                "log_beta_ext_inf_func" : lambda x : x, # perfect extraction
                "acc_comm": g_second_branch.acc_comm,
                "comm": 0,
                "snd_err" : g_second_branch.snd_err,
                "acc_snd_err" : g_second_branch.acc_snd_err,    
                # "log_slack_2_func" : lambda x: 0, # perfect extraction
                # "log_slack_inf_func" : lambda x: 0 # perfect extraction
            }      
            global g_first_branch
            return replace(g_first_branch, **rel_params)
            
        def pi_join(self):
            def log_beta_ext_2_func(x):
                global g_second_branch_ext_2_norm
                g_second_branch_ext_2_norm = x
                return x
            def log_beta_ext_inf_func(x):
                global g_second_branch_ext_inf_norm
                g_second_branch_ext_inf_norm = x
                return x
    
            global g_second_branch
    
            assert g_second_branch.wdim <= self.wdim
            assert g_second_branch.rep == 1
            assert self.rep == 1
            
            rel_params = {
                "op_name": "join",
                "rep": 2,
                "n_rel": self.n_rel + g_second_branch.n_rel,
                "log_beta_wit_2": max(self.log_beta_wit_2, g_second_branch.log_beta_wit_2),
                "log_beta_wit_inf": max(self.log_beta_wit_inf, g_second_branch.log_beta_wit_inf),
                "log_beta_ext_2_func": log_beta_ext_2_func, # perfect extraction, but we keep track of what was there
                "log_beta_ext_inf_func" : log_beta_ext_inf_func # perfect extraction, but we keep track of what was there
            }      
            return replace(self, **rel_params)
    return Relation_RP
        
        
f = 60
K = CyclotomicField(f)
phi = euler_phi(f)
R = K.ring_of_integers()

max_v = 100


C = ChallengeSet(cardinality = max_v^phi, gamma_2 = max_v * sqrt(phi) / 2, theta_2 = max_v * sqrt(phi), gamma_inf = max_v / 2, theta_inf = max_v)

In [256]:
# A NEW

ring_params = {
    "f": 60,
    "log_beta_sis_2": 62.6,
    "log_q": 64,
}

rel_params = {
    "wdim": 2**18 * 41 * 25,
    "rep": 1,
    "log_beta_wit_inf": 14
}

ops_params = {
    "ell": 3,
    "d": 2,
}

loop = lambda ell: ([
    ("bdecomp", {"ell":ell }), 
    ("norm", {}), 
    ("batch", {}), 
    ("srp", {}), # switches to the second branch to check hardness
    ("to-first", {}),
    ("split", {"d": ops_params["d"]}), 
    ("fold", {}),
    ("join", {})
])

ops = loop(2) + loop(2) * 15 + [("finish", {})]

sim = Simulation(ring_params, rel_params, RelationRPWithKJL(18, 105))
sim.ring.C = C


sim.execute(ops)
sim.extract()
sim.show()

Limits of structure:  1890
Execution Trace:
 operation  |    wdim    | rep | log_2-norm  (real | extr) | log_inf-norm  (real | extr) |  wit size  | communication  (growth | total) | soundness error  (growth | total) 
 init       |  268697600 |   1 |    ( 33 | 33/  0 )        |     ( 14 | 33/  0 )         | 7688. MB   |      (0.0000 B | 0.0000 B)      |         (2^-oo  | 2^-oo )         
 bdecomp    |  268697600 |   2 |    ( 25 | 26/  0 )        |     (  7 | 26/  0 )         | 8200. MB   |      (18.62 KB | 18.62 KB)      |         (2^-oo  | 2^-oo )         
 norm       |  268697600 |   8 |    ( 25 | 36/  0 )        |     (  7 | 28/  0 )         | 32800. MB  |      (114.8 KB | 133.4 KB)      |         (2^-125 | 2^-125)         
 batch      |  268697600 |   8 |    ( 25 | 36/  0 )        |     (  7 | 28/  0 )         | 32800. MB  |      (0.0000 B | 133.4 KB)      |         (2^-123 | 2^-123)         
 srp 2 rel  |  119421156 |   1 |    ( 36 | 40/ 20 )        |     ( 19 | 39/ 20 )         | 

In [92]:
# A

ring_params = {
    "f": 60,
    "log_beta_sis_2": 37.8,
    "log_q": 64,
}

rel_params = {
    "wdim": 2**18 * 41,
    "rep": 25,
    "log_beta_wit_inf": 14,
}

ops_params = {
    "ell": 4,
    "d": 2,
}

loop = [
    ("bdecomp", {"ell": ops_params["ell"]}), 
    ("norm", {}), 
    ("batch", {}), 
    ("split", {"d": ops_params["d"]}), 
    ("fold_old", {})
]
ops = 12 * loop + [("finish", {})]

sim = Simulation(ring_params, rel_params)
sim.execute(ops)
sim.extract()
sim.show()


Execution Trace:
 operation  |    wdim    | rep | log_2-norm  (real | extr) | log_inf-norm  (real | extr) |  wit size  | communication  (growth | total) | soundness error  (growth | total) 
 init       |   10747904 |  25 |    ( 31 | 34/  0 )        |     ( 14 | 34/  0 )         | 7688. MB   |      (0.0000 B | 0.0000 B)      |         (2^-oo  | 2^-oo )         
 bdecomp    |   10747904 | 100 |    ( 19 | 23/  0 )        |     (  3 | 23/  0 )         | 8200. MB   |      (515.6 KB | 515.6 KB)      |         (2^-oo  | 2^-oo )         
 norm       |   10747904 | 109 |    ( 19 | 37/  0 )        |     (  3 | 37/  0 )         | 8938. MB   |      (102.8 KB | 618.4 KB)      |         (2^-124 | 2^-124)         
 batch      |   10747904 | 109 |    ( 19 | 37/  0 )        |     (  3 | 37/  0 )         | 8938. MB   |      (0.0000 B | 618.4 KB)      |         (2^-119 | 2^-119)         
 split      |    5373952 | 218 |    ( 19 | 37/  0 )        |     (  3 | 37/  0 )         | 8938. MB   |      (790.2 KB

In [257]:
# B

ring_params = {
    "f": 60,
    "log_beta_sis_2": 38.8,
    "log_q": 64,
}

rel_params = {
    "wdim": 2**20 * 41,
    "rep": 25,
    "log_beta_wit_inf": 14,
}

ops_params = {
    "ell": 4,
    "d": 2,
}

loop = [
    ("bdecomp", {"ell": ops_params["ell"]}), 
    ("norm", {}), 
    ("batch", {}), 
    ("split", {"d": ops_params["d"]}), 
    ("fold_old", {})
]
ops = 14 * loop + [("finish", {})]

sim = Simulation(ring_params, rel_params)
sim.execute(ops)
sim.extract()
sim.show()


Execution Trace:
 operation  |    wdim    | rep | log_2-norm  (real | extr) | log_inf-norm  (real | extr) |  wit size  | communication  (growth | total) | soundness error  (growth | total) 
 init       |   42991616 |  25 |    ( 32 | 35/  0 )        |     ( 14 | 35/  0 )         | 30750. MB  |      (0.0000 B | 0.0000 B)      |         (2^-oo  | 2^-oo )         
 bdecomp    |   42991616 | 100 |    ( 20 | 24/  0 )        |     (  3 | 24/  0 )         | 32800. MB  |      (543.8 KB | 543.8 KB)      |         (2^-oo  | 2^-oo )         
 norm       |   42991616 | 109 |    ( 20 | 38/  0 )        |     (  3 | 38/  0 )         | 35750. MB  |      (106.1 KB | 649.9 KB)      |         (2^-124 | 2^-124)         
 batch      |   42991616 | 109 |    ( 20 | 38/  0 )        |     (  3 | 38/  0 )         | 35750. MB  |      (0.0000 B | 649.9 KB)      |         (2^-119 | 2^-119)         
 split      |   21495808 | 218 |    ( 20 | 38/  0 )        |     (  3 | 38/  0 )         | 35750. MB  |      (831.1 KB

In [274]:
# B NEW

ring_params = {
    "f": 60,
    "log_beta_sis_2": 63.99,
    "log_q": 65,
}

rel_params = {
    "wdim": 2**20 * 41 * 25,
    "rep": 1,
    "log_beta_wit_inf": 14
}

ops_params = {
    "ell": 3,
    "d": 2,
}

loop = lambda ell: ([
    ("bdecomp", {"ell":ell }), 
    ("norm", {}), 
    ("batch", {}), 
    ("srp", {}), # switches to the second branch to check hardness
    ("to-first", {}),
    ("split", {"d": ops_params["d"]}), 
    ("fold", {}),
    ("join", {})
])

ops = loop(2) + loop(2) * 17 + [("finish", {})]

sim = Simulation(ring_params, rel_params, RelationRPWithKJL(20, 108))
sim.ring.C = C


sim.execute(ops)
sim.extract()
sim.show()

Limits of structure:  2160
Execution Trace:
 operation  |    wdim    | rep | log_2-norm  (real | extr) | log_inf-norm  (real | extr) |  wit size  | communication  (growth | total) | soundness error  (growth | total) 
 init       | 1074790400 |   1 |    ( 34 | 34/  0 )        |     ( 14 | 34/  0 )         | 30750. MB  |      (0.0000 B | 0.0000 B)      |         (2^-oo  | 2^-oo )         
 bdecomp    | 1074790400 |   2 |    ( 26 | 27/  0 )        |     (  7 | 27/  0 )         | 32800. MB  |      (19.55 KB | 19.55 KB)      |         (2^-oo  | 2^-oo )         
 norm       | 1074790400 |   9 |    ( 26 | 38/  0 )        |     (  7 | 30/  0 )         | 147600. MB |      (140.3 KB | 159.8 KB)      |         (2^-127 | 2^-127)         
 batch      | 1074790400 |   9 |    ( 26 | 38/  0 )        |     (  7 | 30/  0 )         | 147600. MB |      (0.0000 B | 159.8 KB)      |         (2^-125 | 2^-124)         
 srp 2 rel  |  483655680 |   1 |    ( 37 | 41/ 20 )        |     ( 20 | 41/ 20 )         | 

In [105]:
# C

ring_params = {
    "f": 60,
    "log_beta_sis_2": 39.8,
    "log_q": 64,
}

rel_params = {
    "wdim": 2**22 * 41,
    "rep": 25,
    "log_beta_wit_inf": 14,
}

ops_params = {
    "ell": 4,
    "d": 2,
}

loop = [
    ("bdecomp", {"ell": ops_params["ell"]}), 
    ("norm", {}), 
    ("batch", {}), 
    ("split", {"d": ops_params["d"]}), 
    ("fold_old", {})
]
ops = 16 * loop + [("finish", {})]

sim = Simulation(ring_params, rel_params)
sim.execute(ops)
sim.extract()
sim.show()


Execution Trace:
 operation  |    wdim    | rep | log_2-norm  (real | extr) | log_inf-norm  (real | extr) |  wit size  | communication  (growth | total) | soundness error  (growth | total) 
 init       |  171966464 |  25 |    ( 33 | 36/  0 )        |     ( 14 | 36/  0 )         | 123000. MB |      (0.0000 B | 0.0000 B)      |         (2^-oo  | 2^-oo )         
 bdecomp    |  171966464 | 100 |    ( 21 | 25/  0 )        |     (  3 | 25/  0 )         | 131200. MB |      (571.9 KB | 571.9 KB)      |         (2^-oo  | 2^-oo )         
 norm       |  171966464 | 110 |    ( 21 | 39/  0 )        |     (  3 | 39/  0 )         | 144300. MB |      (117.5 KB | 689.4 KB)      |         (2^-124 | 2^-124)         
 batch      |  171966464 | 110 |    ( 21 | 39/  0 )        |     (  3 | 39/  0 )         | 144300. MB |      (0.0000 B | 689.4 KB)      |         (2^-119 | 2^-119)         
 split      |   85983232 | 220 |    ( 21 | 39/  0 )        |     (  3 | 39/  0 )         | 144300. MB |      (880.0 KB

In [271]:
# C NEW

ring_params = {
    "f": 60,
    "log_beta_sis_2": 65,
    "log_q": 67,
}

rel_params = {
    "wdim": 2**22 * 41 * 25,
    "rep": 1,
    "log_beta_wit_inf": 14
}

ops_params = {
    "ell": 3,
    "d": 2,
}

loop = lambda ell: ([
    ("bdecomp", {"ell":ell }), 
    ("norm", {}), 
    ("batch", {}), 
    ("srp", {}), # switches to the second branch to check hardness
    ("to-first", {}),
    ("split", {"d": ops_params["d"]}), 
    ("fold", {}),
    ("join", {})
])

ops = loop(2) + loop(2) * 19 + [("finish", {})]

sim = Simulation(ring_params, rel_params, RelationRPWithKJL(20, 110))
sim.ring.C = C


sim.execute(ops)
sim.extract()
sim.show()

Limits of structure:  2200
Execution Trace:
 operation  |    wdim    | rep | log_2-norm  (real | extr) | log_inf-norm  (real | extr) |  wit size  | communication  (growth | total) | soundness error  (growth | total) 
 init       | 4299161600 |   1 |    ( 35 | 35/  0 )        |     ( 14 | 35/  0 )         | 123000. MB |      (0.0000 B | 0.0000 B)      |         (2^-oo  | 2^-oo )         
 bdecomp    | 4299161600 |   2 |    ( 27 | 28/  0 )        |     (  7 | 28/  0 )         | 131200. MB |      (20.15 KB | 20.15 KB)      |         (2^-oo  | 2^-oo )         
 norm       | 4299161600 |   9 |    ( 27 | 39/  0 )        |     (  7 | 31/  0 )         | 590400. MB |      (144.6 KB | 164.8 KB)      |         (2^-131 | 2^-131)         
 batch      | 4299161600 |   9 |    ( 27 | 39/  0 )        |     (  7 | 31/  0 )         | 590400. MB |      (0.0000 B | 164.8 KB)      |         (2^-129 | 2^-128)         
 srp 2 rel  | 1934622720 |   1 |    ( 38 | 42/ 20 )        |     ( 20 | 42/ 20 )         | 