-rw-r--r-- 4272 cryptattacktester-20231020/isd0_cost.cpp raw
#include "ram_cost.h"
#include "bit_cost.h"
#include "bit_vector_cost.h"
#include "bit_matrix_cost.h"
#include "subset_cost.h"
#include "index_cost.h"
#include "sorting_cost.h"
#include "parity_cost.h"
#include "isd0_cost.h"
using namespace std;
bigint isd0_cost(const vector<bigint> ¶ms,const vector<bigint> &attackparams)
{
bigint N = params.at(0);
bigint K = params.at(1);
bigint W = params.at(2);
bigint pos = 0;
bigint ITERS = attackparams.at(pos++);
bigint RESET = attackparams.at(pos++);
bigint X = attackparams.at(pos++);
bigint YX = attackparams.at(pos++); auto Y = X+YX;
bigint P = attackparams.at(pos++);
bigint L = attackparams.at(pos++);
bigint Z = attackparams.at(pos++);
bigint QUEUE_SIZE = attackparams.at(pos++);
bigint QF = attackparams.at(pos++); auto PERIOD = QF*QUEUE_SIZE;
bigint FW = attackparams.at(pos++);
bigint fwcost = 0;
if (FW) {
fwcost = parity_known_cost(N,K);
--K;
}
bigint R = N - K;
bigint KK = K + L;
bigint RR = N - KK;
bigint result = 0;
bigint column_swaps = column_swaps_cost(N,K,L,X,Y); // column_swaps(s, H, column_map, perm_RR, perm_KK, N, K, L, X, Y);
result += column_swaps;
result += 1; // alwayssystematic &= swapssucceeded;
result += subset_cost(KK-Z,P,L != 0 ? L : R-L); // subset(L_sum, L_set, KK-Z, P, idx_bits, ss.at(L == 0), Hs.at(L == 0));
if (P > 0) {
if (L > 0) {
bigint persum = 0;
persum += bit_vector_iszero_cost(L); // bit zero_check = bit_vector_iszero(L_sum.at(i));
persum += bit_queue1_insert_cost(QUEUE_SIZE); // bit_queue1_insert(queue_valid, zero_check);
persum += QUEUE_SIZE*P*nbits(KK-Z-1)*bit_mux_cost; // bit_matrix_queue_insert(queue_set, L_set.at(i), zero_check);
result += binomial(KK-Z,P)*persum;
bigint postqueue = 0;
postqueue += R-L+bit_matrix_sum_of_cols_cost(R-L,KK-Z,P); // bit_vector_ixor(sum, bit_matrix_sum_of_cols(Hs.at(1), queue_set.at(j)));
postqueue += 2+bit_vector_hamming_weight_isnot_cost(R-L,W-P); // bit weight_check = alwayssystematic.andn(bit_vector_hamming_weight_isnot(sum,T-P)) & queue_valid.at(j);
postqueue += (R-L)*bit_mux_cost; // bit_vector_mux(s_ret, sum, weight_check);
postqueue += P*nbits(KK-Z-1)*bit_mux_cost; // bit_matrix_mux(set_ret, queue_set.at(j), weight_check);
postqueue += N*nbits(N-1)*bit_mux_cost; // bit_matrix_mux(map_ret, column_map, weight_check);
bigint queue_clears = (binomial(KK-Z,P)+PERIOD-1)/PERIOD;
result += queue_clears*QUEUE_SIZE*postqueue;
} else {
bigint persum = 0;
persum += 1+bit_vector_hamming_weight_isnot_cost(R,W-P); // bit weight_check = alwayssystematic.andn(bit_vector_hamming_weight_isnot(L_sum.at(i),T-P));
persum += (R-L)*bit_mux_cost; // bit_vector_mux(s_ret, L_sum.at(i), weight_check);
persum += P*nbits(KK-Z-1)*bit_mux_cost; // bit_matrix_mux(set_ret, L_set.at(i), weight_check);
persum += N*nbits(N-1)*bit_mux_cost; // bit_matrix_mux(map_ret, column_map, weight_check);
result += binomial(KK-Z,P)*persum;
}
} else {
result += bit_vector_iszero_cost(L); // bit zero_check = bit_vector_iszero(ss.at(0));
result += 1+bit_vector_hamming_weight_isnot_cost(R-L,W-P); // bit weight_check = alwayssystematic.andn(bit_vector_hamming_weight_isnot(ss.at(1),T-P));
if (L > 0) result += 1; // if (L > 0) check &= zero_check;
result += (R-L)*bit_mux_cost; // bit_vector_mux(s_ret, ss.at(1), check);
result += N*nbits(N-1)*bit_mux_cost; // bit_matrix_mux(map_ret, column_map, check);
}
result *= ITERS;
bigint perresetexceptfirst = 0;
perresetexceptfirst += bit_matrix_column_randompermutation_cost(N,K);
if (FW) perresetexceptfirst += 1; // alwayssystematic &= initial_alwayssystematic;
bigint perreset = perresetexceptfirst;
perreset -= column_swaps; // skipped on reset
perreset -= 1; // skipped on reset
perreset += 2*L*(N-K-1)*(N+1); // bit_matrix_randomize_rows
result += perreset*(ITERS/RESET);
result -= perresetexceptfirst; // skipped on iter == 0
result += P*ram_write_cost(KK-Z,nbits(KK-Z-1),1); // ram_write(e, 0, KK-Z, set_ret.at(i), bit(1));
result += N*ram_write_cost(N,nbits(N-1),1); // ram_write(e_ret, map_ret.at(i), e.at(i));
result += fwcost;
return result;
}