## Algorithm of S-polynomials

In [1]:
def S_polynomial(f1,f2):
    a = f1.lm()
    b = f2.lm()
    c= f1.lt()
    d = f2.lt()
    ppcm = a.lcm(b)
    s = (ppcm/c) * f1 - (ppcm/d) * f2
    return s

In [2]:
def S_polynomials(List):
    L = list()
    for i in range(len(List)-1):
        for j in range(i+1,len(List)):
            Lt_fi = List[i].lt()
            Lm_fi = List[i].lm()
            Lt_fj = List[j].lt()
            Lm_fj = List[j].lm()
            monomial_lcm = Lm_fi.lcm(Lm_fj)
            Sij = expand((monomial_lcm/Lt_fi)*List[i] - (monomial_lcm/Lt_fj)*List[j])
            L.append(Sij)
    return L

In [3]:
P.<x,y,z> = PolynomialRing(QQ)
f0 = x^3 - 2*x*y
f1 = x^2*y -2*y^2 + x
f2 = 3*x^3*y + x*z + 5*y - 4*y*z
F = [f0,f1,f2]

In [4]:
S_polynomials(F)

[-x^2,
 -2*x*y^2 - 1/3*x*z + 4/3*y*z - 5/3*y,
 -2*x*y^2 + x^2 - 1/3*x*z + 4/3*y*z - 5/3*y]

In [5]:
from sage.rings.polynomial.toy_buchberger import spol

In [6]:
S_polynomial(f0,f1), S_polynomial(f0,f2), S_polynomial(f1,f2), S_polynomial(f1,f2) == spol(f1,f2)

(-x^2,
 -2*x*y^2 - 1/3*x*z + 4/3*y*z - 5/3*y,
 -2*x*y^2 + x^2 - 1/3*x*z + 4/3*y*z - 5/3*y,
 True)

In [7]:
P.<x,y,z> = PolynomialRing(QQ)
p = 2*x^3*y^2*z + 3/2*y^3*z^3 - 3*x*y*z + y^2

In [8]:
print(p.variables())
print( p.args())
print( p.degree())
print(p.degrees())
print(p.dict())
print(p.exponents())
print(p.monomials())
print(p.variables())

(x, y, z)
(x, y, z)
6
(3, 3, 3)
{(3, 2, 1): 2, (0, 3, 3): 3/2, (1, 1, 1): -3, (0, 2, 0): 1}
[(3, 2, 1), (0, 3, 3), (1, 1, 1), (0, 2, 0)]
[x^3*y^2*z, y^3*z^3, x*y*z, y^2]
(x, y, z)


In [9]:
m = p.monomials()
m

[x^3*y^2*z, y^3*z^3, x*y*z, y^2]

## Function that determines whether two monomes are dividing 

In [10]:
""" Cette fonction détermine si deux monômes se divisent.
    Deux monômes se divisent lorsqque la différence de degrés de toutes les variables est positive. """
def does_divide(m1,m2):
    for c in (vector(ZZ, m1.degrees()) - vector(ZZ,m2.degrees())):
        if c < 0:
            return False
    return True

In [11]:
m1 = x^2*y
m2 = x^2*y
m3 = x^2
m4 = x*y

In [12]:
vector(ZZ, m1.degrees()), vector(ZZ, m2.degrees()), vector(ZZ, m1.degrees()) - vector(ZZ, m2.degrees())

((2, 1, 0), (2, 1, 0), (0, 0, 0))

In [13]:
vector(ZZ, m3.degrees()), vector(ZZ, m4.degrees()), vector(ZZ, m3.degrees()) - vector(ZZ, m4.degrees())

((2, 0, 0), (1, 1, 0), (1, -1, 0))

In [14]:
vector(ZZ, m1.degrees()), vector(ZZ, m3.degrees()), vector(ZZ, m1.degrees()) - vector(ZZ, m3.degrees())

((2, 1, 0), (2, 0, 0), (0, 1, 0))

In [15]:
vector(ZZ, m4.degrees()), vector(ZZ, m3.degrees()), vector(ZZ, m4.degrees()) - vector(ZZ, m3.degrees())

((1, 1, 0), (2, 0, 0), (-1, 1, 0))

In [16]:
does_divide(m1,m2), does_divide(m3,m4), does_divide(m1,m3), does_divide(m4,m3)

(True, False, True, False)

## Multivariate polynomial division algorithm

In [17]:
def division_Algo(f,List):
    a = [0 for j in range(0,len(List))]
    r = P(0)
    p = f
    while p != P(0):
        i = 0
        division_occured = False
        while (i < len(List) and division_occured == False):
            if does_divide(p.lm(), List[i].lm()):
                b = P((p.lt()/List[i].lt()))
                a[i] = a[i] + b
                p = p - b * List[i]
                division_occured = True
            else:
                i = i + 1
        if division_occured == False:
            r = r + p.lt()
            p = p - p.lt()
    return a, r

In [18]:
P.<x,y,z> = PolynomialRing(QQ)
List  = [x^2 + x,  y^2 + y]
f = x^3 + y^2

In [19]:
division_Algo(f,List)

([x - 1, 1], x - y)

In [20]:
P.<x,y> = PolynomialRing(QQ)
f0 = x*y - 1
f1 = y^2 - 1
f = x^2*y + x*y + y^2
List = [f0,f1]

In [21]:
division_Algo(f,List)

([x + 1, 1], x + 2)

In [22]:
P.<x,y> = PolynomialRing(QQ)
f1 = x*y - 1
f2 = y^2 - 1
p = x^2*y + x*y^2 + y^2
L = [f1,f2]
division_Algo(p,L)

([x + y, 1], x + y + 1)

In [23]:
P.<x,y> = PolynomialRing(QQ)
f1 = x*y + 1
f2 = y^2 - 1
p = x*y^2 - x
fs = [f1,f2]
division_Algo(p,fs)

([y, 0], -x - y)

In [24]:
P.<x,y,z> = PolynomialRing(QQ)
f0 = x^3 - 2*x*y
f1 = x^2*y -2*y^2 + x
f2 = 3*x^3*y + x*z + 5*y - 4*y*z
f = x^2*y + x*y + y
F = [f0,f1,f2]
division_Algo(f,F)

([0, 1, 0], x*y + 2*y^2 - x + y)

## Buchberger's algorithm

In [25]:
def buchberger(F):
    G = F
    G2 = []
    while G2 != G:
        G2 = copy(G)
        for f,g in cartesian_product_iterator([G2, G2 ]):
            if f<g:
                s = spol(f,g).reduce(G2)
                if s != 0:
                    G.append(s)
    return G

In [26]:
Poly_QQ__2.<x,y,z> = PolynomialRing(FiniteField(2),order="lex")
f1 = x^3*z-2*x*y
f2 = x^2*y-2*y^2+x*z
f3 = x*y^2 +4*x^2*z
F = [f1,f2,f3]
buchberger(F)

[x^3*z, x^2*y + x*z, x*y^2, x^2*z^2, x*y*z, x*z^3, x*z^2]

In [27]:
P.<x,y> = PolynomialRing(FiniteField(2),order="lex")
f0 = x*y - 1
f1 = y^2 - 1
#f = x^2*y + x*y + y^2
List = [f0,f1]
buchberger(List)

[x*y + 1, y^2 + 1, x + y]

In [28]:
P.<x,y,z,t,s> = PolynomialRing(FiniteField(2),order="lex")
f = x*t + z*t + x*s + x + y + z + t - 1
g = x*y + x*t + y*t + z*t + y*s + x + y - 1
h = x*y + y*z + y*t + z*t + x*s + z*s + x + z + t + s
k = x*y + x*z + y*z + x*t + x*s + z*s + y
l = x*y + x*z + y*s + z + t  + s

F = [f, g, h, k, l]
I = Ideal(F)
I

Ideal (x*t + x*s + x + y + z*t + z + t + 1, x*y + x*t + x + y*t + y*s + y + z*t + 1, x*y + x*s + x + y*z + y*t + z*t + z*s + z + t + s, x*y + x*z + x*t + x*s + y*z + y + z*s, x*y + x*z + y*s + z + t + s) of Multivariate Polynomial Ring in x, y, z, t, s over Finite Field of size 2

In [29]:
I.basis_is_groebner()

False

In [None]:
#buchberger(F)

## Generation of the HFE public key scheme

In [31]:
""" brief generates public key for an HFE instance
    parameter n: number of variables;
    parameter q: cardinality of base field to work over. This has to be power of prime.
    The function computes the public key by base transformation.
    It uses multivariate polynomials to simulate general vector.
    Hence, the orientation in code might be difficult as we work with polynomials such that coefficents are
multivariate polynomials. """

' brief generates public key for an HFE instance\n    parameter n: number of variables;\n    parameter q: cardinality of base field to work over. This has to be power of prime.\n    The function computes the public key by base transformation.\n    It uses multivariate polynomials to simulate general vector.\n    Hence, the orientation in code might be difficult as we work with polynomials such that coefficents are\nmultivariate polynomials. '

In [32]:
def HFEkeyGeneration (n, q):
    
    # initialyzes basic structures
    k = GF(q)
    
    # variables name, use whatever you want
    v = ['x'+ str(num) for num in range (1, n+1)]
    R = PolynomialRing(k, v, n)
    
    # The quotient ring for x_i^q = x_i
    J = R.ideal([ x^q-x for x in R.gens()])
    H = R.quotient_ring(J, v)

    # Initializes affine transformations S = (A, c) , T = (B, d)
    A = Matrix([[1,0,1],[0,1,0],[0,1,1]])
    B = Matrix([[0,1,1],[1,1,0],[0,0,1]])
    c = vector([0,1,0])
    d = vector([1,0,0])
    
    # The general vector we encrypt
    # Serves for construction of public key
    m = vector(R, n, R.gens())
    
    # Apply S to general message m
    m = A*m
    m = m + c
    
    # Transforms vector to list and reverses it
    list = m.list()
    
    # Setup of quotient ring
    P.<x> = PolynomialRing(k)
    g = x^3+x+1
    L.<t> = PolynomialRing(R)
   

    #Sets the quotient ring with irreducible polynomial gof degree n
    g = L(g) # t^3+t+1
    I = L.ideal([g]) # Principal ideal (t^3 + t + 1) of Univariate Polynomial Ring in t over 
    # Multivariate Polynomial Ring in x, y, z over Integer Ring
    Q = L.quotient_ring(I) # Univariate Quotient Polynomial Ring in tbar over Multivariate Polynomial Ring 
    # in x, y, z over Integer Ring with modulus (t^3 + t + 1)
   
    pol = L(list)
    pol = Q(pol^(q+1) + (t+1)*pol + 1)
    list = pol.list()
    list.reverse()
    m = vector(R, n, list )
    # Apply affine transformation T
    m = B*m
    m = m + d
    # Following part prints the setup of current HFE instance and can be turned off  by commenting
    print(" setup the HFE instance with n=%d and q=%d" %(n, q ))
    print("---------------------------------------------------------------------------------------\n")
    print("The affine transformation S is : ")
    print(A)
    print("")
    print (c)
    print("\n The affine transformation T is : ")
    print(B)
    print("")
    print(d)
    print("")
    print("generator g of quotient_ring is : ")
    print(g)
    # Forces x^q = x and prints the public key .
    print("\n The public key is : ")
    list = m.list()
    for i in range(n):
        list[i] = H(list[i])
        print("p" + str(i+1) + " = " + str(list[i]) + ' , ')
    return m

In [33]:
HFEkeyGeneration(3, 2)

 setup the HFE instance with n=3 and q=2
---------------------------------------------------------------------------------------

The affine transformation S is : 
[1 0 1]
[0 1 0]
[0 1 1]

(0, 1, 0)

 The affine transformation T is : 
[0 1 1]
[1 1 0]
[0 0 1]

(1, 0, 0)

generator g of quotient_ring is : 
t^3 + t + 1

 The public key is : 
p1 = x1*x3 + x2*x3 + x3 + 1 , 
p2 = x1*x2 + x1*x3 + x2*x3 + x1 + x3 + 1 , 
p3 = x2*x3 + x2 + x3 , 


(x1^3 + x1^2*x2 + x1*x2^2 + x1^2*x3 + x2^2*x3 + x3^3 + x1^2 + x3^2 + x3 + 1, x1*x2^2 + x1^2*x3 + x2*x3^2 + x1^2 + x2^2 + x3^2 + x2 + 1, x1^3 + x2^3 + x1^2*x3 + x2^2*x3 + x1*x3^2 + x3^2 + x1)

In [34]:
def HFEencrypt(list, q):
    n = len(list)
    m = HFEkeyGeneration(n, q)
    print("\n The plaintext is : ")
    print(list)
    print("\n The ciphertext is ")
    return m(list).list()

In [35]:
HFEencrypt([1, 1, 1], 2)

 setup the HFE instance with n=3 and q=2
---------------------------------------------------------------------------------------

The affine transformation S is : 
[1 0 1]
[0 1 0]
[0 1 1]

(0, 1, 0)

 The affine transformation T is : 
[0 1 1]
[1 1 0]
[0 0 1]

(1, 0, 0)

generator g of quotient_ring is : 
t^3 + t + 1

 The public key is : 
p1 = x1*x3 + x2*x3 + x3 + 1 , 
p2 = x1*x2 + x1*x3 + x2*x3 + x1 + x3 + 1 , 
p3 = x2*x3 + x2 + x3 , 

 The plaintext is : 
[1, 1, 1]

 The ciphertext is 


[0, 0, 1]

## The public key system 

In [66]:
P.<x,y,z> = PolynomialRing(FiniteField(2),order="lex")
c = [0,0,1]
p1 = x*z + y*z + z + 1
p2 = x*y + x*z + y*z + x + z + 1
p3 = y*z + y + z

In [67]:
""" 
f1 = p1 - c[0] = x*z + y*z + z + 1
f2 = p2 - c[1] = x*y + x*z + y*z + x + z + 1
f3 = p3 - c[2] = y*z + y + z - 1
"""
f1 =  x*z + y*z + z + 1
f2 =  x*y + x*z + y*z + x + z + 1
f3 =  y*z + y + z - 1

In [68]:
F = [f1, f2, f3]
I = P.ideal(F)
I

Ideal (x*z + y*z + z + 1, x*y + x*z + x + y*z + z + 1, y*z + y + z + 1) of Multivariate Polynomial Ring in x, y, z over Finite Field of size 2

## Solving the polynomials system equations using Groebner basis

In [69]:
""" Test if the ideal I is a Groebner basis """
I.basis_is_groebner()

False

In [70]:
""" Construction of the Groebner basis """
gb = buchberger(F)
gb

[x*z + y*z + z + 1,
 x*y + x*z + x + y*z + z + 1,
 y*z + y + z + 1,
 y^2 + y,
 y^2 + y]

In [85]:
I = P.ideal((x*z + y*z + z + 1, x*y + x*z + x + y*z + z + 1, y*z + y + z + 1, y^2 + y, y^2 + y))
dim(I)

1

In [89]:
""" The dimension of the ideal is 1, but it should be 0 to compute I.variety() and get the answer.  """

' The dimension of the ideal is 1, but it should be 0 to compute I.variety() and get the answer.  '

In [71]:
""" Sage provides much of the functionality of gfan, which is a software package whose main function is to enumerate 
    all reduced Groebner bases of a polynomial ideal. """
I = P.ideal([x*z + y*z + z + 1, x*y + x*z + x + y*z + z + 1, y*z + y + z + 1, y^2 + y, y^2 + y]).groebner_fan()
I

Groebner fan of the ideal:
Ideal (x*z + y*z + z + 1, x*y + x*z + x + y*z + z + 1, y*z + y + z + 1, y^2 + y, y^2 + y) of Multivariate Polynomial Ring in x, y, z over Finite Field of size 2

In [92]:
I = P.ideal([x*z + y*z + z + 1, x*y + x*z + x + y*z + z + 1, y*z + y + z + 1, y^2 + y, y^2 + y]).groebner_fan()
X = I.reduced_groebner_bases()
X

[[y*z + y + z + 1, y^2 + y, x*z + y, x*y + x],
 [x*z^2 + x*z + z + 1, x^2*z + x, x*z + y]]

In [95]:
#I = P.ideal([x*z + y*z + z + 1, x*y + x*z + x + y*z + z + 1, y*z + y + z + 1, y^2 + y, y^2 + y])
#I.interreduced_basis()

In [97]:
""" For the first reduce greobner basis, we get: """
X1 = X[0]
X1

[y*z + y + z + 1, y^2 + y, x*z + y, x*y + x]

In [132]:
x, y, z = var('x, y, z')
a = solve([x*y + x == 0, x*z + y == 0, y^2 + y == 0], x, y, z)
b = solve([x*y + x == 0, x*z + y == 0, y*z + y + z + 1 == 0], x, y, z)
c = solve([x*z + y == 0, y^2 + y == 0, y*z + y + z + 1 == 0], x, y, z)
print(a)
print("-----------------------------------------------")
print(b)
print("-----------------------------------------------")
print(c)
print("\n")
print("Since we manage the bits it's means that x, y, z are in {0,1}.")
print("For the -1 values of the variables, we can add a bit 1 to get the right answer.")
print("\n")
print("For the above resolutions we can affirm that x == 1, y == 1, z == 1 is a solution of the polynomials system of equations.")

[
[x == 0, y == 0, z == r59],
[x == (1/r60), y == -1, z == r60]
]
-----------------------------------------------
[
[x == (1/r61), y == -1, z == r61],
[x == 0, y == 0, z == -1],
[x == -1, y == -1, z == -1]
]
-----------------------------------------------
[
[x == (1/r62), y == -1, z == r62],
[x == 0, y == 0, z == -1],
[x == -1, y == -1, z == -1]
]


Since we manage the bits it's means that x, y, z are in {0,1}.
For the -1 values of the variables, we can add a bit 1 to get the right answer.


For the above resolutions we can affirm that x == 1, y == 1, z == 1 is a solution of the polynomials system of equations.


In [98]:
""" For the second reduce greobner basis, we get """
X1 = X[1]
X1

[x*z^2 + x*z + z + 1, x^2*z + x, x*z + y]

In [124]:
x, y, z = var('x, y, z')
d = solve([x*z^2 + x*z + z + 1 == 0, x^2*z + x == 0, x*z + y == 0], x, y, z)
print(d)
print("\n")
print("Since we manage the bits it's means that x, y, z are in {0,1}.")
print("For the -1 values of the variables, we can add a bit 1 to get the right answer.")
print("\n")
print("For the above resolutions we can affirm that x == 1, y == 1, z == 1 is a solution of the polynomials system of equations.")

[
[x == -1/r50, y == 1, z == r50],
[x == 0, y == 0, z == -1]
]


Since we manage the bits it's means that x, y, z are in {0,1}.
For the -1 values of the variables, we can add a bit 1 to get the right answer.


For the above resolutions we can affirm that x == 1, y == 1, z == 1 is a solution of the polynomials system of equations.


In [129]:
print("\n")
print("After resolution of the polynomials systems equations for the reduce groebner basis, we get the plaintext (1, 1, 1).")
print("\n")



After resolution of the polynomials systems equations for the reduce groebner basis, we get the plaintext (1, 1, 1).


