### Code of basic MIMC 2^n


In [40]:
from math import ceil, log
from sage.all import GF, gcd, inverse_mod

def find_exponent_GF2n(n):
    """
    For GF(2^n), return an odd exponent (starting at 3) 
    that is relatively prime to (2^n - 1).
    """
    field_size = 2**n
    d = 3  # start with 3 (do not choose 2 because the squaring map is linear)
    while gcd(d, field_size - 1) != 1:
        d += 2  # only consider odd numbers
    return d

class miniMiMC:
    def __init__(self, n, number_of_rounds=None, optional_x=None):
        """
        Initialize MiMC over GF(2^n). 
        n: the extension degree (with GF size = 2^n, n odd)
        """
        # Set up the field GF(2^n)
        self.field_size = 2**n
        self.field = GF(self.field_size, 'a')
        
        # Choose a non-linear exponent appropriate for fields of characteristic 2.
        self.exponent = find_exponent_GF2n(n)
        
        # Determine number of rounds if not explicitly provided.
        if number_of_rounds is None:
            self.number_of_rounds = ceil(log(self.field_size, self.exponent))
        else:       
            self.number_of_rounds = number_of_rounds
        
        # Define a polynomial ring over GF(2^n)
        self.R = self.field['X']
        self.X = self.R.gen()
        # Reduction polynomial: X^(2^n) - X ensures unique representation 
        # of functions GF(2^n) -> GF(2^n) with degree < 2^n.
        self.reduction_poly = self.X**self.field_size - self.X

    def round_function(self, x, ki):
        """
        MiMC round function: adds the round constant then raises to the chosen exponent.
        Reduction modulo X^(2^n) - X is applied.
        """
        result = (x + ki) ** self.exponent
        result = result % self.reduction_poly
        return result

    def encrypt(self, plaintext, master_key):
        """
        Encrypt plaintext by applying the MiMC rounds.
        Each round uses a round constant defined as (master_key + field(i)).
        """
        x = plaintext
        for i in range(self.number_of_rounds):
            round_key = master_key + self.field(i)
            print(f'Round {i} key: {round_key}')
            x = self.round_function(x, round_key)
            print(f'After round {i}: {x}')
        return x

    def decrypt(self, ciphertext, master_key):
        """
        Decrypt by reversing the rounds.
        For each round in reverse order, apply the inverse exponent and then
        add back the corresponding round constant (note: in characteristic 2,
        subtraction is the same as addition).
        """
        x = ciphertext 
        inv_exp = inverse_mod(self.exponent, self.field_size - 1)
        for i in reversed(range(self.number_of_rounds)):
            round_key = master_key + self.field(i)
            x = (x ** inv_exp) + round_key
            x = x % self.reduction_poly
        return x

# Example test code for MiMC over GF(2^n) with input X from the polynomial ring

def test_mimc_with_X():
    # Choose an odd n; here we use n = 5 (GF(2^5))
    n = 5
    mimc = miniMiMC(n, number_of_rounds=20)
    
    print("MiMC over GF(2^%d)" % n)
    print("Field:", mimc.field)
    print("Chosen exponent:", mimc.exponent)
    print("Number of rounds:", mimc.number_of_rounds)
    
    # Set a master key (ensure it is in GF(2^n); here we choose 2)
    master_key = mimc.field(2)
    print("\nMaster key:", master_key)
    
    # Use the polynomial ring generator X as plaintext.
    plaintext = mimc.X
    print("\nPlaintext (polynomial X):", plaintext)
    
    # Encrypt the plaintext
    ciphertext = mimc.encrypt(plaintext, master_key)
    print("\nCiphertext:", ciphertext)
    
    # Decrypt the ciphertext
    decrypted = mimc.decrypt(ciphertext, master_key)
    print("\nDecrypted:", decrypted)
    
    # Verify if decryption recovers the original plaintext
    if decrypted == plaintext:
        print("\nTest Passed: Decrypted text equals plaintext.")
    else:
        print("\nTest Failed: Decrypted text does not equal plaintext.")

# Run the test
if __name__ == "__main__":
    test_mimc_with_X()


MiMC over GF(2^5)
Field: Finite Field in a of size 2^5
Chosen exponent: 3
Number of rounds: 20

Master key: 0

Plaintext (polynomial X): X
Round 0 key: 0
After round 0: X^3
Round 1 key: 1
After round 1: X^9 + X^6 + X^3 + 1
Round 2 key: 0
After round 2: X^27 + X^24 + X^3 + 1
Round 3 key: 1
After round 3: X^30 + X^26 + X^20 + X^19 + X^16 + X^13 + X^10 + X^9 + X^2
Round 4 key: 0
After round 4: X^30 + X^27 + X^26 + X^23 + X^20 + X^17 + X^9
Round 5 key: 1
After round 5: X^30 + X^29 + X^28 + X^26 + X^25 + X^23 + X^22 + X^20 + X^19 + X^17 + X^16 + X^15 + X^11 + X^10 + X^9 + X^8 + X^5 + X^4 + X^3 + X^2 + X + 1
Round 6 key: 0
After round 6: X^30 + X^29 + X^25 + X^24 + X^21 + X^20 + X^19 + X^18 + X^16 + X^10 + X^9 + X^8 + X^6 + X^2 + X + 1
Round 7 key: 1
After round 7: X^30 + X^29 + X^28 + X^26 + X^25 + X^22 + X^19 + X^17 + X^16 + X^14 + X^13 + X^11 + X^10 + X^8 + X^5 + X^3 + X
Round 8 key: 0
After round 8: X^28 + X^25 + X^24 + X^23 + X^22 + X^21 + X^20 + X^19 + X^18 + X^16 + X^15 + X^13 + X^11 