In [12]:
# Define the finite field GF(2^5) with generator a.
F.<a> = GF(2^5)
print("Irreducible polynomial:", F.modulus())

# --- MiMC encryption functions ---

def mimc_round(x):
    """
    One round of MiMC: add constant 1 and cube.
    """
    return (x + 1)**3

def two_round_mimc(x):
    """
    Two rounds of MiMC encryption.
    """
    return mimc_round(mimc_round(x))

# --- Integral over a subspace ---

def integral_attack_two_round_mimc(base, subspace_basis=None):
    """
    Given a base element in GF(2^5), compute the sum of the two-round MiMC encryption
    over an affine subspace of dimension 3. That is, if U is a 3-dimensional subspace of GF(2^5)
    and base is an offset, then compute:
    
         S(base) = sum_{u in U} f(base + u),
         
    where f is the two-round MiMC function.
    
    Parameters:
      base : an element of GF(2^5) representing the offset of the affine subspace.
      subspace_basis : a list of 3 elements of GF(2^5) forming a basis for a subspace.
                       If None, defaults to [1, a, a^2].
    
    Returns:
      The sum S(base) in GF(2^5) of f(x) over x in (base + U).
    """
    # Default subspace basis: span{1, a, a^2} (they are linearly independent in GF(2^5)).
    if subspace_basis is None:
        subspace_basis = [F(1), a, a^2]
    
    # Construct the subspace U = { c0*v0 + c1*v1 + c2*v2 : c_i in GF(2) }.
    U = []
    for c0 in [F(0), F(1)]:
        for c1 in [F(0), F(1)]:
            for c2 in [F(0), F(1)]:
                U.append(c0 * subspace_basis[0] + c1 * subspace_basis[1] + c2 * subspace_basis[2])
    
    # Compute the sum over the affine subspace: base + U.
    s = F(0)
    for u in U:
        print(base,u)
        print(s)
        s += two_round_mimc(base + u)
    return s

# --- Example usage ---
# Choose a base element (for example, 0) and compute the sum over the affine subspace.
base = F(0)
result = integral_attack_two_round_mimc(base)
print("\nSum over affine subspace (base = %s): %s" % (base, result))


Irreducible polynomial: x^5 + x^2 + 1
0 0
0
0 a^2
0
0 a
a^4 + 1
0 a^2 + a
a^4 + a^2
0 1
a^3 + a + 1
0 a^2 + 1
a^3 + a
0 a + 1
a^3 + a^2
0 a^2 + a + 1
a^4 + a^2 + 1

Sum over affine subspace (base = 0): 0


In [13]:
# Define the finite field GF(2^5) with generator a.
F.<a> = GF(2^5)
print("Irreducible polynomial:", F.modulus())

# Define a polynomial ring for the round constants over F.
# For example, if we want three rounds, we define three symbolic constants: k1, k2, k3.
Rk.<k1, k2, k3> = PolynomialRing(F)

# Now define a polynomial ring in x over Rk.
P.<x> = PolynomialRing(Rk)

def mimc_round_symbolic(x, k):
    """
    One round of MiMC: (x + k)^3,
    where k is a symbolic round constant.
    """
    return (x + k)**3

def iterated_mimc_symbolic(x, k_list):
    """
    Iterated MiMC encryption with a list of symbolic round constants.
    
    Parameters:
      x : an element of the polynomial ring P.
      k_list : a list of round constants (from Rk) to be used symbolically.
    
    Returns:
      The symbolic expression of the iterated MiMC function.
    """
    for k in k_list:
        x = mimc_round_symbolic(x, k)
    return x

# Example: Build a 3-round MiMC symbolic expression.
f_symbolic = iterated_mimc_symbolic(x, [k1, k2, k3])
print("\nSymbolic expression for 3-round MiMC with variable round constants:")
print(f_symbolic)


Irreducible polynomial: x^5 + x^2 + 1

Symbolic expression for 3-round MiMC with variable round constants:
x^27 + k1*x^26 + k1^2*x^25 + (k1^3 + k2)*x^24 + k1^8*x^19 + (k1^9 + k3)*x^18 + k1^10*x^17 + (k1^11 + k1^8*k2 + k1^2*k3)*x^16 + k2^2*k3*x^12 + k1^16*x^11 + k1^17*x^10 + (k1^18 + k3^2)*x^9 + (k1^19 + k1^16*k2 + k1^4*k2^2*k3 + k1*k3^2)*x^8 + (k2^4*k3 + k2*k3^2)*x^6 + (k1^8*k2^2*k3 + k1^2*k2^4*k3 + k1^2*k2*k3^2)*x^4 + (k1^24 + k2^8 + k2^2*k3^2)*x^3 + (k1^25 + k1^16*k3 + k1*k2^8 + k1^4*k2^4*k3 + k1^4*k2*k3^2 + k1*k2^2*k3^2)*x^2 + (k1^26 + k1^2*k2^8 + k1^8*k3^2 + k1^2*k2^2*k3^2)*x + k1^27 + k1^24*k2 + k1^18*k3 + k1^12*k2^2*k3 + k1^3*k2^8 + k1^6*k2^4*k3 + k1^9*k3^2 + k2^9 + k1^6*k2*k3^2 + k2^6*k3 + k1^3*k2^2*k3^2 + k2^3*k3^2 + k3^3
