In [1]:
# 80-bit key and 64-bit IV.
# Two 80-bit shift registers, one linear and one non-linear

def h(x):
    hx = x[1] + x[4] + x[0]*x[3] + x[2]*x[3] + x[3]*x[4] + x[0]*x[1]*x[2] + \
    x[0]*x[2]*x[3] + x[0]*x[2]*x[4] + x[1]*x[2]*x[4] + x[2]*x[3]*x[4] + l0 + l0
    return hx

def keystream(S,B):
    z = B[1] + B[2] + B[4] + B[10] + B[31] + B[43] + B[56] + h([S[3], S[25], S[46], S[64], B[63]]) + l0 + l0
    return z

def lfsr_update_fw(S):
    temp = S[62] + S[51] + S[38] + S[23] + S[13] + S[0] + l0 + l0
    
    S = S[1:80] + [temp]
    return S

def nfsr_update_fw(B,s):
    temp = S[0] + B[62] + B[60] + B[52] + B[45] + B[37] + B[33] + B[28] + B[21]\
    + B[14] + B[9] + B[0] + B[63]*B[60] + B[37]*B[33] + B[15]*B[9] + B[60]*B[52]*B[45]\
    + B[33]*B[28]*B[21] + B[63]*B[45]*B[28]*B[9] + B[60]*B[52]*B[37]*B[33] + B[63]*B[60]*B[21]*B[15]\
    + B[63]*B[60]*B[52]*B[45]*B[37] + B[33]*B[28]*B[21]*B[15]*B[9] + B[52]*B[45]*B[37]*B[33]*B[28]*B[21] + l0 + l0
    
    B = B[1:80] + [temp]
    return B
    

    
def intersection(A,B):
    temp = []
    for i in range(len(A)):
        if A[i] in B:
            temp.append(A[i])
    return temp

In [None]:
filename = 'Grain-v1_TMDTO_Output.txt'
filename = 'temp.txt'

for keys in range(24):
    import time
    start2 = time.time()

    state_len = 160
    r = [80,80]
    V = BooleanPolynomialRing(state_len,['l%d'%i for i in range(r[0])] + ['n%d'%i for i in range(r[1])])
    V.inject_variables()
    g = list(V.gens())

    S = g[:r[0]]
    B = g[r[0]:]

    
    R = []
    F = []
    G = []
    for i in F:
        if i < r[0]:
            S[i] = 0
        else:
            B[i-r[0]] = 0


    linear = []
    linear_all = []
    n1 = 0
    Z = [0]*keys

    for loop in range(keys):
        Z[loop] = keystream(S,B)
        monom = list(Z[loop].monomials())
        lin = []
        for i in monom:
            if i.degree() > 1:
                n1 += 1
            if i.degree() == 1 and g.index(i) not in linear_all:
                lin = lin + [g.index(i)]
        linear.append(lin)
        linear_all = linear_all + lin
        #print("loop 1st part ",loop)
        if loop != keys-1:
            B = nfsr_update_fw(B,S[0])
            S = lfsr_update_fw(S)

    #print("1st part done")

    #Assigning variables to the registers
    S = g[:r[0]]
    B = g[r[0]:]

    for i in F:
        if i < r[0]:
            S[i] = 0
        else:
            B[i-r[0]] = 0



    import gurobipy as gp
    from gurobipy import GRB
    import numpy as np
    model = gp.Model()


    v = [0,1,2]             # Temporary variable to be used for gurobi variable definition
    aux = [i for i in range(n1)]

    #Let D, F, G represents the class of determined/recovery, Fixed bit, and Guess bit
    #Since these are set and we need variables to denote R,F and G therefore let 2=R, 3=F and 4=G
    #x represents variables for each register and m contains 3 variables for each x[i] i.e. for R,F and G
    x = model.addVars(len(S)+len(B), lb = 2, ub = 4, vtype = GRB.INTEGER, name = "x")
    m = model.addVars(len(S)+len(B), len(v), vtype = GRB.BINARY, name = "m")
    q = model.addVars(len(aux), vtype = GRB.BINARY, name = "q")
    #p = model.addVars(len(aux), vtype = GRB.BINARY, name = "p")
    #r = model.addVars(len(aux), vtype = GRB.BINARY, name = "r")
    model.update()

    model.addConstrs((m[i,0] == 1) for i in R)
    model.addConstrs((m[i,1] == 1) for i in F)
    model.addConstrs((m[i,2] == 1) for i in G)

    #Objective function is to maximize recovery bit and minimize the number of FIXED bit
    model.setObjectiveN(gp.quicksum((m[i,0]) for i in range(state_len)),0,1, GRB.MAXIMIZE)
    model.setObjectiveN(gp.quicksum((m[i,1]) for i in range(state_len)),1,0, GRB.MINIMIZE)
    
    model.addConstrs((x[i] == (2*m[i,0] + 3*m[i,1] + 4*m[i,2])) for i in range(state_len))
    model.addConstrs(m[i,0] + m[i,1] + m[i,2] == 1 for i in range(state_len))

    #Number of recovered bit should be less than or equal to the number of keystream equations
    #model.addConstr(gp.quicksum(m[i,0] for i in range(state_len)) == keys)
    model.addConstr(gp.quicksum(m[i,0] for i in range(state_len) if i not in linear_all) == 0)

    count = 0
    cnt = 0
    for loop in range(keys):
        z = Z[loop]
        #z_var contains the index of variables in Z
        #z_var = np.array(z.variables())
        #z_var = [g.index(i) for i in z_var]
        z_monom = np.array(z.monomials())

        z_linear = [g.index(i) for i in z_monom if i.degree() == 1]

        #z_nlinear = [list(i.variables()) for i in z_monom if len(i.variables()) > 1]
        #z_nlinear = [g.index(z_nlinear[i][j]) for i in range(len(z_nlinear)) for j in range(len(z_nlinear[i]))]
        #z_nlinear = list(set(z_nlinear))


        #linear_new = [i for i in z_linear if i not in (linear + z_nlinear)]
        #z_linear_org = [i for i in z_linear if i not in z_nlinear]


        #One of the linear term variables which is not in the previous linear term has one recovered bit
        model.addConstr(gp.quicksum(m[i,0] for i in linear[loop]) <= 1)    
        #model.addConstr(gp.quicksum(m[i,0] for i in z_linear) <= loop + 1) 



        for mon in z_monom:
            if mon.degree() > 1:
                var = list(mon.variables())
                var = [g.index(i) for i in var]
                inters = [0]*len(linear)
                n = [0]*len(linear)
                for l in range(len(linear)):
                    inters[l] = intersection(var,linear[l])
                    n[l] = len(inters[l])

                C_prev = [n[i] for i in range(loop)] 
                C_current = [n[loop]]
                C_future = [n[i] for i in range(loop+1,keys,1)]

                #Case 1: recovered var in mon and is in linear
                #if sum(C_prev) > 0 and sum(C_current) == 0 and sum(C_future) == 0 :
                #    #if recovery found then guess
                #    model.addConstr((p[count] == 0) >> (gp.quicksum(m[i,0] for i in var) == 0))
                #    model.addConstr((p[count] == 1) >> (gp.quicksum((m[i,1] + m[i,2]) for i in var) >= len(var) - sum(C_prev)))
                #    count += 1

                #Case 2: recovered var in mon and is in z_linear-linear
                if (sum(C_current + C_future) > 0):
                    #if recovery found then fix to zero
                    prev = []
                    for k in range(loop):
                        prev = prev + inters[k]
                    #var_ge = [i for i in var if i not in prev]
                    
                    var_ge = []
                    for k in range(loop,len(linear),1):
                        var_ge = var_ge + inters[k]

                    model.addConstr((q[count] == 0) >> (gp.quicksum(m[i,0] for i in var_ge) == 0))
                    model.addConstr((q[count] == 1) >> (gp.quicksum(m[i,1] for i in var) >= 1))
                    count += 1

                #if (sum(C_prev + C_current + C_future) == 0): 
                #    model.addConstr(gp.quicksum((m[i,0]) for i in var) == 0)
        #print("2nd part loop ", loop)
    #print("2nd part done")
    import time

    model.params.outputflag = 0
    start = time.time()
    model.optimize()
    end = time.time() - start

    print("Keystream = ",keys)
    print("status",model.STATUS)
    
    f = open(filename,'a')
    f.write("\nKeystream = " + str(keys))
    f.write("\nStatus " + str(model.STATUS) + "\n")
    
    if model.STATUS == 2:
        val = model.x
        R = []
        F = []
        G = []
        for i in range(state_len):
            if round(val[i]) == 2:
                R.append(i)
            if round(val[i]) == 3:
                F.append(i)
            if round(val[i]) == 4:
                G.append(i)



        Rec = [g[i] for i in R]
        Fix = [g[i] for i in F]
        Guess = [g[i] for i in G]
        print("Recovery Bit ",Rec)
        print("Fixed Bit ",Fix)
        print("Guessed Bit ",Guess)
        
        f.write(str("Recovery Bit ") + str(Rec) + "\n")
        f.write(str("Fixed Bit ") + str(Fix) + "\n")
        f.write(str("Guessed Bit ") + str(Guess) + "\n")
        
        print(len(R),len(F))
        if (len(R) + len(F) + len(G) == state_len) and len(intersection(R,F) + intersection(F,G) + intersection(R,G)) == 0:
            print("Length verified")
            f.write("\nLength Verified\n\n")
    end2 = time.time()-start2
    print("Gurobi Time = ", end)
    print("Overall Time = ", end2)
    f.close()
    
    
    
    #keys = len(R)
    S = g[:r[0]]
    B = g[r[0]:]

    #########################Fixed bit##########################
    for i in F:
        if i < r[0]:
            S[i] = 0
        else:
            B[i-r[0]] = 0
            

    Rec = [g[i] for i in R]
    print("Recovered Bits are ", Rec)
    Fix = [g[i] for i in F]
    print("Fixed Bits are ", Fix)



    R_past = []
    L_rec = []
    cnt = 0
    flag = 1
    for i in range(keys):
        z = keystream(S,B)
        monom = list(z.monomials())
        t_var = list(z.variables())

        R_past = R_past + list(set(L_rec))
        m_rec = []
        for m in monom:
            m_var = list(m.variables())
            if (len(m_var) == 1) and (len(intersection(m_var,Rec)) > 0):
                L_rec = L_rec + m_var

            if (len(m_var) > 1) and (len(intersection(m_var,Rec)) > 0):
                m_rec = m_rec + [m]
        #print("monomials containing recovery bits (degree > 1) ",m_rec)

        for m in m_rec:
            m_var = list(m.variables())
            #Now L_rec contains current and past recovery bit in linear terms
            #Whereas R_past contains only the past recovery bit in linear terms
            if len(intersection(m_var,Rec)) > len(intersection(m_var,R_past)):
                f = open(filename,'a')
                f.write("\nError --- Future recovery bits found\n" + str(m))
                f.close()
                print("Error --- Future recovery bits found")
                print(m)

        L_rec = list(set(L_rec))
        if len(L_rec) != cnt + 1:
            flag = 0
        cnt = len(L_rec)
        #print("Recovery bits till now in linear terms ",L_rec)
        
        B = nfsr_update_fw(B,S[0])
        S = lfsr_update_fw(S)
        

    f = open(filename,'a')
    if flag == 0:
        print("Failed")
        f.write("\nFailed\n")
    else:
        print("Passed")
        f.write("\nPassed\n")
        
        #import csv
        #with open('Grainv1_TMDTO_MILP_DATA.csv','a') as f:
        #    writer = csv.writer(f)
        #    #writer.writerow(['Number of Recovered bits','Number of Fixed bits','Recovered bits','Fixed bits'])
        #    writer.writerow([len(R),len(F),Rec,Fix])
    f.close()

Defining l0, l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l14, l15, l16, l17, l18, l19, l20, l21, l22, l23, l24, l25, l26, l27, l28, l29, l30, l31, l32, l33, l34, l35, l36, l37, l38, l39, l40, l41, l42, l43, l44, l45, l46, l47, l48, l49, l50, l51, l52, l53, l54, l55, l56, l57, l58, l59, l60, l61, l62, l63, l64, l65, l66, l67, l68, l69, l70, l71, l72, l73, l74, l75, l76, l77, l78, l79, n0, n1, n2, n3, n4, n5, n6, n7, n8, n9, n10, n11, n12, n13, n14, n15, n16, n17, n18, n19, n20, n21, n22, n23, n24, n25, n26, n27, n28, n29, n30, n31, n32, n33, n34, n35, n36, n37, n38, n39, n40, n41, n42, n43, n44, n45, n46, n47, n48, n49, n50, n51, n52, n53, n54, n55, n56, n57, n58, n59, n60, n61, n62, n63, n64, n65, n66, n67, n68, n69, n70, n71, n72, n73, n74, n75, n76, n77, n78, n79
Set parameter Username
Academic license - for non-commercial use only - expires 2023-12-30
Keystream =  0
status 2
Recovery Bit  []
Fixed Bit  []
Guessed Bit  [l0, l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l1

Passed
Defining l0, l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l14, l15, l16, l17, l18, l19, l20, l21, l22, l23, l24, l25, l26, l27, l28, l29, l30, l31, l32, l33, l34, l35, l36, l37, l38, l39, l40, l41, l42, l43, l44, l45, l46, l47, l48, l49, l50, l51, l52, l53, l54, l55, l56, l57, l58, l59, l60, l61, l62, l63, l64, l65, l66, l67, l68, l69, l70, l71, l72, l73, l74, l75, l76, l77, l78, l79, n0, n1, n2, n3, n4, n5, n6, n7, n8, n9, n10, n11, n12, n13, n14, n15, n16, n17, n18, n19, n20, n21, n22, n23, n24, n25, n26, n27, n28, n29, n30, n31, n32, n33, n34, n35, n36, n37, n38, n39, n40, n41, n42, n43, n44, n45, n46, n47, n48, n49, n50, n51, n52, n53, n54, n55, n56, n57, n58, n59, n60, n61, n62, n63, n64, n65, n66, n67, n68, n69, n70, n71, n72, n73, n74, n75, n76, n77, n78, n79
Keystream =  5
status 2
Recovery Bit  [n6, n8, n13, n31, n44]
Fixed Bit  []
Guessed Bit  [l0, l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l14, l15, l16, l17, l18, l19, l20, l21, l22, l23, l24, 

Passed
Defining l0, l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l14, l15, l16, l17, l18, l19, l20, l21, l22, l23, l24, l25, l26, l27, l28, l29, l30, l31, l32, l33, l34, l35, l36, l37, l38, l39, l40, l41, l42, l43, l44, l45, l46, l47, l48, l49, l50, l51, l52, l53, l54, l55, l56, l57, l58, l59, l60, l61, l62, l63, l64, l65, l66, l67, l68, l69, l70, l71, l72, l73, l74, l75, l76, l77, l78, l79, n0, n1, n2, n3, n4, n5, n6, n7, n8, n9, n10, n11, n12, n13, n14, n15, n16, n17, n18, n19, n20, n21, n22, n23, n24, n25, n26, n27, n28, n29, n30, n31, n32, n33, n34, n35, n36, n37, n38, n39, n40, n41, n42, n43, n44, n45, n46, n47, n48, n49, n50, n51, n52, n53, n54, n55, n56, n57, n58, n59, n60, n61, n62, n63, n64, n65, n66, n67, n68, n69, n70, n71, n72, n73, n74, n75, n76, n77, n78, n79
Keystream =  10
status 2
Recovery Bit  [n1, n8, n12, n17, n37, n44, n46, n48, n51, n52]
Fixed Bit  []
Guessed Bit  [l0, l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l14, l15, l16, l17, l18, l19,

Passed
Defining l0, l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l14, l15, l16, l17, l18, l19, l20, l21, l22, l23, l24, l25, l26, l27, l28, l29, l30, l31, l32, l33, l34, l35, l36, l37, l38, l39, l40, l41, l42, l43, l44, l45, l46, l47, l48, l49, l50, l51, l52, l53, l54, l55, l56, l57, l58, l59, l60, l61, l62, l63, l64, l65, l66, l67, l68, l69, l70, l71, l72, l73, l74, l75, l76, l77, l78, l79, n0, n1, n2, n3, n4, n5, n6, n7, n8, n9, n10, n11, n12, n13, n14, n15, n16, n17, n18, n19, n20, n21, n22, n23, n24, n25, n26, n27, n28, n29, n30, n31, n32, n33, n34, n35, n36, n37, n38, n39, n40, n41, n42, n43, n44, n45, n46, n47, n48, n49, n50, n51, n52, n53, n54, n55, n56, n57, n58, n59, n60, n61, n62, n63, n64, n65, n66, n67, n68, n69, n70, n71, n72, n73, n74, n75, n76, n77, n78, n79
Keystream =  15
status 2
Recovery Bit  [n4, n15, n17, n19, n21, n22, n23, n24, n37, n39, n41, n44, n46, n47, n58]
Fixed Bit  []
Guessed Bit  [l0, l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l14

Keystream =  19
status 2
Recovery Bit  [l43, n10, n15, n18, n21, n22, n23, n24, n25, n26, n27, n37, n38, n44, n45, n46, n52, n53, n60]
Fixed Bit  [l64]
Guessed Bit  [l0, l1, l2, l3, l4, l5, l6, l7, l8, l9, l10, l11, l12, l13, l14, l15, l16, l17, l18, l19, l20, l21, l22, l23, l24, l25, l26, l27, l28, l29, l30, l31, l32, l33, l34, l35, l36, l37, l38, l39, l40, l41, l42, l44, l45, l46, l47, l48, l49, l50, l51, l52, l53, l54, l55, l56, l57, l58, l59, l60, l61, l62, l63, l65, l66, l67, l68, l69, l70, l71, l72, l73, l74, l75, l76, l77, l78, l79, n0, n1, n2, n3, n4, n5, n6, n7, n8, n9, n11, n12, n13, n14, n16, n17, n19, n20, n28, n29, n30, n31, n32, n33, n34, n35, n36, n39, n40, n41, n42, n43, n47, n48, n49, n50, n51, n54, n55, n56, n57, n58, n59, n61, n62, n63, n64, n65, n66, n67, n68, n69, n70, n71, n72, n73, n74, n75, n76, n77, n78, n79]
19 1
Length verified
Gurobi Time =  0.049721479415893555
Overall Time =  6.822531223297119
Recovered Bits are  [l43, n10, n15, n18, n21, n22, n23, n24, n2

In [4]:
#keys = len(R)
R = [r[0]+i for i in range(32)]
F = []
G = [i for i in range(160) if i not in R+F]
#keys = len(R)
S = g[:r[0]]
B = g[r[0]:]

#########################Fixed bit##########################
for i in F:
    if i < r[0]:
        S[i] = 0
    else:
        B[i-r[0]] = 0


Rec = [g[i] for i in R]
print("Recovered Bits are ", Rec)
Fix = [g[i] for i in F]
print("Fixed Bits are ", Fix)
keys = 34
R_past = []
L_rec = []
cnt = 0
flag = 1
for i in range(keys):
    z = keystream(S,B)
    monom = list(z.monomials())
    t_var = list(z.variables())

    R_past = R_past + list(set(L_rec))
    m_rec = []
    for m in monom:
        m_var = list(m.variables())
        if (len(m_var) == 1) and (len(intersection(m_var,Rec)) > 0):
            L_rec = L_rec + m_var

        if (len(m_var) > 1) and (len(intersection(m_var,Rec)) > 0):
            m_rec = m_rec + [m]
    #print("monomials containing recovery bits (degree > 1) ",m_rec)

    for m in m_rec:
        m_var = list(m.variables())
        #Now L_rec contains current and past recovery bit in linear terms
        #Whereas R_past contains only the past recovery bit in linear terms
        #if len(intersection(m_var,Rec)) > len(intersection(m_var,R_past)):
        #    print("Error --- Future recovery bits found")
        #    print(m)

    L_rec = list(set(L_rec))
    if len(L_rec) != cnt + 1:
        flag = 0
    cnt = len(L_rec)
    print("Recovery bits till now in linear terms ",L_rec)

    B = nfsr_update_fw(B,S[0])
    S = lfsr_update_fw(S)



if flag == 0:
    print("Failed")
else:
    print("Passed")
    

    

Recovered Bits are  [n0, n1, n2, n3, n4, n5, n6, n7, n8, n9, n10, n11, n12, n13, n14, n15, n16, n17, n18, n19, n20, n21, n22, n23, n24, n25, n26, n27, n28, n29, n30, n31]
Fixed Bits are  []
Recovery bits till now in linear terms  [n10, n4, n2, n1, n31]
Recovery bits till now in linear terms  [n10, n11, n5, n4, n3, n2, n1, n31]
Recovery bits till now in linear terms  [n10, n11, n5, n4, n6, n3, n2, n1, n31, n12]
Recovery bits till now in linear terms  [n10, n11, n6, n5, n4, n3, n2, n1, n31, n12, n7, n13]
Recovery bits till now in linear terms  [n10, n14, n11, n5, n6, n4, n3, n8, n2, n1, n31, n12, n7, n13]
Recovery bits till now in linear terms  [n10, n14, n11, n6, n5, n4, n15, n3, n8, n2, n1, n31, n12, n7, n13, n9]
Recovery bits till now in linear terms  [n10, n14, n11, n16, n5, n6, n4, n15, n3, n8, n2, n1, n31, n12, n7, n13, n9]
Recovery bits till now in linear terms  [n10, n14, n11, n16, n5, n6, n4, n15, n17, n3, n8, n2, n1, n31, n12, n7, n13, n9]
Recovery bits till now in linear terms