# Ciminion Polynomial Model
Usage example of the Ciminion polynomial model.

In [1]:
using Oscar
include("Ciminion.jl")
include("Ciminion_polynomial_model.jl")

generate_Ciminion_polynomials (generic function with 1 method)

## Ciminion Instance

In [2]:
K = GF(10007)

ciminion = Ciminion_constructor(field=K, rounds_C=3, rounds_E=3, info_level=1);

Ciminion parameters
Field: Prime field of characteristic 10007
Rounds_C: 3
Rounds_E: 3
Constants_C: [7860 3302 205; 1232 7053 6913; 4278 4502 1979; 4869 5685 3680]
Constants_E: [1549 1454 5521; 8640 4234 1968; 9709 4345 4575; 6600 2818 3944]


In [3]:
plain = zero_matrix(K, 2, 1)
plain[1, 1] = rand(K)
plain[2, 1] = rand(K)
plain

In [4]:
key = zero_matrix(K, 2, 1)
key[1, 1] = rand(K)
key[2, 1] = rand(K)
key

In [5]:
nonce = rand(K)
nonce

In [6]:
cipher = encrypt(plain, key, nonce, ciminion)

In [7]:
plain == decrypt(cipher, key, nonce, ciminion)

true

## Ciminion Polynomial Model
Generate the Ciminion polynomial model and compute a degree reverse lexicographic (DRL) Gröbner basis.

In [8]:
polys = generate_Ciminion_polynomials(ciminion=ciminion);

Plaintext: [5679; 9510]
Key: [5517; 2014]
Ciphertext: [3773; 2354]
Nonce: 8738
Term order: degrevlex


### Inefficient Term Order
Compute the DRL Gröbner basis with F4 in the ring the model was generated in, whose variable order is inefficient.

In [9]:
gb = groebner_basis_f4(ideal(polys), nr_thrds=16, info_level=2)


Legend for f4 information
--------------------------------------------------------
deg       current degree of pairs selected in this round
sel       number of pairs selected in this round
pairs     total number of pairs in pair list
mat       matrix dimensions (# rows x # columns)
density   density of the matrix
new data  # new elements for basis in this round
          # zero reductions during linear algebra
time(rd)  time of the current f4 round in seconds given
          for real and cpu time
--------------------------------------------------------

deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  2      11      11      21 x 29         15.93%       11 new       0 zero         0.00 | 0.01         
  2       4       4      29 x 45         11.42%        4 new       0 zero         0.00 | 0.00         
  3       2       2      26


--------------- INPUT DATA ---------------
#variables                      18
#equations                      18
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ----------------
overall(elapsed)        0.01 sec
overall(cpu)            0.02 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
--------------------------------

Gröbner basis with elements
  1: x_E_2__3 + 10006*x + 7155
  2: x_E_1__3 + 3944*x + 7945
  3: x_E_2__2 + 10006*x_E_3__3 + 6063*x + 4953
  4: x_E_1__2 + 2818*x_E_3__3 + 10006*x + 5740
  5: x_E_3__1 + 4865*x_E_3__2 + 2525*x_E_3__3 + 8276*y_1 + 5802*y_2 + 4390*x + 2246
  6: x_E_2__1 + 10006*x_E_3__2 + 7189*x_E_3__3 + x + 2420
  7: x_E_1__1 + 6600*x_E_3__2 + 10006*x_E_3__3 + 6063*x + 9014
  8: x_C_3__2 + 9329*x_E_3__2 + 1685*x_E_3__3 + 5201*y_1 + 8716*y_2 + 6106*x + 1041
  9: x_C_2__2 + 8272*x_E_3__2 + 2526*x_E_3__3 + 8276*y_1 + 5802*y_2 + 8334*x + 5013
  10: x_C_1__2 + 9329*x_E_3__2 + 1685*x_E_3__3 + 5628*y_1 + 3578*y_2 + 6106*x + 2204
  11: x_C_3__1 + 1268*y_1 + 10006*y_2 + 5729
  12: x_C_2__1 + 9580*y_1 + 5138*y_2 + 37
  13: x_C_1__1 + 1269*y_1 + 10006*y_2 + 2147
  14: x^2 + 1804*x_E_3__3 + 96*x + 4325
  15: y_1^2 + 3709*y_1*y_2 + 6850*y_2^2 + 8936*x_E_3__2 + 3503*x_E_3__3 + 9424*y_1 + 4153*y_2 + 5306*x + 9300
  16: x_E_3__3^2 + 6689*x_E_3__3*x + 2745*x_E_3__2 + 2517*x_E_3__3 + 8740*x +

### Efficient Term Order
Compute the DRL Gröbner basis with F4 with respect to an efficient term order.

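First we construct a homomorphism from the original ring P to a ring Q that has the same variables in an efficient DRL order: y_1 and y_2 first, then the x_C and x_E variables, then x.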

In [10]:
P = parent(polys[1])
variables = gens(P)

18-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_E_1__1
 x_E_2__1
 x_E_3__1
 x_E_1__2
 x_E_2__2
 x_E_3__2
 x_E_1__3
 x_E_2__3
 x_E_3__3
 y_1
 y_2
 x

In [11]:
variables_Q = String[]

for var in variables
    push!(variables_Q, string(var))
end

In [12]:
# Reorder the variable names: y_1 and y_2 first, then the x_C/x_E variables, then x.
variables_Q = [
    variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 1:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 2];
    variables_Q[1:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E)];
    variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3]
]

Q, variables_Q = polynomial_ring(base_ring(P), variables_Q, internal_ordering=:degrevlex)

(Multivariate polynomial ring in 18 variables over K, FqMPolyRingElem[y_1, y_2, x_C_1__1, x_C_2__1, x_C_3__1, x_C_1__2, x_C_2__2, x_C_3__2, x_E_1__1, x_E_2__1, x_E_3__1, x_E_1__2, x_E_2__2, x_E_3__2, x_E_1__3, x_E_2__3, x_E_3__3, x])

In [13]:
# Images in Q of the generators of P, listed in P's generator order.
variables_tmp = [
                 variables_Q[2 + 1:2 + 3 * (ciminion.rounds_C - 1 + ciminion.rounds_E)];
                 variables_Q[1:2];
                 variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3];
                ]

18-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_E_1__1
 x_E_2__1
 x_E_3__1
 x_E_1__2
 x_E_2__2
 x_E_3__2
 x_E_1__3
 x_E_2__3
 x_E_3__3
 y_1
 y_2
 x

In [14]:
h = hom(P, Q, variables_tmp)

Ring homomorphism
  from multivariate polynomial ring in 18 variables over K
  to multivariate polynomial ring in 18 variables over K
defined by
  x_C_1__1 -> x_C_1__1
  x_C_2__1 -> x_C_2__1
  x_C_3__1 -> x_C_3__1
  x_C_1__2 -> x_C_1__2
  x_C_2__2 -> x_C_2__2
  x_C_3__2 -> x_C_3__2
  x_E_1__1 -> x_E_1__1
  x_E_2__1 -> x_E_2__1
  x_E_3__1 -> x_E_3__1
  x_E_1__2 -> x_E_1__2
  x_E_2__2 -> x_E_2__2
  x_E_3__2 -> x_E_3__2
  x_E_1__3 -> x_E_1__3
  x_E_2__3 -> x_E_2__3
  x_E_3__3 -> x_E_3__3
  y_1 -> y_1
  y_2 -> y_2
  x -> x

Now we compute the DRL Gröbner basis with respect to the efficient term order.

In [15]:
gb_Q = groebner_basis_f4(h(ideal(polys)), nr_thrds=16, info_level=2)


Legend for f4 information
--------------------------------------------------------
deg       current degree of pairs selected in this round
sel       number of pairs selected in this round
pairs     total number of pairs in pair list
mat       matrix dimensions (# rows x # columns)
density   density of the matrix
new data  # new elements for basis in this round
          # zero reductions during linear algebra
time(rd)  time of the current f4 round in seconds given
          for real and cpu time
--------------------------------------------------------

deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  1       2      12       3 x 6          66.67%        2 new       0 zero         0.00 | 0.00         
  2      11      11      17 x 23         20.20%       11 new       0 zero         0.00 | 0.00         
  2       5       5      33


--------------- INPUT DATA ---------------
#variables                      18
#equations                      18
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ----------------
overall(elapsed)        0.00 sec
overall(cpu)            0.00 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
--------------------------------

Gröbner basis with elements
  1: x_E_2__3 + 10006*x + 7155
  2: x_E_1__3 + 3944*x + 7945
  3: x_E_2__2 + 10006*x_E_3__3 + 6063*x + 4953
  4: x_E_1__2 + 2818*x_E_3__3 + 10006*x + 5740
  5: x_E_2__1 + 10006*x_E_3__2 + 7189*x_E_3__3 + x + 2420
  6: x_E_1__1 + 6600*x_E_3__2 + 10006*x_E_3__3 + 6063*x + 9014
  7: x_C_2__2 + 10006*x_E_3__1 + 3407*x_E_3__2 + x_E_3__3 + 3944*x + 2767
  8: x_C_1__2 + 3680*x_E_3__1 + 10006*x_E_3__2 + 7189*x_E_3__3 + x + 1702
  9: x_C_3__1 + 9635*x_C_3__2 + 1999*x_E_3__1 + 372*x_E_3__2 + 7568*x_E_3__3 + 9635*x + 5361
  10: x_C_2__1 + 10006*x_C_3__2 + 6327*x_E_3__1 + x_E_3__2 + 2818*x_E_3__3 + 10006*x + 9505
  11: x_C_1__1 + 5685*x_C_3__2 + 10006*x_E_3__1 + 3407*x_E_3__2 + x_E_3__3 + 3944*x + 3849
  12: y_2 + 4728*x_C_3__2 + 6228*x_E_3__1 + 4687*x_E_3__2 + 5811*x_E_3__3 + 769*x + 6713
  13: y_1 + 3950*x_C_3__2 + 2000*x_E_3__1 + 6972*x_E_3__2 + 7567*x_E_3__3 + 5691*x + 7937
  14: x^2 + 1804*x_E_3__3 + 96*x + 4325
  15: x_E_3__3^2 + 6689*x_E_3__3*x + 2745*x_E_3__2 + 
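
The two bases above differ only in variable order, and for their linear elements the difference can be reproduced by hand: the linear elements of a reduced DRL Gröbner basis are the reduced row echelon form of the ideal's linear polynomials, with columns sorted by the variable order. The following added example (not part of the original notebook, written in Python so it runs without Oscar) row-reduces elements 1-13 of the first basis under both orders; `parse`, `linear_part`, `STATE` and `ORDERS` are names introduced here.

```python
P = 10007  # field characteristic of the instance on the page
LINEAR_GB = """\
x_E_2__3 + 10006*x + 7155
x_E_1__3 + 3944*x + 7945
x_E_2__2 + 10006*x_E_3__3 + 6063*x + 4953
x_E_1__2 + 2818*x_E_3__3 + 10006*x + 5740
x_E_3__1 + 4865*x_E_3__2 + 2525*x_E_3__3 + 8276*y_1 + 5802*y_2 + 4390*x + 2246
x_E_2__1 + 10006*x_E_3__2 + 7189*x_E_3__3 + x + 2420
x_E_1__1 + 6600*x_E_3__2 + 10006*x_E_3__3 + 6063*x + 9014
x_C_3__2 + 9329*x_E_3__2 + 1685*x_E_3__3 + 5201*y_1 + 8716*y_2 + 6106*x + 1041
x_C_2__2 + 8272*x_E_3__2 + 2526*x_E_3__3 + 8276*y_1 + 5802*y_2 + 8334*x + 5013
x_C_1__2 + 9329*x_E_3__2 + 1685*x_E_3__3 + 5628*y_1 + 3578*y_2 + 6106*x + 2204
x_C_3__1 + 1268*y_1 + 10006*y_2 + 5729
x_C_2__1 + 9580*y_1 + 5138*y_2 + 37
x_C_1__1 + 1269*y_1 + 10006*y_2 + 2147
""".splitlines()  # linear elements 1-13 of the first basis, copied from the output
# x_C_1__1 ... x_E_3__3 in the order the notebook lists them
STATE = [f"x_{b}_{i}__{r}" for b, n in (("C", 2), ("E", 3))
         for r in range(1, n + 1) for i in (1, 2, 3)]
ORDERS = {"P": STATE + ["y_1", "y_2", "x"],     # variable order of ring P
          "Q": ["y_1", "y_2"] + STATE + ["x"]}  # ring Q: y_1, y_2 moved to the front

def parse(line):
    """'v + 3*w + 5' -> {'v': 1, 'w': 3, '1': 5}; the constant is stored under '1'."""
    terms = ((t + "*1" if t.isdigit() else t).rpartition("*") for t in line.split(" + "))
    return {var: int(coeff or 1) % P for coeff, _, var in terms}

def linear_part(ring):
    """Row-reduce the linear elements mod P with columns in the order of `ring`."""
    cols = ORDERS[ring] + ["1"]  # the constant is the smallest monomial
    rows = [[p.get(c, 0) for c in cols] for p in map(parse, LINEAR_GB)]
    pivots = []
    for c, var in enumerate(cols[:-1]):
        r = len(pivots)
        hit = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if hit is None:
            continue
        rows[r], rows[hit] = rows[hit], rows[r]
        inv = pow(rows[r][c], P - 2, P)  # inverse by Fermat, P is prime
        rows[r] = [v * inv % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                rows[i] = [(a - rows[i][c] * b) % P for a, b in zip(rows[i], rows[r])]
        pivots.append(var)
    return {v: {k: a for k, a in zip(cols, row) if a} for v, row in zip(pivots, rows)}

if __name__ == "__main__":
    for ring in ORDERS:
        print(ring, "pivot variables:", " ".join(linear_part(ring)))
```

Under the order of P the input is already in reduced form, so the pivots are the thirteen x_C/x_E leading variables of the first output. Under the order of Q the pivots start with y_1 and y_2, and their rows coincide with elements 13 and 12 of the second basis.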