# Ciminion_2 Polynomial Model
Usage example of the Ciminion_2 polynomial model.

In [1]:
using Oscar
include("Ciminion_2.jl")
include("Ciminion_2_polynomial_model.jl")



generate_Ciminion_2_polynomials (generic function with 1 method)

## Ciminion_2 Instance

In [2]:
K = GF(10007)

ciminion_2 = Ciminion_2_constructor(field=K, rounds_C=5, rounds_E=5);

In [3]:
plain = zero_matrix(K, 2, 1)
plain[1, 1] = rand(K)
plain[2, 1] = rand(K)
plain

In [4]:
key = zero_matrix(K, 2, 1)
key[1, 1] = rand(K)
key[2, 1] = rand(K)
key

In [5]:
nonce = rand(K)
nonce

In [6]:
cipher = encrypt(plain, key, nonce, ciminion_2)

In [7]:
decrypt(cipher, key, nonce, ciminion_2)

In [8]:
plain == decrypt(cipher, key, nonce, ciminion_2)

true

## Ciminion_2 Polynomial model
Generate the Ciminion_2 polynomial model, and compute a DRL Gröbner basis.

In [9]:
polys = generate_Ciminion_2_polynomials(ciminion_2=ciminion_2);

Plaintext: [3100; 7924]
Key: [7728; 4019]
Ciphertext: [9422; 8225]
Nonce: 1734
Term order: degrevlex


### Inefficient Term Order
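Compute the DRL Gröbner basis with F4 with respect to an inefficient term order, namely DRL with the variables in the order in which the model generates them: the `x_C_*` and `x_E_*` variables first, then `y_1`, `y_2`, and `x` last.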

In [10]:
gb = groebner_basis_f4(ideal(polys), nr_thrds=16, info_level=2)


Legend for f4 information
--------------------------------------------------------
deg       current degree of pairs selected in this round
sel       number of pairs selected in this round
pairs     total number of pairs in pair list
mat       matrix dimensions (# rows x # columns)
density   density of the matrix
new data  # new elements for basis in this round
          # zero reductions during linear algebra
time(rd)  time of the current f4 round in seconds given
          for real and cpu time
--------------------------------------------------------

deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  2      19      19      33 x 45         13.00%       19 new       0 zero         0.07 | 0.77         
  2       8       8      71 x 117         6.27%        8 new       0 zero         0.03 | 0.39         
  3       2       2      82


--------------- INPUT DATA ---------------
#variables                      30
#equations                      30
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ----------------
overall(elapsed)        0.57 sec
overall(cpu)            6.17 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
--------------------------------

Gröbner basis with elements
  1: x_E_2__5 + 10006*x + 7081
  2: x_E_1__5 + 4734*x + 5948
  3: x_E_2__4 + 10006*x_E_3__5 + 5273*x + 1353
  4: x_E_1__4 + 4835*x_E_3__5 + 10006*x + 8986
  5: x_E_2__3 + 10006*x_E_3__4 + 5172*x_E_3__5 + x + 124
  6: x_E_1__3 + 645*x_E_3__4 + 10006*x_E_3__5 + 5273*x + 2778
  7: x_E_2__2 + 10006*x_E_3__3 + 9362*x_E_3__4 + x_E_3__5 + 4734*x + 4685
  8: x_E_1__2 + 7428*x_E_3__3 + 10006*x_E_3__4 + 5172*x_E_3__5 + x + 3845
  9: x_E_2__1 + 10006*x_E_3__2 + 2579*x_E_3__3 + x_E_3__4 + 4835*x_E_3__5 + 10006*x + 8704
  10: x_E_1__1 + 6770*x_E_3__2 + 10006*x_E_3__3 + 9362*x_E_3__4 + x_E_3__5 + 4734*x + 5154
  11: x_C_2__4 + 10006*x_E_3__1 + 3237*x_E_3__2 + x_E_3__3 + 645*x_E_3__4 + 10006*x_E_3__5 + 5273*x + 1854
  12: x_C_1__4 + 7885*x_E_3__1 + 10006*x_E_3__2 + 2579*x_E_3__3 + x_E_3__4 + 4835*x_E_3__5 + 10006*x + 8883
  13: x_C_3__3 + 4022*x_C_3__4 + 4975*x_E_3__1 + 5356*x_E_3__2 + 8572*x_E_3__3 + 7927*x_E_3__4 + 7363*x_E_3__5 + 4982*y_1 + 7274*y_2 + 1568*x + 5374
  14

### Efficient Term Order
Compute the DRL Gröbner basis with F4 with respect to an efficient term order.

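First we generate a homomorphism to a ring with an efficient DRL term order. The target ring has the same variables, but `y_1` and `y_2` are moved to the front, followed by the `x_C_*` and `x_E_*` variables, and `x` stays last.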

In [11]:
P = parent(polys[1])
variables = gens(P)

30-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_C_1__3
 x_C_2__3
 x_C_3__3
 x_C_1__4
 ⋮
 x_E_1__4
 x_E_2__4
 x_E_3__4
 x_E_1__5
 x_E_2__5
 x_E_3__5
 y_1
 y_2
 x

In [12]:
variables_Q = String[]

for var in variables
    push!(variables_Q, string(var))
end

In [13]:
# New variable order for Q: y_1, y_2 first, then all x_C_* and x_E_* variables, x last.
variables_Q = [
    variables_Q[3 * (ciminion_2.rounds_C - 1 + ciminion_2.rounds_E) + 1:3 * (ciminion_2.rounds_C - 1 + ciminion_2.rounds_E) + 2];
    variables_Q[1:3 * (ciminion_2.rounds_C - 1 + ciminion_2.rounds_E)];
    variables_Q[3 * (ciminion_2.rounds_C - 1 + ciminion_2.rounds_E) + 3:3 * (ciminion_2.rounds_C - 1 + ciminion_2.rounds_E) + 3]
]

Q, variables_Q = polynomial_ring(base_ring(P), variables_Q, internal_ordering=:degrevlex)

(Multivariate polynomial ring in 30 variables over K, FqMPolyRingElem[y_1, y_2, x_C_1__1, x_C_2__1, x_C_3__1, x_C_1__2, x_C_2__2, x_C_3__2, x_C_1__3, x_C_2__3  …  x_E_1__3, x_E_2__3, x_E_3__3, x_E_1__4, x_E_2__4, x_E_3__4, x_E_1__5, x_E_2__5, x_E_3__5, x])

In [14]:
# Images of gens(P) in Q, listed in the original order of P, so that every variable maps to its namesake.
variables_tmp = [
    variables_Q[2 + 1:2 + 3 * (ciminion_2.rounds_C - 1 + ciminion_2.rounds_E)];
    variables_Q[1:2];
    variables_Q[3 * (ciminion_2.rounds_C - 1 + ciminion_2.rounds_E) + 3:3 * (ciminion_2.rounds_C - 1 + ciminion_2.rounds_E) + 3]
]

30-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_C_1__3
 x_C_2__3
 x_C_3__3
 x_C_1__4
 ⋮
 x_E_1__4
 x_E_2__4
 x_E_3__4
 x_E_1__5
 x_E_2__5
 x_E_3__5
 y_1
 y_2
 x

In [15]:
h = hom(P, Q, variables_tmp)

Ring homomorphism
  from multivariate polynomial ring in 30 variables over K
  to multivariate polynomial ring in 30 variables over K
defined by
  x_C_1__1 -> x_C_1__1
  x_C_2__1 -> x_C_2__1
  x_C_3__1 -> x_C_3__1
  x_C_1__2 -> x_C_1__2
  x_C_2__2 -> x_C_2__2
  x_C_3__2 -> x_C_3__2
  x_C_1__3 -> x_C_1__3
  x_C_2__3 -> x_C_2__3
  x_C_3__3 -> x_C_3__3
  x_C_1__4 -> x_C_1__4
  x_C_2__4 -> x_C_2__4
  x_C_3__4 -> x_C_3__4
  x_E_1__1 -> x_E_1__1
  x_E_2__1 -> x_E_2__1
  x_E_3__1 -> x_E_3__1
  x_E_1__2 -> x_E_1__2
  x_E_2__2 -> x_E_2__2
  x_E_3__2 -> x_E_3__2
  x_E_1__3 -> x_E_1__3
  x_E_2__3 -> x_E_2__3
  x_E_3__3 -> x_E_3__3
  x_E_1__4 -> x_E_1__4
  x_E_2__4 -> x_E_2__4
  x_E_3__4 -> x_E_3__4
  x_E_1__5 -> x_E_1__5
  x_E_2__5 -> x_E_2__5
  x_E_3__5 -> x_E_3__5
  y_1 -> y_1
  y_2 -> y_2
  x -> x

In [16]:
for var in variables
    println(h(var))
end

x_C_1__1
x_C_2__1
x_C_3__1
x_C_1__2
x_C_2__2
x_C_3__2
x_C_1__3
x_C_2__3
x_C_3__3
x_C_1__4
x_C_2__4
x_C_3__4
x_E_1__1
x_E_2__1
x_E_3__1
x_E_1__2
x_E_2__2
x_E_3__2
x_E_1__3
x_E_2__3
x_E_3__3
x_E_1__4
x_E_2__4
x_E_3__4
x_E_1__5
x_E_2__5
x_E_3__5
y_1
y_2
x
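
The reordering done by hand in cells 12 to 16 can be wrapped in a helper that takes an arbitrary permutation and checks that no variable is renamed. This is an added example, not part of the original notebook or of `Ciminion_2_polynomial_model.jl`; the helper `reorder_variables` and the toy system are hypothetical and constructed for illustration.

```julia
using Oscar

# Hypothetical helper, not part of Ciminion_2_polynomial_model.jl:
# build a DRL ring whose i-th variable is the perm[i]-th variable of P,
# together with the name-preserving homomorphism P -> Q.
function reorder_variables(P, perm::Vector{Int})
    n = ngens(P)
    sort(perm) == collect(1:n) || error("perm must be a permutation of 1:$n")
    names = [string(v) for v in gens(P)]
    Q, vars_Q = polynomial_ring(base_ring(P), names[perm], internal_ordering=:degrevlex)
    # gens(P)[i] sits at position invperm(perm)[i] in Q
    h = hom(P, Q, vars_Q[invperm(perm)])
    # Fail loudly if any variable would be silently renamed
    all(string(h(v)) == string(v) for v in gens(P)) || error("hom renames a variable")
    return Q, h
end

# Constructed toy system (not a Ciminion_2 model) with the same variable layout:
# state variables first, then y_1, y_2, then x.
K = GF(10007)
P, (a, b, y_1, y_2, x) = polynomial_ring(K, ["a", "b", "y_1", "y_2", "x"], internal_ordering=:degrevlex)
toy = [a - y_1^2 - x, b - a * y_2 - 3, y_1 * y_2 - b + x, y_1^2 + y_2 + 5, x^2 - 2]

# Same move as in the notebook: y_1, y_2 to the front, x stays last.
n = ngens(P)
perm = [n - 2, n - 1, 1:(n - 3)..., n]
Q, h = reorder_variables(P, perm)

gb_P = groebner_basis_f4(ideal(P, toy))
gb_Q = groebner_basis_f4(ideal(Q, [h(f) for f in toy]))

# Both bases must generate the same ideal once gb_P is mapped into Q
@assert ideal(Q, [h(g) for g in gb_P]) == ideal(Q, [g for g in gb_Q])
```

For the notebook's model, the same permutation applied to `parent(polys[1])` yields the ring `Q` and the homomorphism `h` built above.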


Now we compute the DRL Gröbner basis with respect to the efficient term order.

In [17]:
gb_Q = groebner_basis_f4(h(ideal(polys)), nr_thrds=16, info_level=2)


deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  1       2      20       3 x 6          66.67%        2 new       0 zero         0.02 | 0.24         
  2      19      19      31 x 41         14.40%       19 new       0 zero         0.07 | 0.97         
  2       9       9      82


--------------- INPUT DATA ---------------
#variables                      30
#equations                      30
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ----------------
overall(elapsed)        0.23 sec
overall(cpu)            3.09 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
--------------------------------

Gröbner basis with elements
  1: x_E_2__5 + 10006*x + 7081
  2: x_E_1__5 + 4734*x + 5948
  3: x_E_2__4 + 10006*x_E_3__5 + 5273*x + 1353
  4: x_E_1__4 + 4835*x_E_3__5 + 10006*x + 8986
  5: x_E_2__3 + 10006*x_E_3__4 + 5172*x_E_3__5 + x + 124
  6: x_E_1__3 + 645*x_E_3__4 + 10006*x_E_3__5 + 5273*x + 2778
  7: x_E_2__2 + 10006*x_E_3__3 + 9362*x_E_3__4 + x_E_3__5 + 4734*x + 4685
  8: x_E_1__2 + 7428*x_E_3__3 + 10006*x_E_3__4 + 5172*x_E_3__5 + x + 3845
  9: x_E_2__1 + 10006*x_E_3__2 + 2579*x_E_3__3 + x_E_3__4 + 4835*x_E_3__5 + 10006*x + 8704
  10: x_E_1__1 + 6770*x_E_3__2 + 10006*x_E_3__3 + 9362*x_E_3__4 + x_E_3__5 + 4734*x + 5154
  11: x_C_2__4 + 10006*x_E_3__1 + 3237*x_E_3__2 + x_E_3__3 + 645*x_E_3__4 + 10006*x_E_3__5 + 5273*x + 1854
  12: x_C_1__4 + 7885*x_E_3__1 + 10006*x_E_3__2 + 2579*x_E_3__3 + x_E_3__4 + 4835*x_E_3__5 + 10006*x + 8883
  13: x_C_2__3 + 10006*x_C_3__4 + 2122*x_E_3__1 + x_E_3__2 + 7428*x_E_3__3 + 10006*x_E_3__4 + 5172*x_E_3__5 + x + 7033
  14: x_C_1__3 + 398*x_C_3__4 + 10