# Ciminion Polynomial Model
Usage example of the Ciminion polynomial model.

In [1]:
using Oscar
include("Ciminion.jl")
include("Ciminion_polynomial_model.jl")



generate_Ciminion_polynomials (generic function with 1 method)

## Ciminion Instance

In [2]:
K = GF(10007)

ciminion = Ciminion_constructor(field=K, rounds_C=3, rounds_E=3, info_level=1);

Ciminion parameters
Field: Prime field of characteristic 10007
Rounds_C: 3
Rounds_E: 3
Constants_C: [2921 6802 2028; 9288 3041 9275; 246 7277 6019; 5131 284 6173]
Constants_E: [8798 3880 6168; 7540 9032 4960; 9005 3649 535; 1114 8551 2628]


In [3]:
plain = zero_matrix(K, 2, 1)
plain[1, 1] = rand(K)
plain[2, 1] = rand(K)
plain

In [4]:
key = zero_matrix(K, 2, 1)
key[1, 1] = rand(K)
key[2, 1] = rand(K)
key

In [5]:
nonce = rand(K)
nonce

In [6]:
cipher = encrypt(plain, key, nonce, ciminion)

In [7]:
plain == decrypt(cipher, key, nonce, ciminion)

true

## Ciminion Polynomial model
Generate the Ciminion polynomial model, and compute a DRL Gröbner basis.

In [8]:
polys = generate_Ciminion_polynomials(ciminion=ciminion);

Plaintext: [1362; 9448]
Key: [585; 7992]
Ciphertext: [7092; 7720]
Nonce: 5768
Term order: degrevlex


### Inefficient Term Order
Compute the DRL Gröbner basis with F4 with respect to an inefficient term order.

In [9]:
gb = groebner_basis_f4(ideal(polys), nr_thrds=16, info_level=2)


Legend for f4 information
--------------------------------------------------------
deg       current degree of pairs selected in this round
sel       number of pairs selected in this round
pairs     total number of pairs in pair list
mat       matrix dimensions (# rows x # columns)
density   density of the matrix
new data  # new elements for basis in this round
          # zero reductions during linear algebra
time(rd)  time of the current f4 round in seconds given
          for real and cpu time
--------------------------------------------------------

deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  2      11      11      21 x 29         15.93%       11 new       0 zero         0.04 | 0.46         
  2       4       4      29 x 45         11.42%        4 new       0 zero         0.03 | 0.26         
  3       2       2      26


--------------- INPUT DATA ---------------
#variables                      18
#equations                      18
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ---------------
overall(elapsed)        0.20 sec
overall(cpu)            2.04 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
---------------------------------

Gröbner basis with elements
1 -> x_E_2__3 + 10006*x + 97
2 -> x_E_1__3 + 2628*x + 1688
3 -> x_E_2__2 + 10006*x_E_3__3 + 7379*x + 8088
4 -> x_E_1__2 + 8551*x_E_3__3 + 10006*x + 8356
5 -> x_E_3__1 + 7941*x_E_3__2 + 9694*x_E_3__3 + 7062*y_1 + 9259*y_2 + 6775*x + 6193
6 -> x_E_2__1 + 10006*x_E_3__2 + 1456*x_E_3__3 + x + 1858
7 -> x_E_1__1 + 1114*x_E_3__2 + 10006*x_E_3__3 + 7379*x + 1065
8 -> x_C_3__2 + 4499*x_E_3__2 + 2254*x_E_3__3 + 6740*y_1 + 9053*y_2 + 7186*x + 3664
9 -> x_C_2__2 + 6827*x_E_3__2 + 9695*x_E_3__3 + 7062*y_1 + 9259*y_2 + 9403*x + 9119
10 -> x_C_1__2 + 4499*x_E_3__2 + 2254*x_E_3__3 + 6773*y_1 + 4177*y_2 + 7186*x + 9188
11 -> x_C_3__1 + 4238*y_1 + 10006*y_2 + 9761
12 -> x_C_2__1 + 9974*y_1 + 4876*y_2 + 4958
13 -> x_C_1__1 + 4239*y_1 + 10006*y_2 + 7086
14 -> x^2 + 3012*x_E_3__3 + 9210*x + 6190
15 -> y_1^2 + 3201*y_1*y_2 + 4103*y_2^2 + 875*x_E_3__2 + 5939*x_E_3__3 + 527*y_1 + 220*y_2 + 1362*x + 114
16 -> x_E_3__3^2 + 5549*x_E_3__3*x + 2921*x_E_3__2 + 4037*x_E_3__3 + 5267*x + 9

### Efficient Term Order
Compute the DRL Gröbner basis with F4 with respect to an efficient term order.

First we generate a homomorphism to a ring with an efficient DRL term order: the same 18 variables, reordered so that y_1 and y_2 come first and x stays last.

In [10]:
P = parent(polys[1])
variables = gens(P)

18-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_E_1__1
 x_E_2__1
 x_E_3__1
 x_E_1__2
 x_E_2__2
 x_E_3__2
 x_E_1__3
 x_E_2__3
 x_E_3__3
 y_1
 y_2
 x

In [11]:
variables_Q = String[]

for var in variables
    push!(variables_Q, string(var))
end

In [12]:
# Reorder the variable names for Q: y_1, y_2 first, then the state variables, then x.
variables_Q = [
    variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 1:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 2];
    variables_Q[1:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E)];
    variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3]
]

Q, variables_Q = polynomial_ring(base_ring(P), variables_Q, internal_ordering=:degrevlex)

(Multivariate polynomial ring in 18 variables over GF(10007), FqMPolyRingElem[y_1, y_2, x_C_1__1, x_C_2__1, x_C_3__1, x_C_1__2, x_C_2__2, x_C_3__2, x_E_1__1, x_E_2__1, x_E_3__1, x_E_1__2, x_E_2__2, x_E_3__2, x_E_1__3, x_E_2__3, x_E_3__3, x])

In [13]:
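# Images of the generators of P inside Q, listed in P's variable order,
# so that every variable of P is sent to the variable of the same name in Q.
variables_tmp = [
                 variables_Q[2 + 1:2 + 3 * (ciminion.rounds_C - 1 + ciminion.rounds_E)];
                 variables_Q[1:2];
                 variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3];
                ]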

18-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_E_1__1
 x_E_2__1
 x_E_3__1
 x_E_1__2
 x_E_2__2
 x_E_3__2
 x_E_1__3
 x_E_2__3
 x_E_3__3
 y_1
 y_2
 x

In [14]:
h = hom(P, Q, variables_tmp)

Ring homomorphism
  from multivariate polynomial ring in 18 variables over GF(10007)
  to multivariate polynomial ring in 18 variables over GF(10007)
defined by
  x_C_1__1 -> x_C_1__1
  x_C_2__1 -> x_C_2__1
  x_C_3__1 -> x_C_3__1
  x_C_1__2 -> x_C_1__2
  x_C_2__2 -> x_C_2__2
  x_C_3__2 -> x_C_3__2
  x_E_1__1 -> x_E_1__1
  x_E_2__1 -> x_E_2__1
  x_E_3__1 -> x_E_3__1
  x_E_1__2 -> x_E_1__2
  x_E_2__2 -> x_E_2__2
  x_E_3__2 -> x_E_3__2
  x_E_1__3 -> x_E_1__3
  x_E_2__3 -> x_E_2__3
  x_E_3__3 -> x_E_3__3
  y_1 -> y_1
  y_2 -> y_2
  x -> x
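
The effect of this reordering on DRL leading monomials, as an added example that is not part of the original notebook: a pure-Python DRL comparison (standing in for Oscar) applied to polynomial strings copied from the first Gröbner basis output above. The helper names `monomials`, `drl_key` and `leading_monomial` are hypothetical.

```python
# Variable orders copied from the notebook output (largest variable first).
STATE = [f"x_{p}_{i}__{r}" for p, rounds in (("C", 2), ("E", 3))
         for r in range(1, rounds + 1) for i in range(1, 4)]
ORDER_P = STATE + ["y_1", "y_2", "x"]   # ring P (order used by the model)
ORDER_Q = ["y_1", "y_2"] + STATE + ["x"]  # ring Q (reordered)

# Elements 13, 15 and 16 of the first Groebner basis, as printed by Oscar.
G13 = "x_C_1__1 + 4239*y_1 + 10006*y_2 + 7086"
G15 = ("y_1^2 + 3201*y_1*y_2 + 4103*y_2^2 + 875*x_E_3__2 + 5939*x_E_3__3"
       " + 527*y_1 + 220*y_2 + 1362*x + 114")
G16 = ("x_E_3__3^2 + 5549*x_E_3__3*x + 2921*x_E_3__2 + 4037*x_E_3__3"
       " + 5267*x + 9")

def monomials(poly):
    """Parse Oscar-style output into a list of {variable: exponent} dicts."""
    result = []
    for term in poly.split(" + "):
        exps = {}
        for factor in term.split("*"):
            if not factor.isdigit():  # skip the coefficient
                name, _, power = factor.partition("^")
                exps[name] = exps.get(name, 0) + int(power or 1)
        result.append(exps)
    return result

def drl_key(exps, order):
    """Sort key for DRL: higher degree wins; on a tie, the monomial with the
    smaller exponent in the last differing variable is the larger one."""
    vec = [exps.get(v, 0) for v in order]
    return (sum(vec), [-e for e in reversed(vec)])

def leading_monomial(poly, order):
    lead = max(monomials(poly), key=lambda m: drl_key(m, order))
    return "*".join(f"{v}^{lead[v]}" if lead[v] > 1 else v
                    for v in order if v in lead) or "1"

if __name__ == "__main__":
    for name, poly in (("13", G13), ("15", G15), ("16", G16)):
        print(name, leading_monomial(poly, ORDER_P),
              leading_monomial(poly, ORDER_Q))
```

In P the linear element 13 leads with `x_C_1__1`; in Q the same polynomial leads with `y_1`, while the quadratic elements keep their leading monomials.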

Now we compute the DRL Gröbner basis with respect to the efficient term order.

In [15]:
gb_Q = groebner_basis_f4(h(ideal(polys)), nr_thrds=16, info_level=2)


Legend for f4 information
--------------------------------------------------------
deg       current degree of pairs selected in this round
sel       number of pairs selected in this round
pairs     total number of pairs in pair list
mat       matrix dimensions (# rows x # columns)
density   density of the matrix
new data  # new elements for basis in this round
          # zero reductions during linear algebra
time(rd)  time of the current f4 round in seconds given
          for real and cpu time
--------------------------------------------------------

deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  1       2      12       3 x 6          66.67%        2 new       0 zero         0.02 | 0.19         
  2      11      11      17 x 23         20.20%       11 new       0 zero         0.05 | 0.49         
  2       5       5      33


--------------- INPUT DATA ---------------
#variables                      18
#equations                      18
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ---------------
overall(elapsed)        0.16 sec
overall(cpu)            1.62 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
---------------------------------

Gröbner basis with elements
1 -> x_E_2__3 + 10006*x + 97
2 -> x_E_1__3 + 2628*x + 1688
3 -> x_E_2__2 + 10006*x_E_3__3 + 7379*x + 8088
4 -> x_E_1__2 + 8551*x_E_3__3 + 10006*x + 8356
5 -> x_E_2__1 + 10006*x_E_3__2 + 1456*x_E_3__3 + x + 1858
6 -> x_E_1__1 + 1114*x_E_3__2 + 10006*x_E_3__3 + 7379*x + 1065
7 -> x_C_2__2 + 10006*x_E_3__1 + 8893*x_E_3__2 + x_E_3__3 + 2628*x + 2926
8 -> x_C_1__2 + 6173*x_E_3__1 + 10006*x_E_3__2 + 1456*x_E_3__3 + x + 1830
9 -> x_C_3__1 + 7103*x_C_3__2 + 6152*x_E_3__1 + 2904*x_E_3__2 + 4737*x_E_3__3 + 7103*x + 9633
10 -> x_C_2__1 + 10006*x_C_3__2 + 3834*x_E_3__1 + x_E_3__2 + 8551*x_E_3__3 + 10006*x + 8652
11 -> x_C_1__1 + 284*x_C_3__2 + 10006*x_E_3__1 + 8893*x_E_3__2 + x_E_3__3 + 2628*x + 741
12 -> y_2 + 5809*x_C_3__2 + 4324*x_E_3__1 + 9281*x_E_3__2 + 1863*x_E_3__3 + 8888*x + 9094
13 -> y_1 + 6819*x_C_3__2 + 6153*x_E_3__1 + 4018*x_E_3__2 + 4736*x_E_3__3 + 4475*x + 6217
14 -> x^2 + 3012*x_E_3__3 + 9210*x + 6190
15 -> x_E_3__3^2 + 5549*x_E_3__3*x + 2921*x_E_3__2 + 