# Ciminion Polynomial Model
Usage example of the Ciminion polynomial model.

In [1]:
using Oscar
include("Ciminion.jl")
include("Ciminion_polynomial_model.jl")



generate_Ciminion_polynomials (generic function with 1 method)

## Ciminion Instance

In [2]:
K = GF(10007)

ciminion = Ciminion_constructor(field=K, rounds_C=3, rounds_E=3, info_level=1);

Ciminion parameters
Field: Prime field of characteristic 10007
Rounds_C: 3
Rounds_E: 3
Constants_C: [4165 1634 9341; 1443 1952 6484; 6168 1260 2655; 5462 610 5039]
Constants_E: [4057 9170 3489; 3883 3105 3273; 2791 9930 1300; 8557 2791 1937]


In [3]:
plain = zero_matrix(K, 2, 1)
plain[1, 1] = rand(K)
plain[2, 1] = rand(K)
plain

In [4]:
key = zero_matrix(K, 2, 1)
key[1, 1] = rand(K)
key[2, 1] = rand(K)
key

In [5]:
nonce = rand(K)
nonce

In [6]:
cipher = encrypt(plain, key, nonce, ciminion)

In [7]:
plain == decrypt(cipher, key, nonce, ciminion)

true

## Ciminion Polynomial model
Generate the Ciminion polynomial model and compute a DRL Gröbner basis.

In [8]:
polys = generate_Ciminion_polynomials(ciminion=ciminion);

Plaintext: [6415; 6930]
Key: [5862; 4338]
Ciphertext: [9925; 2521]
Nonce: 5710
Term order: degrevlex


### Inefficient Term Order
Compute the DRL Gröbner basis with F4, keeping the variable order in which the polynomial model was generated. This is an inefficient term order.

In [9]:
gb = groebner_basis_f4(ideal(polys), nr_thrds=16, info_level=2)


Legend for f4 information
--------------------------------------------------------
deg       current degree of pairs selected in this round
sel       number of pairs selected in this round
pairs     total number of pairs in pair list
mat       matrix dimensions (# rows x # columns)
density   density of the matrix
new data  # new elements for basis in this round
          # zero reductions during linear algebra
time(rd)  time of the current f4 round in seconds given
          for real and cpu time
--------------------------------------------------------

deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  2      11      11      21 x 29         15.93%       11 new       0 zero         0.04 | 0.53         
  2       4       4      29 x 45         11.42%        4 new       0 zero         0.02 | 0.28         
  3       2       2      26


--------------- INPUT DATA ---------------
#variables                      18
#equations                      18
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ---------------
overall(elapsed)        0.19 sec
overall(cpu)            2.26 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
---------------------------------

Gröbner basis with elements
1 -> x_E_2__3 + 10006*x + 1321
2 -> x_E_1__3 + 1937*x + 1339
3 -> x_E_2__2 + 10006*x_E_3__3 + 8070*x + 9428
4 -> x_E_1__2 + 2791*x_E_3__3 + 10006*x + 9186
5 -> x_E_3__1 + 2985*x_E_3__2 + 7282*x_E_3__3 + 4949*y_1 + 7082*y_2 + 9671*x + 3054
6 -> x_E_2__1 + 10006*x_E_3__2 + 7216*x_E_3__3 + x + 9562
7 -> x_E_1__1 + 8557*x_E_3__2 + 10006*x_E_3__3 + 8070*x + 7426
8 -> x_C_3__2 + 9112*x_E_3__2 + 8887*x_E_3__3 + 7777*y_1 + 3309*y_2 + 1922*x + 1734
9 -> x_C_2__2 + 4435*x_E_3__2 + 7283*x_E_3__3 + 4949*y_1 + 7082*y_2 + 1601*x + 8956
10 -> x_C_1__2 + 9112*x_E_3__2 + 8887*x_E_3__3 + 9440*y_1 + 8771*y_2 + 1922*x + 8513
11 -> x_C_3__1 + 4296*y_1 + 10006*y_2 + 3839
12 -> x_C_2__1 + 8344*y_1 + 4545*y_2 + 2854
13 -> x_C_1__1 + 4297*y_1 + 10006*y_2 + 5842
14 -> x^2 + 5998*x_E_3__3 + 2978*x + 9130
15 -> y_1^2 + 7324*y_1*y_2 + 8894*y_2^2 + 4999*x_E_3__2 + 2566*x_E_3__3 + 9194*y_1 + 3015*y_2 + 6640*x + 7094
16 -> x_E_3__3^2 + 951*x_E_3__3*x + 9021*x_E_3__2 + 654*x_E_3__3 + 4723*x

### Efficient Term Order
Compute the DRL Gröbner basis with F4 with respect to an efficient term order.

First we construct a ring homomorphism into a ring with the same variables in a different order, which gives an efficient DRL term order.

In [10]:
P = parent(polys[1])
variables = gens(P)

18-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_E_1__1
 x_E_2__1
 x_E_3__1
 x_E_1__2
 x_E_2__2
 x_E_3__2
 x_E_1__3
 x_E_2__3
 x_E_3__3
 y_1
 y_2
 x

In [11]:
variables_Q = String[]

for var in variables
    push!(variables_Q, string(var))
end

In [12]:
# Reorder the variable names: y_1, y_2 first, then the intermediate state variables, then x.
variables_Q = [
    variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 1:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 2];
    variables_Q[1:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E)];
    variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3]
]

Q, variables_Q = polynomial_ring(base_ring(P), variables_Q, internal_ordering=:degrevlex)

(Multivariate polynomial ring in 18 variables over K, FqMPolyRingElem[y_1, y_2, x_C_1__1, x_C_2__1, x_C_3__1, x_C_1__2, x_C_2__2, x_C_3__2, x_E_1__1, x_E_2__1, x_E_3__1, x_E_1__2, x_E_2__2, x_E_3__2, x_E_1__3, x_E_2__3, x_E_3__3, x])

In [13]:
# Generators of Q listed in the variable order of P, used as the images of gens(P).
variables_tmp = [
                 variables_Q[2 + 1:2 + 3 * (ciminion.rounds_C - 1 + ciminion.rounds_E)];
                 variables_Q[1:2];
                 variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3];
                ]

18-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_E_1__1
 x_E_2__1
 x_E_3__1
 x_E_1__2
 x_E_2__2
 x_E_3__2
 x_E_1__3
 x_E_2__3
 x_E_3__3
 y_1
 y_2
 x

In [14]:
h = hom(P, Q, variables_tmp)

Ring homomorphism
  from multivariate polynomial ring in 18 variables over K
  to multivariate polynomial ring in 18 variables over K
defined by
  x_C_1__1 -> x_C_1__1
  x_C_2__1 -> x_C_2__1
  x_C_3__1 -> x_C_3__1
  x_C_1__2 -> x_C_1__2
  x_C_2__2 -> x_C_2__2
  x_C_3__2 -> x_C_3__2
  x_E_1__1 -> x_E_1__1
  x_E_2__1 -> x_E_2__1
  x_E_3__1 -> x_E_3__1
  x_E_1__2 -> x_E_1__2
  x_E_2__2 -> x_E_2__2
  x_E_3__2 -> x_E_3__2
  x_E_1__3 -> x_E_1__3
  x_E_2__3 -> x_E_2__3
  x_E_3__3 -> x_E_3__3
  y_1 -> y_1
  y_2 -> y_2
  x -> x
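
To see what the reordering changes, the following added example (not part of the original notebook) rebuilds both rings stand-alone and compares the DRL leading monomials of two basis elements copied from the output above. The name lists and the helper `lm` are assumptions reconstructed from the printed variable order for `rounds_C=3`, `rounds_E=3`.

```julia
using Oscar

K = GF(10007)

# Variable names in the order printed for the original ring P (cell [10]).
names_P = vcat(["x_C_$(i)__$(j)" for j in 1:2 for i in 1:3],
               ["x_E_$(i)__$(j)" for j in 1:3 for i in 1:3],
               ["y_1", "y_2", "x"])
# Reordered names as in cell [12]: y_1, y_2 first, x last.
names_Q = vcat(names_P[16:17], names_P[1:15], names_P[18:18])

P, vP = polynomial_ring(K, names_P; internal_ordering=:degrevlex)
Q, vQ = polynomial_ring(K, names_Q; internal_ordering=:degrevlex)

# Images of gens(P) inside Q, as in cell [13]: every variable maps to itself.
h = hom(P, Q, vcat(vQ[3:17], vQ[1:2], vQ[18:18]))

# DRL leading monomial with respect to the ring's own variable order
# (lm is a helper name introduced for this example).
lm(f) = leading_monomial(f; ordering=degrevlex(gens(parent(f))))

v = Dict(zip(names_P, vP))
# Elements 13 and 5 of the first Groebner basis, copied from the output above.
f13 = v["x_C_1__1"] + 4297*v["y_1"] + 10006*v["y_2"] + 5842
f5  = v["x_E_3__1"] + 2985*v["x_E_3__2"] + 7282*v["x_E_3__3"] +
      4949*v["y_1"] + 7082*v["y_2"] + 9671*v["x"] + 3054

for (name, f) in (("element 13", f13), ("element 5", f5))
    println(name, ": LM in P = ", lm(f), ", LM in Q = ", lm(h(f)))
end

# In P the earliest x_C / x_E variable leads; in Q the leading monomial is y_1.
@assert lm(f13) == v["x_C_1__1"] && lm(h(f13)) == vQ[1]
@assert lm(f5) == v["x_E_3__1"] && lm(h(f5)) == vQ[1]
```

The map `h` only renames positions in the variable list, so the ideal is unchanged; what changes is which variable each polynomial has as its leading term under DRL.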

Now we compute the DRL Gröbner basis with respect to the efficient term order.

In [15]:
gb_Q = groebner_basis_f4(h(ideal(polys)), nr_thrds=16, info_level=2)


Legend for f4 information
--------------------------------------------------------
deg       current degree of pairs selected in this round
sel       number of pairs selected in this round
pairs     total number of pairs in pair list
mat       matrix dimensions (# rows x # columns)
density   density of the matrix
new data  # new elements for basis in this round
          # zero reductions during linear algebra
time(rd)  time of the current f4 round in seconds given
          for real and cpu time
--------------------------------------------------------

deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  1       2      12       3 x 6          66.67%        2 new       0 zero         0.02 | 0.21         
  2      11      11      17 x 23         20.20%       11 new       0 zero         0.04 | 0.52         
  2       5       5      33


--------------- INPUT DATA ---------------
#variables                      18
#equations                      18
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ---------------
overall(elapsed)        0.15 sec
overall(cpu)            1.76 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
---------------------------------

Gröbner basis with elements
1 -> x_E_2__3 + 10006*x + 1321
2 -> x_E_1__3 + 1937*x + 1339
3 -> x_E_2__2 + 10006*x_E_3__3 + 8070*x + 9428
4 -> x_E_1__2 + 2791*x_E_3__3 + 10006*x + 9186
5 -> x_E_2__1 + 10006*x_E_3__2 + 7216*x_E_3__3 + x + 9562
6 -> x_E_1__1 + 8557*x_E_3__2 + 10006*x_E_3__3 + 8070*x + 7426
7 -> x_C_2__2 + 10006*x_E_3__1 + 1450*x_E_3__2 + x_E_3__3 + 1937*x + 5902
8 -> x_C_1__2 + 5039*x_E_3__1 + 10006*x_E_3__2 + 7216*x_E_3__3 + x + 6853
9 -> x_C_3__1 + 3252*x_C_3__2 + 5369*x_E_3__1 + 6755*x_E_3__2 + 17*x_E_3__3 + 3252*x + 4319
10 -> x_C_2__1 + 10006*x_C_3__2 + 4968*x_E_3__1 + x_E_3__2 + 2791*x_E_3__3 + 10006*x + 2780
11 -> x_C_1__1 + 610*x_C_3__2 + 10006*x_E_3__1 + 1450*x_E_3__2 + x_E_3__3 + 1937*x + 9793
12 -> y_2 + 5346*x_C_3__2 + 8754*x_E_3__1 + 1089*x_E_3__2 + 8711*x_E_3__3 + 8544*x + 9501
13 -> y_1 + 2642*x_C_3__2 + 5370*x_E_3__1 + 5305*x_E_3__2 + 16*x_E_3__3 + 1315*x + 6536
14 -> x^2 + 5998*x_E_3__3 + 2978*x + 9130
15 -> x_E_3__3^2 + 951*x_E_3__3*x + 9021*x_E_3__2 + 65