# Ciminion Polynomial Model
Usage example of the Ciminion polynomial model.

In [1]:
using Oscar
include("Ciminion.jl")
include("Ciminion_polynomial_model.jl")



generate_Ciminion_polynomials (generic function with 1 method)

## Ciminion Instance

In [2]:
K = GF(10007)

ciminion = Ciminion_constructor(field=K, rounds_C=3, rounds_E=3, info_level=1);

Ciminion parameters
Field: Prime field of characteristic 10007
Rounds_C: 3
Rounds_E: 3
Constants_C: [6114 5012 7033; 4247 1770 9656; 2536 3722 1371; 293 1868 2396]
Constants_E: [3651 6594 7384; 4666 2451 7209; 4584 2584 6025; 7082 9966 8273]


In [3]:
plain = zero_matrix(K, 2, 1)
plain[1, 1] = rand(K)
plain[2, 1] = rand(K)
plain

In [4]:
key = zero_matrix(K, 2, 1)
key[1, 1] = rand(K)
key[2, 1] = rand(K)
key

In [5]:
nonce = rand(K)
nonce

In [6]:
cipher = encrypt(plain, key, nonce, ciminion)

In [7]:
plain == decrypt(cipher, key, nonce, ciminion)

true

## Ciminion Polynomial model
Generate the Ciminion polynomial model, and compute a DRL Gröbner basis.

In [8]:
polys = generate_Ciminion_polynomials(ciminion=ciminion);

Plaintext: [9190; 9601]
Key: [5843; 4755]
Ciphertext: [3406; 7904]
Nonce: 7048
Term order: degrevlex


### Inefficient Term Order
Compute the DRL Gröbner basis with F4 with respect to an inefficient term order.

In [9]:
gb = groebner_basis_f4(ideal(polys), nr_thrds=16, info_level=2)


Legend for f4 information
--------------------------------------------------------
deg       current degree of pairs selected in this round
sel       number of pairs selected in this round
pairs     total number of pairs in pair list
mat       matrix dimensions (# rows x # columns)
density   density of the matrix
new data  # new elements for basis in this round
          # zero reductions during linear algebra
time(rd)  time of the current f4 round in seconds given
          for real and cpu time
--------------------------------------------------------

deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  2      11      11      21 x 29         15.93%       11 new       0 zero         0.06 | 0.57         
  2       4       4      29 x 45         11.42%        4 new       0 zero         0.02 | 0.25         
  3       2       2      26


--------------- INPUT DATA ---------------
#variables                      18
#equations                      18
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ----------------
overall(elapsed)        0.21 sec
overall(cpu)            2.25 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
--------------------------------

Gröbner basis with elements
  1: x_E_2__3 + 10006*x + 2864
  2: x_E_1__3 + 8273*x + 8948
  3: x_E_2__2 + 10006*x_E_3__3 + 1734*x + 7056
  4: x_E_1__2 + 9966*x_E_3__3 + 10006*x + 1182
  5: x_E_3__1 + 7692*x_E_3__2 + 8724*x_E_3__3 + 6899*y_1 + 3927*y_2 + 4289*x + 9387
  6: x_E_2__1 + 10006*x_E_3__2 + 41*x_E_3__3 + x + 9758
  7: x_E_1__1 + 7082*x_E_3__2 + 10006*x_E_3__3 + 1734*x + 535
  8: x_C_3__2 + 2861*x_E_3__2 + 1960*x_E_3__3 + 7652*y_1 + 7202*y_2 + 746*x + 1266
  9: x_C_2__2 + 610*x_E_3__2 + 8725*x_E_3__3 + 6899*y_1 + 3927*y_2 + 2555*x + 3190
  10: x_C_1__2 + 2861*x_E_3__2 + 1960*x_E_3__3 + 1560*y_1 + 7495*y_2 + 746*x + 1264
  11: x_C_3__1 + 2958*y_1 + 10006*y_2 + 7471
  12: x_C_2__1 + 6092*y_1 + 9714*y_2 + 8719
  13: x_C_1__1 + 2959*y_1 + 10006*y_2 + 3893
  14: x^2 + 6100*x_E_3__3 + 2521*x + 6765
  15: y_1^2 + 2119*y_1*y_2 + 644*y_2^2 + 653*x_E_3__2 + 2532*x_E_3__3 + 2255*y_1 + 9559*y_2 + 9051*x + 2238
  16: x_E_3__3^2 + 4856*x_E_3__3*x + 6590*x_E_3__2 + 5607*x_E_3__3 + 8243*x + 493

### Efficient Term Order
Compute the DRL Gröbner basis with F4 with respect to an efficient term order.

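First we construct a second polynomial ring Q over the same field whose DRL term order lists y_1, y_2 first, followed by the remaining variables in their original order, together with a homomorphism from P to Q that sends each variable to the variable of the same name.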

In [10]:
P = parent(polys[1])
variables = gens(P)

18-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_E_1__1
 x_E_2__1
 x_E_3__1
 x_E_1__2
 x_E_2__2
 x_E_3__2
 x_E_1__3
 x_E_2__3
 x_E_3__3
 y_1
 y_2
 x

In [11]:
variables_Q = String[]

for var in variables
    push!(variables_Q, string(var))
end

In [12]:
variables_Q = [
    variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 1:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 2];
    variables_Q[1:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E)];
    variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3]
]

Q, variables_Q = polynomial_ring(base_ring(P), variables_Q, internal_ordering=:degrevlex)

(Multivariate polynomial ring in 18 variables over K, FqMPolyRingElem[y_1, y_2, x_C_1__1, x_C_2__1, x_C_3__1, x_C_1__2, x_C_2__2, x_C_3__2, x_E_1__1, x_E_2__1, x_E_3__1, x_E_1__2, x_E_2__2, x_E_3__2, x_E_1__3, x_E_2__3, x_E_3__3, x])

In [13]:
variables_tmp = [
                 variables_Q[2 + 1:2 + 3 * (ciminion.rounds_C - 1 + ciminion.rounds_E)];
                 variables_Q[1:2];
                 variables_Q[3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3:3 * (ciminion.rounds_C - 1 + ciminion.rounds_E) + 3];
                ]

18-element Vector{FqMPolyRingElem}:
 x_C_1__1
 x_C_2__1
 x_C_3__1
 x_C_1__2
 x_C_2__2
 x_C_3__2
 x_E_1__1
 x_E_2__1
 x_E_3__1
 x_E_1__2
 x_E_2__2
 x_E_3__2
 x_E_1__3
 x_E_2__3
 x_E_3__3
 y_1
 y_2
 x

In [14]:
h = hom(P, Q, variables_tmp)

Ring homomorphism
  from multivariate polynomial ring in 18 variables over K
  to multivariate polynomial ring in 18 variables over K
defined by
  x_C_1__1 -> x_C_1__1
  x_C_2__1 -> x_C_2__1
  x_C_3__1 -> x_C_3__1
  x_C_1__2 -> x_C_1__2
  x_C_2__2 -> x_C_2__2
  x_C_3__2 -> x_C_3__2
  x_E_1__1 -> x_E_1__1
  x_E_2__1 -> x_E_2__1
  x_E_3__1 -> x_E_3__1
  x_E_1__2 -> x_E_1__2
  x_E_2__2 -> x_E_2__2
  x_E_3__2 -> x_E_3__2
  x_E_1__3 -> x_E_1__3
  x_E_2__3 -> x_E_2__3
  x_E_3__3 -> x_E_3__3
  y_1 -> y_1
  y_2 -> y_2
  x -> x
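
What the reordering changes, as an added example that is not part of the original notebook and is plain Python rather than Oscar code: a degrevlex comparison for an arbitrary variable order, applied to two polynomials copied from the In [9] output under the variable orders of P and Q. The helper names (drl_key, leading_monomial, leaders) are hypothetical.

```python
# Added example: degrevlex (DRL) leading monomials under the notebook's two
# variable orders. Variable names and polynomials are copied from the notebook
# output; the helper names are hypothetical and not part of Oscar.

STATE = [f"x_{p}_{i}__{r}"
         for p, rounds in (("C", (1, 2)), ("E", (1, 2, 3)))
         for r in rounds for i in (1, 2, 3)]
ORDER_P = STATE + ["y_1", "y_2", "x"]        # gens(P), In [10]
ORDER_Q = ["y_1", "y_2"] + STATE + ["x"]     # gens(Q), In [12]

def drl_key(monomial, order):
    """Sort key: a larger key means a larger monomial in degrevlex for `order`."""
    exps = [monomial.get(v, 0) for v in order]
    # Higher total degree wins; on ties, scan from the last variable and the
    # monomial with the smaller exponent at the first difference wins.
    return (sum(exps), tuple(-e for e in reversed(exps)))

def leading_monomial(poly, order):
    """poly is a list of (coefficient, {variable: exponent}) terms over GF(10007)."""
    nonzero = (m for c, m in poly if c % 10007)  # ignore terms that vanish mod p
    return max(nonzero, key=lambda m: drl_key(m, order))

# Element 11 of the basis printed by In [9].
LINEAR = [(1, {"x_C_3__1": 1}), (2958, {"y_1": 1}), (10006, {"y_2": 1}), (7471, {})]
# Element 15 of the basis printed by In [9].
QUADRATIC = [(1, {"y_1": 2}), (2119, {"y_1": 1, "y_2": 1}), (644, {"y_2": 2}),
             (653, {"x_E_3__2": 1}), (2532, {"x_E_3__3": 1}), (2255, {"y_1": 1}),
             (9559, {"y_2": 1}), (9051, {"x": 1}), (2238, {})]

def leaders(poly):
    """Leading monomial under the variable order of P and under that of Q."""
    return leading_monomial(poly, ORDER_P), leading_monomial(poly, ORDER_Q)

if __name__ == "__main__":
    print("linear:   ", leaders(LINEAR))
    print("quadratic:", leaders(QUADRATIC))
```

The linear polynomial leads with x_C_3__1 in P and with y_1 in Q, while the quadratic one leads with y_1^2 in both rings.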

Now we compute the DRL Gröbner basis with respect to the efficient term order.

In [15]:
gb_Q = groebner_basis_f4(h(ideal(polys)), nr_thrds=16, info_level=2)


Legend for f4 information
--------------------------------------------------------
deg       current degree of pairs selected in this round
sel       number of pairs selected in this round
pairs     total number of pairs in pair list
mat       matrix dimensions (# rows x # columns)
density   density of the matrix
new data  # new elements for basis in this round
          # zero reductions during linear algebra
time(rd)  time of the current f4 round in seconds given
          for real and cpu time
--------------------------------------------------------

deg     sel   pairs        mat          density            new data         time(rd) in sec (real|cpu)
------------------------------------------------------------------------------------------------------
  1       2      12       3 x 6          66.67%        2 new       0 zero         0.02 | 0.27         
  2      11      11      17 x 23         20.20%       11 new       0 zero         0.05 | 0.58         
  2       5       5      33


--------------- INPUT DATA ---------------
#variables                      18
#equations                      18
#invalid equations               0
field characteristic         10007
homogeneous input?               0
signature-based computation      0
monomial order                 DRL
basis hash table resetting     OFF
linear algebra option            2
initial hash table size     131072 (2^17)
max pair selection             ALL
reduce gb                        1
#threads                        16
info level                       2
generate pbm files               0
------------------------------------------

---------------- TIMINGS ----------------
overall(elapsed)        0.17 sec
overall(cpu)            1.95 sec
select                  0.00 sec   0.0%
symbolic prep.          0.00 sec   0.0%
update                  0.00 sec   0.0%
convert                 0.00 sec   0.0%
linear algebra          0.00 sec   0.0%
reduce gb               0.00 sec   0.0%
--------------------------------

Gröbner basis with elements
  1: x_E_2__3 + 10006*x + 2864
  2: x_E_1__3 + 8273*x + 8948
  3: x_E_2__2 + 10006*x_E_3__3 + 1734*x + 7056
  4: x_E_1__2 + 9966*x_E_3__3 + 10006*x + 1182
  5: x_E_2__1 + 10006*x_E_3__2 + 41*x_E_3__3 + x + 9758
  6: x_E_1__1 + 7082*x_E_3__2 + 10006*x_E_3__3 + 1734*x + 535
  7: x_C_2__2 + 10006*x_E_3__1 + 2925*x_E_3__2 + x_E_3__3 + 8273*x + 3810
  8: x_C_1__2 + 2396*x_E_3__1 + 10006*x_E_3__2 + 41*x_E_3__3 + x + 6787
  9: x_C_3__1 + 9563*x_C_3__2 + 6925*x_E_3__1 + 444*x_E_3__2 + 1810*x_E_3__3 + 9563*x + 5262
  10: x_C_2__1 + 10006*x_C_3__2 + 7611*x_E_3__1 + x_E_3__2 + 9966*x_E_3__3 + 10006*x + 1930
  11: x_C_1__1 + 1868*x_C_3__2 + 10006*x_E_3__1 + 2925*x_E_3__2 + x_E_3__3 + 8273*x + 7749
  12: y_2 + 5448*x_C_3__2 + 9704*x_E_3__1 + 6784*x_E_3__2 + 9094*x_E_3__3 + 2709*x + 72
  13: y_1 + 7695*x_C_3__2 + 6926*x_E_3__1 + 7526*x_E_3__2 + 1809*x_E_3__3 + 1290*x + 3942
  14: x^2 + 6100*x_E_3__3 + 2521*x + 6765
  15: x_E_3__3^2 + 4856*x_E_3__3*x + 6590*x_E_3__2 + 5607