# MiMC Solving Degree For Attack With One Field Equation Remainder
Empirical solving degree for increasing round numbers of MiMC together the remainder of the field equation for the key variable.

Primes: $p \in \{ 5, 11 \}$.

Round numbers: $r \in \{ 3, 4, 5, 6 \}$.

In [1]:
from lazard_gb_algorithm import *
load("MiMC.sage")
load("utilities.sage")

## p = 5, r = 3

In [2]:
p = 5
field = GF(p, "a")

rounds = 3

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 3
Constants: [1, 0, 3]

Plain: 2
Key: 4
Cipher: 4

y^3 - y^2 - x_1 + 2*y + 2
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 2*x_2 - 2*y - 2


In [3]:
highest_degree_component(fe)

x_1*y^2

In [4]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, y over Finite Field of size 5
Input polynomials:
[y^3 - y^2 - x_1 + 2*y + 2, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 2*x_2 - 2*y - 2, x_1*y^2 + x_1*y - x_1 - y + 2]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.09919095039367676
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 0.00021982192993164062
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.016994476318359375
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 0.00014472007751464844
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.000957489013671875
Computing Macaulay matrix.
Time needed: 7.152557373046875e-07
Performing Gaussian Elimination.
Time needed: 0.00012731552124023438
Is

[y^2 - y - 2, x_1 + y - 2, x_2 + 2]

In [5]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, y, h over Finite Field of size 5
Input polynomials:
[y^3 - y^2*h - x_1*h^2 + 2*y*h^2 + 2*h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2*h^2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2*h - 2*x_2*y*h - y^2*h + 2*x_2*h^2 - 2*y*h^2 - 2*h^3, x_1*y^2 + x_1*y*h - x_1*h^2 - y*h^2 + 2*h^3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0007517337799072266
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 0.00013303756713867188
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0020058155059814453
Computing Macaulay matrix.
Time needed: 2.1457672119140625e-06
Performing Gaussian Elimination.
Time needed: 0.0001678466796875
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0016930103302001953
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian E

[x_1*h^7 + y*h^7 - 2*h^8,
 x_2*h^7 + 2*h^8,
 x_2^2*h^5 + 2*x_1*h^6 - x_2*h^6 + 2*y*h^6,
 y^2*h^5 + x_2*h^6 - y*h^6,
 x_1*x_2*h^4 - 2*x_1*h^5 + 2*x_2*h^5 + y*h^5 + 2*h^6,
 x_2*y*h^4 + x_1*h^5 - 2*y*h^5 - 2*h^6,
 x_2*y^2*h^2 + x_2*y*h^3 + 2*y^2*h^3 - 2*x_2*h^4 + 2*y*h^4 + h^5,
 x_1*y*h^3 + y^2*h^3 + x_1*h^4 + 2*x_2*h^4 - y*h^4 + 2*h^5,
 x_1^2*h^2 - y^2*h^2 - y*h^3 + h^4,
 x_1^3 - 2*x_1^2*y + 2*x_1*y*h + y^2*h - x_1*h^2 - x_2*h^2 + y*h^2 + 2*h^3,
 x_2^3 - 2*x_2^2*y - 2*x_2*y^2 - x_2^2*h - 2*x_2*y*h + x_1*h^2 + 2*x_2*h^2 + y*h^2 + h^3,
 x_1*y^2 + x_1*y*h - x_1*h^2 - y*h^2 + 2*h^3,
 y^3 - y^2*h - x_1*h^2 + 2*y*h^2 + 2*h^3]

In [6]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-8) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-10) <-- S(-10)⊕S(-11)⊕S(-11) <-- 0

In [7]:
cm_regularity(res)

8

## p = 5, r = 4

In [8]:
p = 5
field = GF(p, "a")

rounds = 4

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 4
Constants: [3, 3, 2, 0]

Plain: 1
Key: 3
Cipher: 1

y^3 + 2*y^2 - x_1 - 2*y - 1
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 + y - 1


In [9]:
highest_degree_component(fe)

x_1*y^2

In [10]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2 - x_1 - 2*y - 1, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 + y - 1, x_1*y^2 - 2*x_1*y + x_1 - y + 1]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006375312805175781
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 8.869171142578125e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0007910728454589844
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 5.91278076171875e-05
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0014791488647460938
Computing Macaulay matrix.
Time 

[x_1 + 2, x_2 + 1, x_3 + 1, y + 2]

In [11]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y, h over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2*h - x_1*h^2 - 2*y*h^2 - h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2*h - 2*x_1*y*h - y^2*h + 2*x_1*h^2 - x_2*h^2 + 2*y*h^2 + 2*h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 2*x_2*h^2 - x_3*h^2 + 2*y*h^2 - 2*h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 + y*h^2 - h^3, x_1*y^2 - 2*x_1*y*h + x_1*h^2 - y*h^2 + h^3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005726814270019531
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 7.605552673339844e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0017962455749511719
Computing Macaulay matrix.
Time needed: 3.337860107421875e-06
Performing Gaussian Elimination.
Time needed: 0.00022864341735839844
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up 

[x_1*h^9 + 2*h^10,
 x_2*h^9 + h^10,
 x_3*h^9 + h^10,
 y*h^9 + 2*h^10,
 x_2*x_3^2*h^6 + x_1*h^8 + 2*x_2*h^8 - 2*x_3*h^8 + y*h^8,
 x_2*x_3*h^7 + x_3*h^8,
 x_3^2*h^7 + 2*x_2*h^8 - x_3*h^8 + 2*y*h^8 - h^9,
 x_1*x_3*h^6 + x_2*h^7 + x_3*h^7 + y*h^7 + 2*h^8,
 x_3*y*h^6 - x_2*h^7 - 2*x_3*h^7 - y*h^7 - 2*h^8,
 y^2*h^6 - 2*x_1*h^7 + 2*x_2*h^7 - x_3*h^7 + 2*y*h^7 + 2*h^8,
 x_3*y^2*h^4 - 2*x_3*y*h^5 - y^2*h^5 + 2*x_1*h^6 + x_2*h^6 + y*h^6 - h^7,
 x_2^2*h^5 - 2*x_1*h^6 + 2*x_2*h^6 - 2*y*h^6 - 2*h^7,
 x_1*x_2*h^4 - 2*x_1*h^5 + 2*x_2*h^5 + 2*y*h^5,
 x_2*y*h^4 + 2*x_1*h^5 + x_2*h^5 - 2*y*h^5 - h^6,
 x_2*y^2*h^2 - 2*x_2*y*h^3 + y^2*h^3 - 2*y*h^4,
 x_1*y*h^3 + y^2*h^3 + 2*x_1*h^4 + x_2*h^4 + y*h^4 - h^5,
 x_1^2*h^2 - y^2*h^2 + 2*y*h^3 - h^4,
 x_1^3 - 2*x_1^2*y - x_1^2*h - x_1*y*h + 2*y^2*h - x_2*h^2 + 2*y*h^2,
 x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + x_2^2*h + 2*x_2*y*h - y^2*h + x_1*h^2 + 2*x_2*h^2 - x_3*h^2 - y*h^2 - h^3,
 x_3^3 - 2*x_3^2*y - 2*x_3*y^2 - 2*y^2*h + x_1*h^2 - 2*y*h^2,
 x_1*y^2 - 2*x_1*y*h + x_1

In [12]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-11) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13) <-- S(-14)⊕S(-14)⊕S(-14)⊕S(-14) <-- 0

In [13]:
cm_regularity(res)

10

## p = 5, r = 5

In [14]:
p = 5
field = GF(p, "a")

rounds = 5

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 5
Constants: [2, 0, 3, 3, 4]

Plain: 2
Key: 0
Cipher: 0

y^3 + 2*y^2 - x_1 - 2*y - 1
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 2*x_2 - x_3 + 2*y + 2
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - x_4 + 2*y + 2
x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2 - x_4*y + 2*y^2 - 2*x_4 - y - 1


In [15]:
highest_degree_component(fe)

x_1*y^2

In [16]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2 - x_1 - 2*y - 1, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 2*x_2 - x_3 + 2*y + 2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - x_4 + 2*y + 2, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2 - x_4*y + 2*y^2 - 2*x_4 - y - 1, x_1*y^2 - 2*x_1*y + x_1 - y + 1]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006167888641357422
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 7.414817810058594e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0013015270233154297
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 9.679794311523438e-05
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up

[y^2 - y, x_1 - y + 1, x_2 - 2*y + 1, x_3 - 2*y + 2, x_4 + 2*y - 1]

In [17]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y, h over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2*h - x_1*h^2 - 2*y*h^2 - h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2*h^2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2*h - 2*x_2*y*h - y^2*h + 2*x_2*h^2 - x_3*h^2 + 2*y*h^2 + 2*h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2*h - 2*x_3*y*h - y^2*h + 2*x_3*h^2 - x_4*h^2 + 2*y*h^2 + 2*h^3, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2*h - x_4*y*h + 2*y^2*h - 2*x_4*h^2 - y*h^2 - h^3, x_1*y^2 - 2*x_1*y*h + x_1*h^2 - y*h^2 + h^3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005929470062255859
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 8.368492126464844e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0012440681457519531
Computing Macaulay matrix.
Time needed: 2.86102294921875e-06
Performing Gaussian Elimination.
Time needed:

[x_3*h^11 - 2*y*h^11 + 2*h^12,
 x_4*h^11 + 2*y*h^11 - h^12,
 x_3*x_4*h^9 + x_3*h^10 + 2*x_4*h^10 + 2*h^11,
 x_4^2*h^9 + 2*x_3*h^10 - 2*x_4*h^10 + 2*y*h^10,
 y^2*h^9 - 2*x_3*h^10 + x_4*h^10,
 x_1*x_4*h^8 - x_3*h^9 + x_4*h^9 - 2*y*h^9 - 2*h^10,
 x_4*y*h^8 - x_3*h^9 + x_4*h^9 + 2*h^10,
 x_1*h^9 + x_4*h^9 + y*h^9,
 x_4*y^2*h^6 - 2*x_4*y*h^7 + y^2*h^7 - 2*y*h^8,
 x_3^2*h^7 - y^2*h^7 - 2*x_1*h^8 - x_3*h^8 - y*h^8 + 2*h^9,
 x_1*x_3*h^6 - y^2*h^6 + 2*x_3*h^7 - y*h^7 + 2*h^8,
 x_3*y*h^6 + y^2*h^6 + 2*x_1*h^7 + 2*x_3*h^7 - 2*y*h^7 + h^8,
 x_2*h^7 + x_3*h^7 + y*h^7 - 2*h^8,
 x_3*y^2*h^4 - 2*x_3*y*h^5 + x_1*h^6 - y*h^6 + h^7,
 x_2^2*h^5 + 2*x_1*h^6 - 2*x_2*h^6 + 2*y*h^6 - h^7,
 x_1*x_2*h^4 + 2*x_1*h^5 - 2*x_2*h^5 - 2*y*h^5 - h^6,
 x_2*y*h^4 - 2*x_1*h^5 + 2*x_2*h^5 + 2*y*h^5,
 x_2*y^2*h^2 - 2*x_2*y*h^3 - y^2*h^3 + 2*y*h^4,
 x_1*y*h^3 + y^2*h^3 + x_1*h^4 - x_2*h^4,
 x_1^2*h^2 - y^2*h^2 + 2*y*h^3 - h^4,
 x_1^3 - 2*x_1^2*y + x_1*y*h - 2*y^2*h - 2*x_1*h^2 - x_2*h^2 - 2*h^3,
 x_2^3 - 2*x_2^2*y - 2*x_2*y

In [18]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-12) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-14) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16) <-- S(-16)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17) <-- 0

In [19]:
cm_regularity(res)

12

## p = 5, r = 6

In [20]:
p = 5
field = GF(p, "a")

rounds = 6

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 6
Constants: [1, 0, 3, 3, 4, 3]

Plain: 0
Key: 3
Cipher: 2

y^3 - 2*y^2 - x_1 - 2*y + 1
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 2*x_2 - x_3 + 2*y + 2
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - x_4 + 2*y + 2
x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2 - x_4*y + 2*y^2 - 2*x_4 - x_5 - 2*y - 1
x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 - x_5^2 - 2*x_5*y - y^2 + 2*x_5 - 2*y


In [21]:
highest_degree_component(fe)

x_1*y^2

In [22]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y over Finite Field of size 5
Input polynomials:
[y^3 - 2*y^2 - x_1 - 2*y + 1, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 2*x_2 - x_3 + 2*y + 2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - x_4 + 2*y + 2, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2 - x_4*y + 2*y^2 - 2*x_4 - x_5 - 2*y - 1, x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 - x_5^2 - 2*x_5*y - y^2 + 2*x_5 - 2*y, x_1*y^2 + 2*x_1*y + x_1 - y - 1]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006852149963378906
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 8.58306884765625e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0015079975128173828
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 7

[x_5^2 + 2*x_5,
 x_5*y + 2*x_5,
 y^2 + 2*x_5 - y - 2,
 x_1 - x_5 + y + 1,
 x_2 + 2*x_5 + 1,
 x_3 + 2*x_5 - y - 2,
 x_4 + x_5 + y - 1]

In [23]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y, h over Finite Field of size 5
Input polynomials:
[y^3 - 2*y^2*h - x_1*h^2 - 2*y*h^2 + h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2*h^2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2*h - 2*x_2*y*h - y^2*h + 2*x_2*h^2 - x_3*h^2 + 2*y*h^2 + 2*h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2*h - 2*x_3*y*h - y^2*h + 2*x_3*h^2 - x_4*h^2 + 2*y*h^2 + 2*h^3, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2*h - x_4*y*h + 2*y^2*h - 2*x_4*h^2 - x_5*h^2 - 2*y*h^2 - h^3, x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 - x_5^2*h - 2*x_5*y*h - y^2*h + 2*x_5*h^2 - 2*y*h^2, x_1*y^2 + 2*x_1*y*h + x_1*h^2 - y*h^2 - h^3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006086826324462891
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 9.846687316894531e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.002295255661010742


[x_3*h^13 + 2*x_5*h^13 - y*h^13 - 2*h^14,
 x_4*h^13 + x_5*h^13 + y*h^13 - h^14,
 x_5^2*h^11 + x_4*h^12 - 2*x_5*h^12 + y*h^12 - h^13,
 x_3*x_5*h^10 + x_4*h^11 + 2*x_5*h^11 + y*h^11 - h^12,
 x_4*x_5*h^10 + 2*x_3*h^11 + x_4*h^11 - y*h^11,
 x_5*y*h^10 - 2*x_3*h^11 + 2*x_4*h^11 - y*h^11 + 2*h^12,
 x_2*h^11 - x_3*h^11 + 2*x_4*h^11 + 2*x_5*h^11 - 2*y*h^11 + h^12,
 x_2*x_4*h^9 - x_2*h^10 - x_3*h^10 + 2*h^11,
 x_4^2*h^9 - 2*x_3*h^10 - x_4*h^10 + 2*y*h^10 + 2*h^11,
 x_1*x_4*h^8 + x_2*h^9 + 2*x_3*h^9 + x_4*h^9 - 2*y*h^9,
 x_3*x_4*h^8 - 2*x_2*h^9 + x_4*h^9 - 2*y*h^9 + 2*h^10,
 x_4*y*h^8 - 2*x_2*h^9 + 2*x_3*h^9 - x_4*h^9 + 2*y*h^9 + 2*h^10,
 x_1*h^9 + 2*x_3*h^9 + 2*x_4*h^9 + y*h^9,
 x_2*x_3^2*h^6 - x_1*x_4*h^7 - x_3*x_4*h^7 + x_4*y*h^7 - x_1*h^8 + x_2*h^8 - 2*y*h^8 - h^9,
 x_2*x_3*h^7 + x_2*h^8 + x_3*h^8 + h^9,
 x_3^2*h^7 + 2*x_2*h^8 - 2*x_3*h^8 + 2*y*h^8,
 x_1*x_3*h^6 + x_1*h^7 + x_2*h^7 - x_3*h^7 + y*h^7 - 2*h^8,
 x_3*y*h^6 - x_2*h^7 + 2*x_3*h^7 - 2*h^8,
 y^2*h^6 - 2*x_1*h^7 - 2*x_3*h^7 - y*h^7,


In [24]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-14)⊕S(-14) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-17) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(

In [25]:
cm_regularity(res)

14

## p = 11, r = 3

In [26]:
p = 11
field = GF(p, "a")

rounds = 3

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 3
Constants: [5, 9, 7]

Plain: 8
Key: 9
Cipher: 0

y^3 - 5*y^2 - x_1 + y - 3
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 5*x_1^2 - x_1*y + 5*y^2 + x_1 - x_2 + y + 3
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 4*x_2 + 5*y + 2


In [27]:
highest_degree_component(fe)

x_1^2*y^2

In [28]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, y over Finite Field of size 11
Input polynomials:
[y^3 - 5*y^2 - x_1 + y - 3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 5*x_1^2 - x_1*y + 5*y^2 + x_1 - x_2 + y + 3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 4*x_2 + 5*y + 2, x_1^2*y^2 - x_1^2*y + 4*x_1*y^2 + x_2*y^2 + 4*x_1^2 + 4*x_2*y - 5*y^2 - 5*x_1 + x_2 + 2*y - 3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0008199214935302734
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 0.00046372413635253906
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.002127408981323242
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 0.00018262863159179688
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0012793540954589844
Computing Macaulay matrix.
T

[x_1, x_2 - 2, y + 2]

In [29]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, y, h over Finite Field of size 11
Input polynomials:
[y^3 - 5*y^2*h - x_1*h^2 + y*h^2 - 3*h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 5*x_1^2*h - x_1*y*h + 5*y^2*h + x_1*h^2 - x_2*h^2 + y*h^2 + 3*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2*h - 2*x_2*y*h - y^2*h + 4*x_2*h^2 + 5*y*h^2 + 2*h^3, x_1^2*y^2 - x_1^2*y*h + 4*x_1*y^2*h + x_2*y^2*h + 4*x_1^2*h^2 + 4*x_2*y*h^2 - 5*y^2*h^2 - 5*x_1*h^3 + x_2*h^3 + 2*y*h^3 - 3*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005686283111572266
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 8.177757263183594e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0011072158813476562
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 0.0001277923583984375
Is Groebner Basis: False

--- Degree 2 ---
Computing 

[x_1*h^8,
 x_2*h^8 - 2*h^9,
 y*h^8 + 2*h^9,
 x_2*y^2*h^5 + x_1*h^7 + 4*x_2*h^7 + 2*y*h^7 - h^8,
 x_1*x_2*h^6 - 5*x_1*h^7 - 3*x_2*h^7 - 2*y*h^7 + 2*h^8,
 x_2^2*h^6 + 4*x_1*h^7 - x_2*h^7 + 4*y*h^7 - 5*h^8,
 x_1*y*h^6 - 4*x_1*h^7 + 3*y*h^7 - 5*h^8,
 x_2*y*h^6 + 5*x_1*h^7 + 2*x_2*h^7 - y*h^7 - 2*h^8,
 y^2*h^6 + 5*x_1*h^7 - x_2*h^7 - 2*y*h^7 + 5*h^8,
 x_1*x_2^2*h^4 - 4*x_2*y^2*h^4 + 2*x_1*x_2*h^5 - 5*x_2^2*h^5 - x_1*y*h^5 - 4*x_2*y*h^5 + 3*x_1*h^6 + 2*x_2*h^6 - 5*y*h^6,
 x_2^2*y*h^4 - 5*x_2*y^2*h^4 - 2*x_1*x_2*h^5 - 2*x_2^2*h^5 + x_1*y*h^5 + 3*x_2*y*h^5 + 5*y^2*h^5 - 4*x_1*h^6 - 4*x_2*h^6 - 3*y*h^6 - 5*h^7,
 x_1*y^2*h^4 + 4*x_2*y^2*h^4 - 2*x_1*x_2*h^5 + x_2^2*h^5 - 3*x_1*y*h^5 - 3*x_2*y*h^5 - 2*y^2*h^5 + 2*x_1*h^6 + x_2*h^6 - 3*y*h^6 - 4*h^7,
 x_1^2*h^5 - 3*x_1*x_2*h^5 + 4*x_2^2*h^5 + 4*x_1*y*h^5 + 5*x_2*y*h^5 - 4*y^2*h^5 - 5*x_1*h^6 + 5*x_2*h^6 + y*h^6 + h^7,
 x_2^2*y^2*h^2 - 4*x_1*x_2^2*h^3 + 5*x_2^2*y*h^3 - 4*x_1*y^2*h^3 - x_2*y^2*h^3 + 5*x_1^2*h^4 - 3*x_1*x_2*h^4 - x_2^2*h^4 - 5*x_1*y*h

In [30]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-4) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-10) <-- S(-9)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-11)⊕S(-11)⊕S(-11) <-- S(-12)⊕S(-12)⊕S(-12) <-- 0

In [31]:
cm_regularity(res)

9

## p = 11, r = 4

In [32]:
p = 11
field = GF(p, "a")

rounds = 4

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 4
Constants: [1, 8, 4, 4]

Plain: 8
Key: 8
Cipher: 0

y^3 + 5*y^2 - x_1 + y + 3
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 2*x_1^2 + 4*x_1*y + 2*y^2 + 5*x_1 - x_2 + 5*y - 5
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 4*x_2 - x_3 + 4*y - 2
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + x_3^2 + 2*x_3*y + y^2 + 4*x_3 + 5*y - 2


In [33]:
highest_degree_component(fe)

3*x_1^2*y^2

In [34]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y over Finite Field of size 11
Input polynomials:
[y^3 + 5*y^2 - x_1 + y + 3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 2*x_1^2 + 4*x_1*y + 2*y^2 + 5*x_1 - x_2 + 5*y - 5, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 4*x_2 - x_3 + 4*y - 2, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + x_3^2 + 2*x_3*y + y^2 + 4*x_3 + 5*y - 2, 3*x_1^2*y^2 + 5*x_1^2*y + 5*x_1*y^2 + x_2*y^2 - 3*x_1^2 - 2*x_1*y - 4*x_2*y + 3*y^2 + 4*x_1 + x_2 - 4*y + 4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006618499755859375
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 0.00010895729064941406
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0010232925415039062
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 6.937980651855469e-05
Is Groebner Basis: False

--- Degr

[y^2 + 2, x_1 + y - 4, x_2 - 1, x_3 + 4*y + 4]

In [35]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y, h over Finite Field of size 11
Input polynomials:
[y^3 + 5*y^2*h - x_1*h^2 + y*h^2 + 3*h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 2*x_1^2*h + 4*x_1*y*h + 2*y^2*h + 5*x_1*h^2 - x_2*h^2 + 5*y*h^2 - 5*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 4*x_2*h^2 - x_3*h^2 + 4*y*h^2 - 2*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + x_3^2*h + 2*x_3*y*h + y^2*h + 4*x_3*h^2 + 5*y*h^2 - 2*h^3, 3*x_1^2*y^2 + 5*x_1^2*y*h + 5*x_1*y^2*h + x_2*y^2*h - 3*x_1^2*h^2 - 2*x_1*y*h^2 - 4*x_2*y*h^2 + 3*y^2*h^2 + 4*x_1*h^3 + x_2*h^3 - 4*y*h^3 + 4*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006000995635986328
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 7.510185241699219e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0015079975128173828
Computing Macaulay matrix.
Time needed: 1.6689300

[x_1*h^10 + y*h^10 - 4*h^11,
 x_2*h^10 - h^11,
 x_3*h^10 + 4*y*h^10 + 4*h^11,
 x_2*x_3^2*h^7 + 2*x_2*h^9 + y*h^9 + 3*h^10,
 x_3^2*y*h^7 + 3*x_1*h^9 - 4*x_2*h^9 + 5*x_3*h^9 - 5*y*h^9 - h^10,
 x_1*x_3*h^8 - 4*x_1*h^9 + 4*x_2*h^9 + x_3*h^9 + y*h^9 - 4*h^10,
 x_2*x_3*h^8 + 5*x_1*h^9 + 2*x_2*h^9 - x_3*h^9 + 5*y*h^9,
 x_3^2*h^8 - 4*x_1*h^9 + 5*x_2*h^9 - 5*x_3*h^9 - y*h^9 - 4*h^10,
 x_1*y*h^8 - x_1*h^9 - x_2*h^9 - 5*x_3*h^9 - 3*y*h^9 + 5*h^10,
 x_2*y*h^8 - 5*x_1*h^9 - 3*x_2*h^9 + 4*x_3*h^9 - y*h^9 - 5*h^10,
 x_3*y*h^8 - 3*x_1*h^9 - 2*x_3*h^9 + 4*y*h^9 - 4*h^10,
 y^2*h^8 + x_1*h^9 + x_2*h^9 + 5*x_3*h^9 - y*h^9 - 5*h^10,
 x_2^2*x_3^2*h^5 - 5*x_2*x_3^2*y*h^5 + x_2*x_3^2*h^6 - 5*x_3^2*y*h^6 + 2*x_1*x_3*h^7 - 4*x_2*x_3*h^7 - 5*x_3^2*h^7 - x_1*y*h^7 + x_3*y*h^7 + 4*y^2*h^7 + x_1*h^8 - 3*x_2*h^8 + x_3*h^8 + y*h^8 - 2*h^9,
 x_2^2*x_3*h^6 - 2*x_1*x_3*h^7 - 5*x_3^2*h^7 - 2*x_2*y*h^7 - x_3*y*h^7 - 2*y^2*h^7 + 5*x_2*h^8 - 5*x_3*h^8 - 3*y*h^8 - 2*h^9,
 x_1*x_3^2*h^6 - 3*x_3^2*y*h^6 + 3*x_1*x_3*h^7 + 3*x_3

In [36]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-4) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-11) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-13) <-- S(-12)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-14)⊕S(-14)⊕S(-14) <-- S(-14)⊕S(-15)⊕S(-15)⊕S(-15) <-- 0

In [37]:
cm_regularity(res)

11

## p = 11, r = 5

In [38]:
p = 11
field = GF(p, "a")

rounds = 5

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 5
Constants: [7, 6, 7, 5, 2]

Plain: 4
Key: 0
Cipher: 1

y^3 - x_1
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 4*x_1^2 + 3*x_1*y - 4*y^2 - 2*x_1 - x_2 - 2*y - 4
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 4*x_2 - x_3 + 4*y + 2
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 4*x_3^2 - 3*x_3*y + 4*y^2 - 2*x_3 - x_4 - 2*y + 4
x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 5*x_4^2 + x_4*y - 5*y^2 + x_4 + 2*y - 4


In [39]:
highest_degree_component(fe)

4*x_1^2*y^2

In [40]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y over Finite Field of size 11
Input polynomials:
[y^3 - x_1, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 4*x_1^2 + 3*x_1*y - 4*y^2 - 2*x_1 - x_2 - 2*y - 4, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 4*x_2 - x_3 + 4*y + 2, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 4*x_3^2 - 3*x_3*y + 4*y^2 - 2*x_3 - x_4 - 2*y + 4, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 5*x_4^2 + x_4*y - 5*y^2 + x_4 + 2*y - 4, 4*x_1^2*y^2 - 5*x_1^2*y - x_1*y^2 + x_2*y^2 - 4*x_1^2 + 2*x_1*y + 3*y^2 - x_1 - 3*x_2 + 4*y - 1]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006682872772216797
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 7.653236389160156e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0009202957153320312
Computing Macaulay matrix.
Time needed: 2.384185791015625e-06
Performing Gaussian Elimination.
Time

[x_1, x_2 + 4, x_3 - 5, x_4 + 1, y]

In [41]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y, h over Finite Field of size 11
Input polynomials:
[y^3 - x_1*h^2, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 4*x_1^2*h + 3*x_1*y*h - 4*y^2*h - 2*x_1*h^2 - x_2*h^2 - 2*y*h^2 - 4*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2*h - 2*x_2*y*h - y^2*h + 4*x_2*h^2 - x_3*h^2 + 4*y*h^2 + 2*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 4*x_3^2*h - 3*x_3*y*h + 4*y^2*h - 2*x_3*h^2 - x_4*h^2 - 2*y*h^2 + 4*h^3, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 5*x_4^2*h + x_4*y*h - 5*y^2*h + x_4*h^2 + 2*y*h^2 - 4*h^3, 4*x_1^2*y^2 - 5*x_1^2*y*h - x_1*y^2*h + x_2*y^2*h - 4*x_1^2*h^2 + 2*x_1*y*h^2 + 3*y^2*h^2 - x_1*h^3 - 3*x_2*h^3 + 4*y*h^3 - h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005741119384765625
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 9.250640869140625e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed

[x_1*h^12,
 x_2*h^12 + 4*h^13,
 x_3*h^12 - 5*h^13,
 x_4*h^12 + h^13,
 y*h^12,
 x_3*x_4^2*h^9 - 4*x_1*h^11 + x_2*h^11 + 5*x_3*h^11 - 4*x_4*h^11 - 5*y*h^11 + 3*h^12,
 x_4^2*y*h^9 + 5*x_1*h^11 + 3*x_2*h^11 + 4*x_3*h^11 - x_4*h^11 + y*h^11 + 2*h^12,
 x_3*x_4*h^10 - 3*x_1*h^11 - x_2*h^11 + 2*x_3*h^11 - 3*x_4*h^11 - h^12,
 x_4^2*h^10 + x_1*h^11 + 5*x_3*h^11 - 3*x_4*h^11 - 3*y*h^11 + 4*h^12,
 x_1*y*h^10 - 2*x_1*h^11 - x_2*h^11 - 3*x_3*h^11 - 2*y*h^11,
 x_2*y*h^10 - 3*x_1*h^11 + 5*x_2*h^11 - 2*x_3*h^11 + 4*x_4*h^11 - 5*y*h^11 + h^12,
 x_3*y*h^10 - x_1*h^11 - 5*x_2*h^11 + 5*x_3*h^11 - 5*x_4*h^11 - 5*y*h^11 + 5*h^12,
 x_4*y*h^10 - 2*x_1*h^11 - 2*x_2*h^11 + 5*x_3*h^11 - 5*x_4*h^11 + 3*y*h^11 - 5*h^12,
 y^2*h^10 - x_2*h^11 - x_3*h^11 - 2*x_4*h^11 - y*h^11 - h^12,
 x_3^2*x_4*h^8 + 4*x_3*x_4*h^9 - 2*x_1*y*h^9 - 4*x_2*y*h^9 - 2*x_3*y*h^9 - 4*x_4*y*h^9 - y^2*h^9 + 2*x_1*h^10 + 2*x_2*h^10 - 3*x_3*h^10 - 5*x_4*h^10 - 3*y*h^10 - 3*h^11,
 x_3*x_4*y*h^8 - 2*x_3*x_4*h^9 - 5*x_1*y*h^9 + x_2*y*h^9 + 3*x_3*y*h

In [42]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-4) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-14) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16) <-- S(-15)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17) <-- S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18) <-- 0

In [43]:
cm_regularity(res)

13

## p = 11, r = 6

In [44]:
p = 11
field = GF(p, "a")

rounds = 6

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 6
Constants: [2, 4, 9, 1, 1, 3]

Plain: 2
Key: 3
Cipher: 5

y^3 + y^2 - x_1 + 4*y - 2
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 4*x_1 - x_2 + 4*y - 2
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 5*x_2^2 - x_2*y + 5*y^2 + x_2 - x_3 + y + 3
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 3*x_3^2 - 5*x_3*y + 3*y^2 + 3*x_3 - x_4 + 3*y + 1
x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + 3*x_4^2 - 5*x_4*y + 3*y^2 + 3*x_4 - x_5 + 3*y + 1
x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 - 2*x_5^2 - 4*x_5*y - 2*y^2 + 5*x_5 - 5*y


In [45]:
highest_degree_component(fe)

-5*x_1^2*y - 3*x_1*y^2 + x_2*y^2

In [46]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y over Finite Field of size 11
Input polynomials:
[y^3 + y^2 - x_1 + 4*y - 2, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 4*x_1 - x_2 + 4*y - 2, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 5*x_2^2 - x_2*y + 5*y^2 + x_2 - x_3 + y + 3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 3*x_3^2 - 5*x_3*y + 3*y^2 + 3*x_3 - x_4 + 3*y + 1, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + 3*x_4^2 - 5*x_4*y + 3*y^2 + 3*x_4 - x_5 + 3*y + 1, x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 - 2*x_5^2 - 4*x_5*y - 2*y^2 + 5*x_5 - 5*y, -5*x_1^2*y - 3*x_1*y^2 + x_2*y^2 + 2*x_1^2 - 2*x_1*y - 3*x_2*y - x_1 + 2*x_2 - y - 4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0007574558258056641
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 0.00015616416931152344
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.001965761184692383
Comput

[y^2 - 4*y + 3, x_1 + y - 5, x_2 - 3, x_3 + 5*y - 2, x_4 + y, x_5 - 1]

In [47]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y, h over Finite Field of size 11
Input polynomials:
[y^3 + y^2*h - x_1*h^2 + 4*y*h^2 - 2*h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + x_1^2*h + 2*x_1*y*h + y^2*h + 4*x_1*h^2 - x_2*h^2 + 4*y*h^2 - 2*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 5*x_2^2*h - x_2*y*h + 5*y^2*h + x_2*h^2 - x_3*h^2 + y*h^2 + 3*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 3*x_3^2*h - 5*x_3*y*h + 3*y^2*h + 3*x_3*h^2 - x_4*h^2 + 3*y*h^2 + h^3, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + 3*x_4^2*h - 5*x_4*y*h + 3*y^2*h + 3*x_4*h^2 - x_5*h^2 + 3*y*h^2 + h^3, x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 - 2*x_5^2*h - 4*x_5*y*h - 2*y^2*h + 5*x_5*h^2 - 5*y*h^2, -5*x_1^2*y - 3*x_1*y^2 + x_2*y^2 + 2*x_1^2*h - 2*x_1*y*h - 3*x_2*y*h - x_1*h^2 + 2*x_2*h^2 - y*h^2 - 4*h^3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0008540153503417969
Computing Macaulay matrix.
Time needed: 2.1457672119140625e-06
Performing Gaussian Elimination.
Time needed: 0.0002050

[x_1*h^13 + y*h^13 - 5*h^14,
 x_2*h^13 - 3*h^14,
 x_3*h^13 + 5*y*h^13 - 2*h^14,
 x_4*h^13 + y*h^13,
 x_5*h^13 - h^14,
 x_4*x_5^2*h^10 + 2*x_1*h^12 + 3*x_2*h^12 - 2*x_4*h^12 - 4*x_5*h^12 + y*h^12 - 4*h^13,
 x_5^2*y*h^10 - 5*x_1*h^12 - x_2*h^12 + x_3*h^12 + 3*x_4*h^12 + 5*x_5*h^12 + 2*y*h^12 - h^13,
 x_4*x_5*h^11 + 4*x_1*h^12 - 2*x_2*h^12 + 5*x_3*h^12 + 2*x_4*h^12 + 3*x_5*h^12 - y*h^12 - 5*h^13,
 x_5^2*h^11 - 5*x_1*h^12 + x_2*h^12 + 2*x_3*h^12 - 3*x_5*h^12 + 5*y*h^12 - 2*h^13,
 x_3*y*h^11 + x_1*h^12 - 5*x_2*h^12 - 4*x_3*h^12 - 3*x_4*h^12 + 5*x_5*h^12 - 4*y*h^12 - 2*h^13,
 x_4*y*h^11 + x_1*h^12 - x_2*h^12 + 3*x_3*h^12 - x_4*h^12 - 5*x_5*h^12 - 3*y*h^12 + 5*h^13,
 x_5*y*h^11 + x_1*h^12 + 5*x_2*h^12 + 2*x_3*h^12 + 2*x_4*h^12 + 5*x_5*h^12 + y*h^12 + 4*h^13,
 y^2*h^11 + x_1*h^12 - 4*x_2*h^12 + 5*x_3*h^12 + 3*x_4*h^12 - x_5*h^12 + 3*y*h^12 + h^13,
 x_1*x_5*h^10 + x_3*y*h^10 - 4*x_4*y*h^10 + 4*x_5*y*h^10 + 2*y^2*h^10 - 3*x_1*h^11 - 4*x_2*h^11 + x_3*h^11 - 4*x_4*h^11 + 2*x_5*h^11 - h^12,
 x_2*x_

In [48]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-14) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-16) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(

In [49]:
cm_regularity(res)

14