# MiMC Solving Degree For Attack With One Field Equation
Empirical solving degree for increasing round numbers of MiMC together with the field equation for the key variable.

Primes: $p \in \{ 5, 11 \}$.

Round numbers: $r \in \{ 3, 4, 5, 6 \}$.

In [1]:
# Star import: every public name of lazard_gb_algorithm lands in the notebook namespace.
from lazard_gb_algorithm import *
# load() executes the given .sage files inside this session, so both files should come
# from the same trusted checkout as this notebook.
load("MiMC.sage")
load("utilities.sage")

## p = 5, r = 3

In [2]:
# Instance parameters for this section.
p = 5
rounds = 3
field = GF(p, "a")

# Building the cipher prints the "MiMC Parameters" summary (field, r, constants).
mimc = MiMC(field=field, rounds=rounds)
print()

# One plaintext/ciphertext pair under a random key.
# NOTE(review): no seed is set in the visible cells, so a re-run draws a different
# instance than the one recorded in the output.
plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

# Polynomial model of the cipher for the known pair (plain, cipher).
polys = mimc.generate_polynomials(plain, cipher, info_level=0)
variables = polys[0].parent().gens()
I = ideal(polys)

# Field equation v^q - v for the last ring variable (the key variable y), q = |field|.
fe = variables[-1] ** field.order() - variables[-1]

# Homogenized copies of the system and of the field equation.
polys_h = [f.homogenize() for f in polys]
fe_h = fe.homogenize()

print()
for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 3
Constants: [3, 3, 2]

Plain: 0
Key: 3
Cipher: 0

y^3 - y^2 - x_1 + 2*y + 2
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - 2*y - 2


In [3]:
# Affine system: the round polynomials plus the field equation fe for the key variable.
# The call logs every degree step (monomials, Macaulay matrix, Gaussian elimination)
# and the cell displays the list of polynomials it returns.
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, y over Finite Field of size 5
Input polynomials:
[y^3 - y^2 - x_1 + 2*y + 2, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - 2*y - 2, y^5 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.11078882217407227
Computing Macaulay matrix.
Time needed: 2.384185791015625e-06
Performing Gaussian Elimination.
Time needed: 0.0006287097930908203
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.021011829376220703
Computing Macaulay matrix.
Time needed: 2.1457672119140625e-06
Performing Gaussian Elimination.
Time needed: 0.00014734268188476562
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0012011528015136719
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 0.000

[y^2 - 2*y + 2, x_1 - 2*y, x_2 - 2*y - 2]

In [4]:
# Same degree-by-degree computation on the homogenized system: polys_h plus the
# homogenized field equation fe_h.
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, y, h over Finite Field of size 5
Input polynomials:
[y^3 - y^2*h - x_1*h^2 + 2*y*h^2 + 2*h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2*h - 2*x_1*y*h - y^2*h + 2*x_1*h^2 - x_2*h^2 + 2*y*h^2 + 2*h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 2*x_2*h^2 - 2*y*h^2 - 2*h^3, y^5 - y*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.001622915267944336
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian Elimination.
Time needed: 0.000133514404296875
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0012362003326416016
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 0.00014162063598632812
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0016133785247802734
Computing Macaulay matrix.
Time needed: 1.4305114746093

[x_2*h^9 - 2*y*h^9 - 2*h^10,
 x_2*y*h^7 + x_2*h^8 + 2*y*h^8 + 2*h^9,
 y^2*h^7 - x_2*h^8 - h^9,
 x_2^2*h^6 + 2*x_2*y*h^6 + x_2*h^7,
 x_2*y^2*h^4 + x_2*y*h^5 - 2*x_2*h^6,
 x_1*h^6 + x_2*h^6 + y*h^6 - 2*h^7,
 x_1^2*h^4 - y^2*h^4 - y*h^5 + h^6,
 x_1*y^2*h^2 + x_1*y*h^3 - x_1*h^4 - y*h^4 + 2*h^5,
 x_1^3 - 2*x_1^2*y - 2*x_1*y^2 - x_1^2*h - 2*x_1*y*h - 2*x_1*h^2 - x_2*h^2,
 x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + x_2^2*h + 2*x_2*y*h + 2*y^2*h + x_1*h^2 + 2*x_2*h^2 + y*h^2 + h^3,
 y^3 - y^2*h - x_1*h^2 + 2*y*h^2 + 2*h^3]

In [5]:
# Minimal graded free resolution of the ideal generated by the homogenized system.
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
# Bare name as last expression: the notebook displays the resolution.
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-5) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-10) <-- S(-9)⊕S(-12)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11) <-- S(-13)⊕S(-13)⊕S(-12) <-- 0

In [6]:
# Regularity value computed from the resolution `res`. cm_regularity is not defined in
# this notebook (presumably it comes from utilities.sage; by its name, the
# Castelnuovo-Mumford regularity). TODO confirm.
cm_regularity(res)

10

## p = 5, r = 4

In [7]:
# Instance parameters for this section.
p = 5
rounds = 4
field = GF(p, "a")

# Building the cipher prints the "MiMC Parameters" summary (field, r, constants).
mimc = MiMC(field=field, rounds=rounds)
print()

# One plaintext/ciphertext pair under a random key.
# NOTE(review): no seed is set in the visible cells, so a re-run draws a different
# instance than the one recorded in the output.
plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

# Polynomial model of the cipher for the known pair (plain, cipher).
polys = mimc.generate_polynomials(plain, cipher, info_level=0)
variables = polys[0].parent().gens()
I = ideal(polys)

# Field equation v^q - v for the last ring variable (the key variable y), q = |field|.
fe = variables[-1] ** field.order() - variables[-1]

# Homogenized copies of the system and of the field equation.
polys_h = [f.homogenize() for f in polys]
fe_h = fe.homogenize()

print()
for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 4
Constants: [4, 4, 2, 2]

Plain: 0
Key: 3
Cipher: 3

y^3 + 2*y^2 - x_1 - 2*y - 1
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + 2*x_1^2 - x_1*y + 2*y^2 - 2*x_1 - x_2 - 2*y - 1
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 + x_3^2 + 2*x_3*y + y^2 + 2*x_3 - 2*y


In [8]:
# Affine system: the round polynomials plus the field equation fe for the key variable.
# The call logs every degree step (monomials, Macaulay matrix, Gaussian elimination)
# and the cell displays the list of polynomials it returns.
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2 - x_1 - 2*y - 1, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + 2*x_1^2 - x_1*y + 2*y^2 - 2*x_1 - x_2 - 2*y - 1, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 + x_3^2 + 2*x_3*y + y^2 + 2*x_3 - 2*y, y^5 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006251335144042969
Computing Macaulay matrix.
Time needed: 2.1457672119140625e-06
Performing Gaussian Elimination.
Time needed: 8.392333984375e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0009336471557617188
Computing Macaulay matrix.
Time needed: 1.3113021850585938e-05
Performing Gaussian Elimination.
Time needed: 7.224082946777344e-05
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0013048648834228516
Computing Macaulay matri

[x_1 + 2, x_2, x_3, y + 2]

In [9]:
# Same degree-by-degree computation on the homogenized system: polys_h plus the
# homogenized field equation fe_h.
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y, h over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2*h - x_1*h^2 - 2*y*h^2 - h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + 2*x_1^2*h - x_1*y*h + 2*y^2*h - 2*x_1*h^2 - x_2*h^2 - 2*y*h^2 - h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 2*x_2*h^2 - x_3*h^2 + 2*y*h^2 - 2*h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 + x_3^2*h + 2*x_3*y*h + y^2*h + 2*x_3*h^2 - 2*y*h^2, y^5 - y*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006539821624755859
Computing Macaulay matrix.
Time needed: 3.0994415283203125e-06
Performing Gaussian Elimination.
Time needed: 0.00016927719116210938
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.003411531448364258
Computing Macaulay matrix.
Time needed: 2.1457672119140625e-06
Performing Gaussian Elimination.
Time needed: 0.00016546249389648438
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomi

[x_2*h^11,
 x_3*h^11,
 y*h^11 + 2*h^12,
 x_2*x_3^2*y*h^7 - x_2*h^10 - x_3*h^10 - 2*y*h^10 + h^11,
 x_3*y*h^9 - x_3*h^10 + y*h^10 + 2*h^11,
 x_2*x_3*h^8 - x_3*y*h^8 + 2*x_2*h^9 - y*h^9 - 2*h^10,
 x_3^2*h^8 + 2*x_2*h^9 + x_3*h^9 - 2*y*h^9 + h^10,
 x_2*y*h^8 + 2*x_3*y*h^8 - 2*x_2*h^9 + 2*y*h^9 - h^10,
 x_3*y^2*h^6 - x_2*y*h^7 - 2*x_3*y*h^7 - x_2*h^8 - x_3*h^8 - 2*y*h^8 + h^9,
 y^2*h^7 - 2*x_2*h^8 + x_3*h^8 + 2*y*h^8,
 x_2^2*h^6 + 2*x_2*y*h^6 - 2*x_2*h^7,
 x_2*y^2*h^4 - 2*x_2*y*h^5,
 x_1*h^6 + x_2*h^6 + y*h^6 - h^7,
 x_1^2*h^4 - y^2*h^4 + 2*y*h^5 - h^6,
 x_1*y^2*h^2 - 2*x_1*y*h^3 + x_1*h^4 - y*h^4 + h^5,
 x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + 2*x_1^2*h - x_1*y*h - x_1*h^2 - x_2*h^2,
 x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + x_2^2*h + 2*x_2*y*h - y^2*h + x_1*h^2 + 2*x_2*h^2 - x_3*h^2 - y*h^2 - h^3,
 x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + x_3^2*h + 2*x_3*y*h - y^2*h + x_1*h^2 + 2*x_3*h^2 + h^3,
 y^3 + 2*y^2*h - x_1*h^2 - 2*y*h^2 - h^3]

In [10]:
# Minimal graded free resolution of the ideal generated by the homogenized system.
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
# Bare name as last expression: the notebook displays the resolution.
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-5) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-13) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14) <-- S(-12)⊕S(-15)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15) <-- S(-16)⊕S(-16)⊕S(-16)⊕S(-16) <-- 0

In [11]:
# Regularity value computed from the resolution `res`. cm_regularity is not defined in
# this notebook (presumably it comes from utilities.sage; by its name, the
# Castelnuovo-Mumford regularity). TODO confirm.
cm_regularity(res)

12

## p = 5, r = 5

In [12]:
# Instance parameters for this section.
p = 5
rounds = 5
field = GF(p, "a")

# Building the cipher prints the "MiMC Parameters" summary (field, r, constants).
mimc = MiMC(field=field, rounds=rounds)
print()

# One plaintext/ciphertext pair under a random key.
# NOTE(review): no seed is set in the visible cells, so a re-run draws a different
# instance than the one recorded in the output.
plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

# Polynomial model of the cipher for the known pair (plain, cipher).
polys = mimc.generate_polynomials(plain, cipher, info_level=0)
variables = polys[0].parent().gens()
I = ideal(polys)

# Field equation v^q - v for the last ring variable (the key variable y), q = |field|.
fe = variables[-1] ** field.order() - variables[-1]

# Homogenized copies of the system and of the field equation.
polys_h = [f.homogenize() for f in polys]
fe_h = fe.homogenize()

print()
for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 5
Constants: [4, 2, 2, 3, 4]

Plain: 0
Key: 3
Cipher: 4

y^3 + 2*y^2 - x_1 - 2*y - 1
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 2*x_1 - x_2 + 2*y - 2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - x_4 + 2*y + 2
x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2 - x_4*y + 2*y^2 - 2*x_4 - y


In [13]:
# Affine system: the round polynomials plus the field equation fe for the key variable.
# The call logs every degree step (monomials, Macaulay matrix, Gaussian elimination)
# and the cell displays the list of polynomials it returns.
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2 - x_1 - 2*y - 1, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 2*x_1 - x_2 + 2*y - 2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - x_4 + 2*y + 2, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2 - x_4*y + 2*y^2 - 2*x_4 - y, y^5 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005884170532226562
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 7.367134094238281e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.00072479248046875
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 4.76837158203125e-05
Is Groebner Basis: False

--- Degree 2 ---
Computing a

[y^2 + 2*y, x_1 + 2*y + 1, x_2 - 2*y - 1, x_3 - 2*y - 2, x_4 + 2*y]

In [14]:
# Same degree-by-degree computation on the homogenized system: polys_h plus the
# homogenized field equation fe_h.
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y, h over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2*h - x_1*h^2 - 2*y*h^2 - h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + x_1^2*h + 2*x_1*y*h + y^2*h + 2*x_1*h^2 - x_2*h^2 + 2*y*h^2 - 2*h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 2*x_2*h^2 - x_3*h^2 + 2*y*h^2 - 2*h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2*h - 2*x_3*y*h - y^2*h + 2*x_3*h^2 - x_4*h^2 + 2*y*h^2 + 2*h^3, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2*h - x_4*y*h + 2*y^2*h - 2*x_4*h^2 - y*h^2, y^5 - y*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005755424499511719
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 7.343292236328125e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0010485649108886719
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian E

[x_2*h^13 - 2*y*h^13 - h^14,
 x_4*h^13 + 2*y*h^13,
 x_4^2*h^11 + x_4*h^12,
 y^2*h^11 - x_4*h^12,
 x_2*x_4*h^10 - 2*x_3*x_4*h^10 + x_2*h^11 + x_4*h^11 + 2*y*h^11 - h^12,
 x_4*y*h^10 + y*h^11,
 x_3*h^11 - x_4*h^11 + y*h^11 - 2*h^12,
 x_4*y^2*h^8 - 2*x_4*y*h^9 + y^2*h^9 - 2*y*h^10,
 x_2*x_3*h^9 + x_2*h^10 + x_3*h^10 - 2*y*h^10,
 x_3^2*h^9 - y^2*h^9 + 2*x_3*h^10 - y*h^10 + 2*h^11,
 x_1*x_3*h^8 - y^2*h^8 - x_2*h^9 + 2*x_3*h^9 - y*h^9 - h^10,
 x_3*y*h^8 + y^2*h^8 - y*h^9,
 x_1*h^9 + x_2*h^9 - 2*x_3*h^9 - y*h^9 - h^10,
 x_3*y^2*h^6 - 2*x_3*y*h^7 + x_1*h^8 - y*h^8 + h^9,
 x_2^2*h^7 - 2*x_1*h^8 + x_2*h^8 - 2*y*h^8 + h^9,
 x_1*x_2*h^6 + 2*x_1*h^7 - 2*x_2*h^7 - y*h^7,
 x_2*y*h^6 - x_1*h^7 + 2*x_2*h^7 + 2*y*h^7 + 2*h^8,
 x_2*y^2*h^4 - 2*x_2*y*h^5 - 2*y^2*h^5 - y*h^6,
 x_1*y*h^5 + y^2*h^5 + x_1*h^6 - 2*x_2*h^6 - 2*h^7,
 x_1^2*h^4 - y^2*h^4 + 2*y*h^5 - h^6,
 x_1*y^2*h^2 - 2*x_1*y*h^3 + x_1*h^4 - y*h^4 + h^5,
 x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + x_1^2*h + 2*x_1*y*h - y^2*h - 2*x_1*h^2 - x_2*h^2 - y*h^2 -

In [15]:
# Minimal graded free resolution of the ideal generated by the homogenized system.
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
# Bare name as last expression: the notebook displays the resolution.
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-5) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-14) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-16)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16) <-- S(-15)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17) <-- S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-18) <-- 0

In [16]:
# Regularity value computed from the resolution `res`. cm_regularity is not defined in
# this notebook (presumably it comes from utilities.sage; by its name, the
# Castelnuovo-Mumford regularity). TODO confirm.
cm_regularity(res)

14

## p = 5, r = 6

In [17]:
# Instance parameters for this section.
p = 5
rounds = 6
field = GF(p, "a")

# Building the cipher prints the "MiMC Parameters" summary (field, r, constants).
mimc = MiMC(field=field, rounds=rounds)
print()

# One plaintext/ciphertext pair under a random key.
# NOTE(review): no seed is set in the visible cells, so a re-run draws a different
# instance than the one recorded in the output.
plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

# Polynomial model of the cipher for the known pair (plain, cipher).
polys = mimc.generate_polynomials(plain, cipher, info_level=0)
variables = polys[0].parent().gens()
I = ideal(polys)

# Field equation v^q - v for the last ring variable (the key variable y), q = |field|.
fe = variables[-1] ** field.order() - variables[-1]

# Homogenized copies of the system and of the field equation.
polys_h = [f.homogenize() for f in polys]
fe_h = fe.homogenize()

print()
for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 6
Constants: [2, 2, 2, 0, 3, 0]

Plain: 3
Key: 2
Cipher: 0

y^3 - x_1
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 2*x_1 - x_2 + 2*y - 2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_4
x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 - x_4^2 - 2*x_4*y - y^2 + 2*x_4 - x_5 + 2*y + 2
x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 + y


In [18]:
# Affine system: the round polynomials plus the field equation fe for the key variable.
# The call logs every degree step (monomials, Macaulay matrix, Gaussian elimination)
# and the cell displays the list of polynomials it returns.
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y over Finite Field of size 5
Input polynomials:
[y^3 - x_1, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 2*x_1 - x_2 + 2*y - 2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_4, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 - x_4^2 - 2*x_4*y - y^2 + 2*x_4 - x_5 + 2*y + 2, x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 + y, y^5 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0009353160858154297
Computing Macaulay matrix.
Time needed: 2.384185791015625e-06
Performing Gaussian Elimination.
Time needed: 0.00019431114196777344
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0014443397521972656
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 8.487701416015625e-05
Is Groebner Basis: False

--- Degree 2 ---
Computing al

[x_1 + 2, x_2 + 2, x_3 + 2, x_4, x_5, y - 2]

In [19]:
# Same degree-by-degree computation on the homogenized system: polys_h plus the
# homogenized field equation fe_h.
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y, h over Finite Field of size 5
Input polynomials:
[y^3 - x_1*h^2, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + x_1^2*h + 2*x_1*y*h + y^2*h + 2*x_1*h^2 - x_2*h^2 + 2*y*h^2 - 2*h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 2*x_2*h^2 - x_3*h^2 + 2*y*h^2 - 2*h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_4*h^2, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 - x_4^2*h - 2*x_4*y*h - y^2*h + 2*x_4*h^2 - x_5*h^2 + 2*y*h^2 + 2*h^3, x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 + y*h^2, y^5 - y*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0009028911590576172
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian Elimination.
Time needed: 0.00010228157043457031
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.026918888092041016
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian Elimination.
Time needed

[x_2*h^15 + 2*h^16,
 x_4*h^15,
 x_5*h^15,
 y*h^15 - 2*h^16,
 x_4*x_5^2*h^12 - x_2*h^14 - 2*x_4*h^14 - x_5*h^14 - 2*h^15,
 x_4*x_5*h^13 - 2*x_4*h^14,
 x_5^2*h^13 + x_2*h^14 - x_4*h^14 + x_5*h^14 - 2*y*h^14 + h^15,
 x_2*x_5*h^12 - 2*x_4*x_5*h^12 + 2*x_2*h^13 - 2*x_4*h^13 + 2*x_5*h^13 - h^14,
 x_5*y*h^12 - x_2*h^13 + 2*x_4*h^13 + x_5*h^13 + y*h^13 + h^14,
 y^2*h^12 + x_2*h^13 + x_4*h^13 + x_5*h^13 - y*h^13,
 x_5*y^2*h^10 + y^2*h^11 + 2*x_2*h^12 + 2*x_4*h^12 - x_5*h^12 + 2*y*h^12 + h^13,
 x_4^2*h^11 + x_4*h^12,
 x_2*x_4*h^10 - 2*x_3*x_4*h^10 + 2*x_4*h^11,
 x_4*y*h^10 - x_4*h^11,
 x_3*h^11 - x_4*h^11 + y*h^11,
 x_4*y^2*h^8 - x_4*h^10,
 x_2*x_3*h^9 - x_2*h^10 - x_3*h^10 + 2*y*h^10 - 2*h^11,
 x_3^2*h^9 - y^2*h^9 - 2*x_3*h^10 - 2*y*h^10,
 x_1*x_3*h^8 - y^2*h^8 + x_2*h^9 - 2*x_3*h^9 - 2*y*h^9 + 2*h^10,
 x_3*y*h^8 + y^2*h^8 - x_3*h^9 - y*h^9,
 x_1*h^9 + x_2*h^9 - 2*x_3*h^9 - y*h^9 + 2*h^10,
 x_3*y^2*h^6 + x_1*h^8 - x_3*h^8 - y*h^8,
 x_2^2*h^7 + 2*x_1*h^8 - x_2*h^8 + 2*y*h^8 - h^9,
 x_1*x_2*h^6 -

In [20]:
# Minimal graded free resolution of the ideal generated by the homogenized system.
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
# Bare name as last expression: the notebook displays the resolution.
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-5) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-17) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S

In [21]:
# Regularity value computed from the resolution `res`. cm_regularity is not defined in
# this notebook (presumably it comes from utilities.sage; by its name, the
# Castelnuovo-Mumford regularity). TODO confirm.
cm_regularity(res)

16

## p = 11, r = 3

In [22]:
# Instance parameters for this section.
p = 11
rounds = 3
field = GF(p, "a")

# Building the cipher prints the "MiMC Parameters" summary (field, r, constants).
mimc = MiMC(field=field, rounds=rounds)
print()

# One plaintext/ciphertext pair under a random key.
# NOTE(review): no seed is set in the visible cells, so a re-run draws a different
# instance than the one recorded in the output.
plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

# Polynomial model of the cipher for the known pair (plain, cipher).
polys = mimc.generate_polynomials(plain, cipher, info_level=0)
variables = polys[0].parent().gens()
I = ideal(polys)

# Field equation v^q - v for the last ring variable (the key variable y), q = |field|.
fe = variables[-1] ** field.order() - variables[-1]

# Homogenized copies of the system and of the field equation.
polys_h = [f.homogenize() for f in polys]
fe_h = fe.homogenize()

print()
for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 3
Constants: [7, 5, 7]

Plain: 3
Key: 8
Cipher: 5

y^3 - 3*y^2 - x_1 + 3*y - 1
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 4*x_1^2 - 3*x_1*y + 4*y^2 - 2*x_1 - x_2 - 2*y + 4
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 4*x_2 + 5*y - 3


In [23]:
# Affine system: the round polynomials plus the field equation fe for the key variable.
# The call logs every degree step (monomials, Macaulay matrix, Gaussian elimination)
# and the cell displays the list of polynomials it returns.
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, y over Finite Field of size 11
Input polynomials:
[y^3 - 3*y^2 - x_1 + 3*y - 1, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 4*x_1^2 - 3*x_1*y + 4*y^2 - 2*x_1 - x_2 - 2*y + 4, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 4*x_2 + 5*y - 3, y^11 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0008227825164794922
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian Elimination.
Time needed: 0.00018596649169921875
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0013759136199951172
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 0.00019621849060058594
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0012583732604980469
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time nee

[y^2 + 4*y + 3, x_1 + 5*y + 2, x_2 - 2*y - 4]

In [24]:
# Same degree-by-degree computation on the homogenized system: polys_h plus the
# homogenized field equation fe_h.
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, y, h over Finite Field of size 11
Input polynomials:
[y^3 - 3*y^2*h - x_1*h^2 + 3*y*h^2 - h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 4*x_1^2*h - 3*x_1*y*h + 4*y^2*h - 2*x_1*h^2 - x_2*h^2 - 2*y*h^2 + 4*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2*h - 2*x_2*y*h - y^2*h + 4*x_2*h^2 + 5*y*h^2 - 3*h^3, y^11 - y*h^10]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0011796951293945312
Computing Macaulay matrix.
Time needed: 3.814697265625e-06
Performing Gaussian Elimination.
Time needed: 0.00014138221740722656
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0026679039001464844
Computing Macaulay matrix.
Time needed: 3.5762786865234375e-06
Performing Gaussian Elimination.
Time needed: 0.0003256797790527344
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.003351449966430664
Computing Macaulay matrix.
Time needed: 1.90734

[x_1*h^15 + 5*y*h^15 + 2*h^16,
 x_2*h^15 - 2*y*h^15 - 4*h^16,
 x_1^2*h^13 + 2*x_2*h^14 - y*h^14 - 3*h^15,
 x_1*x_2*h^13 - 3*x_1*h^14 + x_2*h^14 + h^15,
 x_2^2*h^13 + 5*x_1*h^14 + x_2*h^14 + y*h^14 + 2*h^15,
 x_1*y*h^13 + 4*x_1*h^14 + 5*x_2*h^14 + 3*y*h^14 - 5*h^15,
 x_2*y*h^13 - 5*x_1*h^14 + x_2*h^14 - y*h^14 + 3*h^15,
 y^2*h^13 + 2*x_1*h^14 - 4*x_2*h^14 + h^15,
 x_1*x_2^2*h^11 + x_1^2*h^12 - 3*x_1*x_2*h^12 - 3*x_2^2*h^12 - 5*x_1*y*h^12 + 4*x_2*y*h^12 - 3*x_1*h^13 - x_2*h^13 - y*h^13 + h^14,
 x_2^2*y*h^11 - 5*x_1^2*h^12 - 5*x_1*x_2*h^12 - 5*x_2^2*h^12 + 2*x_1*y*h^12 + 5*x_2*y*h^12 - 2*y^2*h^12 + 5*x_1*h^13 + 5*x_2*h^13 - 3*y*h^13 + h^14,
 x_1*y^2*h^11 + 5*x_1^2*h^12 - x_1*x_2*h^12 + 4*x_2^2*h^12 - 4*x_1*y*h^12 + 2*x_2*y*h^12 + 3*y^2*h^12 + 5*x_1*h^13 - 4*y*h^13,
 x_2*y^2*h^11 - 2*x_1^2*h^12 + x_1*x_2*h^12 - x_2^2*h^12 - 5*x_1*y*h^12 - x_2*y*h^12 + 4*y^2*h^12 - 2*x_1*h^13 + 3*x_2*h^13 - y*h^13 + 3*h^14,
 x_2^2*y^2*h^9 - x_1*x_2^2*h^10 + x_2^2*y*h^10 - 4*x_2*y^2*h^10 + 3*x_1*x_2*h^11 + 2

In [25]:
# Minimal graded free resolution of the ideal generated by the homogenized system.
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
# Bare name as last expression: the notebook displays the resolution.
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-11) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-16) <-- S(-9)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-18) <-- S(-18)⊕S(-19)⊕S(-19) <-- 0

In [26]:
# Regularity value computed from the resolution `res`. cm_regularity is not defined in
# this notebook (presumably it comes from utilities.sage; by its name, the
# Castelnuovo-Mumford regularity). TODO confirm.
cm_regularity(res)

16

## p = 11, r = 4

In [27]:
# Instance parameters for this section.
p = 11
rounds = 4
field = GF(p, "a")

# Building the cipher prints the "MiMC Parameters" summary (field, r, constants).
mimc = MiMC(field=field, rounds=rounds)
print()

# One plaintext/ciphertext pair under a random key.
# NOTE(review): no seed is set in the visible cells, so a re-run draws a different
# instance than the one recorded in the output.
plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

# Polynomial model of the cipher for the known pair (plain, cipher).
polys = mimc.generate_polynomials(plain, cipher, info_level=0)
variables = polys[0].parent().gens()
I = ideal(polys)

# Field equation v^q - v for the last ring variable (the key variable y), q = |field|.
fe = variables[-1] ** field.order() - variables[-1]

# Homogenized copies of the system and of the field equation.
polys_h = [f.homogenize() for f in polys]
fe_h = fe.homogenize()

print()
for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 4
Constants: [5, 5, 4, 8]

Plain: 10
Key: 5
Cipher: 8

y^3 + y^2 - x_1 + 4*y - 2
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 4*x_1^2 - 3*x_1*y + 4*y^2 - 2*x_1 - x_2 - 2*y + 4
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 4*x_2 - x_3 + 4*y - 2
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 2*x_3^2 + 4*x_3*y + 2*y^2 + 5*x_3 - 5*y - 2


In [28]:
# Affine system: the round polynomials plus the field equation fe for the key variable.
# The call logs every degree step (monomials, Macaulay matrix, Gaussian elimination)
# and the cell displays the list of polynomials it returns.
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y over Finite Field of size 11
Input polynomials:
[y^3 + y^2 - x_1 + 4*y - 2, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 4*x_1^2 - 3*x_1*y + 4*y^2 - 2*x_1 - x_2 - 2*y + 4, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 4*x_2 - x_3 + 4*y - 2, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 2*x_3^2 + 4*x_3*y + 2*y^2 + 5*x_3 - 5*y - 2, y^11 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0009434223175048828
Computing Macaulay matrix.
Time needed: 3.0994415283203125e-06
Performing Gaussian Elimination.
Time needed: 0.00010824203491210938
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.001524209976196289
Computing Macaulay matrix.
Time needed: 3.0994415283203125e-06
Performing Gaussian Elimination.
Time needed: 0.00012254714965820312
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.003299713134765625
Computing M

[x_1 - 3, x_2 + 3, x_3 + 4, y - 5]

In [29]:
# Same degree-by-degree computation on the homogenized system: polys_h plus the
# homogenized field equation fe_h.
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y, h over Finite Field of size 11
Input polynomials:
[y^3 + y^2*h - x_1*h^2 + 4*y*h^2 - 2*h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 4*x_1^2*h - 3*x_1*y*h + 4*y^2*h - 2*x_1*h^2 - x_2*h^2 - 2*y*h^2 + 4*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 4*x_2*h^2 - x_3*h^2 + 4*y*h^2 - 2*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 2*x_3^2*h + 4*x_3*y*h + 2*y^2*h + 5*x_3*h^2 - 5*y*h^2 - 2*h^3, y^11 - y*h^10]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0009253025054931641
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 8.344650268554688e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0013196468353271484
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian Elimination.
Time needed: 0.003498554229736328
Is Groebner Basis: False

--- Degree 2 ---
Comput

[x_1*h^17 - 3*h^18,
 x_2*h^17 + 3*h^18,
 x_3*h^17 + 4*h^18,
 y*h^17 - 5*h^18,
 x_2*x_3^2*h^14 - 2*x_1*h^16 - 5*x_2*h^16 - 2*x_3*h^16 - 5*y*h^16 + h^17,
 x_3^2*y*h^14 + 3*x_1*h^16 + 3*x_2*h^16 - 3*y*h^16 + h^17,
 x_1*x_3*h^15 + x_1*h^16 + x_2*h^16 + 4*x_3*h^16 + 2*y*h^16 - 4*h^17,
 x_2*x_3*h^15 - 4*x_2*h^16 - 3*x_3*h^16 - y*h^16 + 2*h^17,
 x_3^2*h^15 + 5*x_1*h^16 + 5*x_2*h^16 + 4*x_3*h^16,
 x_1*y*h^15 - 3*x_2*h^16 + 2*x_3*h^16 + 5*y*h^16 + 3*h^17,
 x_2*y*h^15 + 5*x_1*h^16 - 2*x_2*h^16 + 2*x_3*h^16 - 3*y*h^16 - 5*h^17,
 x_3*y*h^15 - 5*x_3*h^16 + y*h^16 - 5*h^17,
 y^2*h^15 + 3*x_1*h^16 - x_2*h^16 - 5*x_3*h^16 + 2*y*h^16 - h^17,
 x_2^2*x_3^2*h^12 - 5*x_2*x_3^2*y*h^12 + 4*x_2*x_3^2*h^13 + 4*x_3^2*y*h^13 - 3*x_1*x_3*h^14 + 2*x_2*x_3*h^14 + 2*x_3^2*h^14 - 4*x_1*y*h^14 - 5*x_2*y*h^14 - x_3*y*h^14 - 5*y^2*h^14 + 5*x_1*h^15 + 3*x_2*h^15 - 3*x_3*h^15 + 3*y*h^15,
 x_2^2*x_3*h^13 - 4*x_1*x_3*h^14 + 5*x_2*x_3*h^14 + 5*x_3^2*h^14 - 5*x_2*y*h^14 - y^2*h^14 - 5*x_1*h^15 - 5*x_2*h^15 - 2*x_3*h^15 + 2*y*

In [30]:
# Minimal graded free resolution of the ideal generated by the homogenized system.
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
# Bare name as last expression: the notebook displays the resolution.
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-11) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-19) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20) <-- S(-12)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21) <-- S(-22)⊕S(-22)⊕S(-22)⊕S(-22) <-- 0

In [31]:
# Regularity value computed from the resolution `res`. cm_regularity is not defined in
# this notebook (presumably it comes from utilities.sage; by its name, the
# Castelnuovo-Mumford regularity). TODO confirm.
cm_regularity(res)

18

## p = 11, r = 5

In [32]:
# Instance parameters for this section.
p = 11
rounds = 5
field = GF(p, "a")

# Building the cipher prints the "MiMC Parameters" summary (field, r, constants).
mimc = MiMC(field=field, rounds=rounds)
print()

# One plaintext/ciphertext pair under a random key.
# NOTE(review): no seed is set in the visible cells, so a re-run draws a different
# instance than the one recorded in the output.
plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

# Polynomial model of the cipher for the known pair (plain, cipher).
polys = mimc.generate_polynomials(plain, cipher, info_level=0)
variables = polys[0].parent().gens()
I = ideal(polys)

# Field equation v^q - v for the last ring variable (the key variable y), q = |field|.
fe = variables[-1] ** field.order() - variables[-1]

# Homogenized copies of the system and of the field equation.
polys_h = [f.homogenize() for f in polys]
fe_h = fe.homogenize()

print()
for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 5
Constants: [10, 6, 2, 2, 6]

Plain: 2
Key: 4
Cipher: 0

y^3 + 3*y^2 - x_1 + 3*y + 1
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 4*x_1^2 + 3*x_1*y - 4*y^2 - 2*x_1 - x_2 - 2*y - 4
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 5*x_2^2 + x_2*y - 5*y^2 + x_2 - x_3 + y - 3
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 5*x_3^2 + x_3*y - 5*y^2 + x_3 - x_4 + y - 3
x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 4*x_4^2 + 3*x_4*y - 4*y^2 - 2*x_4 - y - 4


In [33]:
# Affine system: the round polynomials plus the field equation fe for the key variable.
# The call logs every degree step (monomials, Macaulay matrix, Gaussian elimination)
# and the cell displays the list of polynomials it returns.
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y over Finite Field of size 11
Input polynomials:
[y^3 + 3*y^2 - x_1 + 3*y + 1, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 4*x_1^2 + 3*x_1*y - 4*y^2 - 2*x_1 - x_2 - 2*y - 4, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 5*x_2^2 + x_2*y - 5*y^2 + x_2 - x_3 + y - 3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 5*x_3^2 + x_3*y - 5*y^2 + x_3 - x_4 + y - 3, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 4*x_4^2 + 3*x_4*y - 4*y^2 - 2*x_4 - y - 4, y^11 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0007073879241943359
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 0.00011277198791503906
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0010161399841308594
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian Elimination.
Time needed: 8.344650268554688e-05
Is Groebner Basis: False

--- Degree 2 ---
Co

[x_1 - 4, x_2 - 5, x_3, x_4 + 4, y - 4]

In [34]:
# Same degree-by-degree computation on the homogenized system: polys_h plus the
# homogenized field equation fe_h.
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y, h over Finite Field of size 11
Input polynomials:
[y^3 + 3*y^2*h - x_1*h^2 + 3*y*h^2 + h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 4*x_1^2*h + 3*x_1*y*h - 4*y^2*h - 2*x_1*h^2 - x_2*h^2 - 2*y*h^2 - 4*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 5*x_2^2*h + x_2*y*h - 5*y^2*h + x_2*h^2 - x_3*h^2 + y*h^2 - 3*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 5*x_3^2*h + x_3*y*h - 5*y^2*h + x_3*h^2 - x_4*h^2 + y*h^2 - 3*h^3, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 4*x_4^2*h + 3*x_4*y*h - 4*y^2*h - 2*x_4*h^2 - y*h^2 - 4*h^3, y^11 - y*h^10]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0012848377227783203
Computing Macaulay matrix.
Time needed: 3.0994415283203125e-06
Performing Gaussian Elimination.
Time needed: 0.0002033710479736328
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0243985652923584
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing

[x_1*h^19 - 4*h^20,
 x_2*h^19 - 5*h^20,
 x_3*h^19,
 x_4*h^19 + 4*h^20,
 y*h^19 - 4*h^20,
 x_3*x_4^2*h^16 + 4*x_1*h^18 + 4*x_2*h^18 - 3*x_3*h^18 + 2*x_4*h^18 - 3*y*h^18 - 5*h^19,
 x_4^2*y*h^16 - x_1*h^18 + 4*x_2*h^18 - 4*x_3*h^18 - 3*x_4*h^18 - y*h^18,
 x_3*x_4*h^17 - 2*x_1*h^18 - 2*x_2*h^18 - 4*x_3*h^18 - 2*x_4*h^18 - h^19,
 x_4^2*h^17 - 4*x_2*h^18 - 3*x_3*h^18 - 2*x_4*h^18 + 5*y*h^18 - 2*h^19,
 x_1*y*h^17 - 5*x_1*h^18 - 3*x_2*h^18 - 5*x_3*h^18 - 4*x_4*h^18 + 5*y*h^18 + 5*h^19,
 x_2*y*h^17 - 5*x_1*h^18 - x_2*h^18 - 5*x_3*h^18 - x_4*h^18 + 2*y*h^18 + 4*h^19,
 x_3*y*h^17 + 2*x_1*h^18 + 5*x_3*h^18 - 5*x_4*h^18 - 2*y*h^18 + 2*h^19,
 x_4*y*h^17 + 2*x_1*h^18 + x_2*h^18 + 3*x_3*h^18 - 5*x_4*h^18 + 4*y*h^18,
 y^2*h^17 + 5*x_1*h^18 + 4*x_2*h^18 - 4*x_3*h^18 + 3*x_4*h^18 + 5*y*h^18 + 2*h^19,
 x_3^2*x_4*h^15 + 2*x_3*x_4*h^16 + 2*x_1*y*h^16 + 3*x_2*y*h^16 - 4*x_3*y*h^16 - x_1*h^17 - 3*x_2*h^17 - 5*x_3*h^17 - y*h^17 - 3*h^18,
 x_1*x_4^2*h^15 - 3*x_4^2*y*h^15 + 3*x_3*x_4*h^16 + x_4^2*h^16 + 5*x_1*y*

In [35]:
# Minimal graded free resolution of the ideal generated by the homogenized system.
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
# Bare name as last expression: the notebook displays the resolution.
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-11) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-21) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23) <-- S(-15)⊕S(-24)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24) <-- S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25) <-- 0

In [36]:
# Regularity value computed from the resolution `res`. cm_regularity is not defined in
# this notebook (presumably it comes from utilities.sage; by its name, the
# Castelnuovo-Mumford regularity). TODO confirm.
cm_regularity(res)

20

## p = 11, r = 6

In [37]:
# Instance parameters for this section.
p = 11
rounds = 6
field = GF(p, "a")

# Building the cipher prints the "MiMC Parameters" summary (field, r, constants).
mimc = MiMC(field=field, rounds=rounds)
print()

# One plaintext/ciphertext pair under a random key.
# NOTE(review): no seed is set in the visible cells, so a re-run draws a different
# instance than the one recorded in the output.
plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

# Polynomial model of the cipher for the known pair (plain, cipher).
polys = mimc.generate_polynomials(plain, cipher, info_level=0)
variables = polys[0].parent().gens()
I = ideal(polys)

# Field equation v^q - v for the last ring variable (the key variable y), q = |field|.
fe = variables[-1] ** field.order() - variables[-1]

# Homogenized copies of the system and of the field equation.
polys_h = [f.homogenize() for f in polys]
fe_h = fe.homogenize()

print()
for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 6
Constants: [9, 0, 8, 7, 4, 5]

Plain: 1
Key: 6
Cipher: 0

y^3 - 3*y^2 - x_1 + 3*y - 1
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - x_2
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 2*x_2^2 + 4*x_2*y + 2*y^2 + 5*x_2 - x_3 + 5*y - 5
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 4*x_3 - x_4 + 4*y + 2
x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + x_4^2 + 2*x_4*y + y^2 + 4*x_4 - x_5 + 4*y - 2
x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 + 4*x_5^2 - 3*x_5*y + 4*y^2 - 2*x_5 - y + 4


In [38]:
# Affine system: the round polynomials plus the field equation fe for the key variable.
# The call logs every degree step (monomials, Macaulay matrix, Gaussian elimination)
# and the cell displays the list of polynomials it returns.
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y over Finite Field of size 11
Input polynomials:
[y^3 - 3*y^2 - x_1 + 3*y - 1, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - x_2, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 2*x_2^2 + 4*x_2*y + 2*y^2 + 5*x_2 - x_3 + 5*y - 5, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 4*x_3 - x_4 + 4*y + 2, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + x_4^2 + 2*x_4*y + y^2 + 4*x_4 - x_5 + 4*y - 2, x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 + 4*x_5^2 - 3*x_5*y + 4*y^2 - 2*x_5 - y + 4, y^11 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0007939338684082031
Computing Macaulay matrix.
Time needed: 2.1457672119140625e-06
Performing Gaussian Elimination.
Time needed: 0.00015616416931152344
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.002012014389038086
Computing Macaulay matrix.
Time needed: 2.6226043701171875e-06
Performing Gaussian Elimination.
Time needed: 0.00012683868

[x_1 - 4, x_2 + 1, x_3 + 3, x_4 + 1, x_5 - 3, y + 5]

In [39]:
# Minimal graded free resolution of the ideal generated by the homogenized system.
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
# Bare name as last expression: the notebook displays the resolution.
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-11) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-23) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-26)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-26)⊕S(-26)⊕S(-26)⊕S

In [40]:
# Regularity value computed from the resolution `res`. cm_regularity is not defined in
# this notebook (presumably it comes from utilities.sage; by its name, the
# Castelnuovo-Mumford regularity). TODO confirm.
cm_regularity(res)

22