# MiMC Solving Degree For Attack With One Field Equation Remainder
Empirical solving degree for increasing round numbers of MiMC together the remainder of the field equation for the key variable.

Primes: $p \in \{ 5, 11 \}$.

Round numbers: $r \in \{ 3, 4, 5, 6 \}$.

In [1]:
from lazard_gb_algorithm import *
load("MiMC.sage")
load("utilities.sage")

## p = 5, r = 3

In [2]:
p = 5
field = GF(p, "a")

rounds = 3

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 3
Constants: [1, 0, 3]

Plain: 0
Key: 3
Cipher: 2

y^3 - 2*y^2 - x_1 - 2*y + 1
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 2*x_2 - 2*y


In [3]:
highest_degree_component(fe)

x_1*y^2

In [4]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, y over Finite Field of size 5
Input polynomials:
[y^3 - 2*y^2 - x_1 - 2*y + 1, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 2*x_2 - 2*y, x_1*y^2 + 2*x_1*y + x_1 - y - 1]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.10952138900756836
Computing Macaulay matrix.
Time needed: 2.86102294921875e-06
Performing Gaussian Elimination.
Time needed: 0.0005042552947998047
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.036556243896484375
Computing Macaulay matrix.
Time needed: 2.86102294921875e-06
Performing Gaussian Elimination.
Time needed: 0.0003864765167236328
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.002573251724243164
Computing Macaulay matrix.
Time needed: 2.1457672119140625e-06
Performing Gaussian Elimination.
Time needed: 0.00031685829162597656
Is Groe

[x_1 + 1, x_2 + 2, y + 2]

In [5]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, y, h over Finite Field of size 5
Input polynomials:
[y^3 - 2*y^2*h - x_1*h^2 - 2*y*h^2 + h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_2*h^2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_2^2*h - 2*x_2*y*h - y^2*h + 2*x_2*h^2 - 2*y*h^2, x_1*y^2 + 2*x_1*y*h + x_1*h^2 - y*h^2 - h^3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0012934207916259766
Computing Macaulay matrix.
Time needed: 5.0067901611328125e-06
Performing Gaussian Elimination.
Time needed: 0.0002346038818359375
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0018780231475830078
Computing Macaulay matrix.
Time needed: 3.5762786865234375e-06
Performing Gaussian Elimination.
Time needed: 0.0004246234893798828
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0016741752624511719
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian Elimin

[x_1*h^7 + h^8,
 x_2*h^7 + 2*h^8,
 y*h^7 + 2*h^8,
 x_2^2*h^5 - 2*x_1*h^6 + 2*x_2*h^6 - 2*y*h^6 - h^7,
 y^2*h^5 + 2*x_1*h^6 + x_2*h^6 + y*h^6 + 2*h^7,
 x_1*x_2*h^4 - 2*x_1*h^5 + 2*x_2*h^5 + 2*y*h^5 - h^6,
 x_2*y*h^4 + 2*x_1*h^5 - 2*x_2*h^5 - 2*y*h^5,
 x_2*y^2*h^2 + 2*x_2*y*h^3 + y^2*h^3 + 2*y*h^4,
 x_1*y*h^3 + y^2*h^3 - x_1*h^4 + x_2*h^4,
 x_1^2*h^2 - y^2*h^2 - 2*y*h^3 - h^4,
 x_1^3 - 2*x_1^2*y - x_1*y*h + 2*y^2*h - 2*x_1*h^2 - x_2*h^2 + 2*h^3,
 x_2^3 - 2*x_2^2*y - 2*x_2*y^2 - x_2^2*h - 2*x_2*y*h + y^2*h + x_1*h^2 + 2*x_2*h^2 - h^3,
 x_1*y^2 + 2*x_1*y*h + x_1*h^2 - y*h^2 - h^3,
 y^3 - 2*y^2*h - x_1*h^2 - 2*y*h^2 + h^3]

In [6]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-9) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-10)⊕S(-10)⊕S(-10) <-- S(-11)⊕S(-11)⊕S(-11) <-- 0

In [7]:
cm_regularity(res)

8

## p = 5, r = 4

In [8]:
p = 5
field = GF(p, "a")

rounds = 4

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 4
Constants: [1, 3, 0, 3]

Plain: 2
Key: 2
Cipher: 4

y^3 - y^2 - x_1 + 2*y + 2
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_3
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - 2*y - 2


In [9]:
highest_degree_component(fe)

x_1*y^2

In [10]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y over Finite Field of size 5
Input polynomials:
[y^3 - y^2 - x_1 + 2*y + 2, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - 2*y - 2, x_1*y^2 + x_1*y - x_1 - y + 2]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0008339881896972656
Computing Macaulay matrix.
Time needed: 2.6226043701171875e-06
Performing Gaussian Elimination.
Time needed: 0.0001327991485595703
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.002763032913208008
Computing Macaulay matrix.
Time needed: 3.337860107421875e-06
Performing Gaussian Elimination.
Time needed: 0.0001289844512939453
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.003940582275390625
Computing Macaulay matrix.
Time needed: 5.24

[x_1, x_2, x_3 + 2, y - 2]

In [11]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y, h over Finite Field of size 5
Input polynomials:
[y^3 - y^2*h - x_1*h^2 + 2*y*h^2 + 2*h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2*h - 2*x_1*y*h - y^2*h + 2*x_1*h^2 - x_2*h^2 + 2*y*h^2 + 2*h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - x_3*h^2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2*h - 2*x_3*y*h - y^2*h + 2*x_3*h^2 - 2*y*h^2 - 2*h^3, x_1*y^2 + x_1*y*h - x_1*h^2 - y*h^2 + 2*h^3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0007371902465820312
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 0.00012826919555664062
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.003947019577026367
Computing Macaulay matrix.
Time needed: 2.384185791015625e-06
Performing Gaussian Elimination.
Time needed: 0.00023818016052246094
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
T

[x_2*h^9,
 x_3*h^9 + 2*h^10,
 y*h^9 - 2*h^10,
 x_2*x_3^2*y*h^5 - 2*x_2*h^8 - x_3*h^8 + 2*y*h^8 - h^9,
 x_3*y*h^7 + x_3*h^8 + y*h^8 - h^9,
 x_2*x_3*h^6 - x_3*y*h^6 - 2*x_2*h^7 - 2*x_3*h^7 + y*h^7,
 x_3^2*h^6 - 2*x_2*h^7 - x_3*h^7 + 2*y*h^7,
 x_2*y*h^6 + 2*x_3*y*h^6 - x_2*h^7 - x_3*h^7 - 2*y*h^7,
 x_3*y^2*h^4 + x_2*y*h^5 + x_3*y*h^5 + x_2*h^6 + 2*x_3*h^6 - 2*y*h^6,
 y^2*h^5 + 2*x_2*h^6 - x_3*h^6 + 2*y*h^6,
 x_2^2*h^4 + 2*x_2*y*h^4 + x_2*h^5,
 x_2*y^2*h^2 + x_2*y*h^3 - 2*x_2*h^4,
 x_1*h^4 + x_2*h^4 + y*h^4 - 2*h^5,
 x_1^2*h^2 - y^2*h^2 - y*h^3 + h^4,
 x_1^3 - 2*x_1^2*y - x_1^2*h + x_1*h^2 - x_2*h^2 - 2*y*h^2 - h^3,
 x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^2*h + x_1*h^2 - x_3*h^2 - 2*y*h^2 - 2*h^3,
 x_3^3 - 2*x_3^2*y - 2*x_3*y^2 - x_3^2*h - 2*x_3*y*h + x_1*h^2 + 2*x_3*h^2 + y*h^2 + h^3,
 x_1*y^2 + x_1*y*h - x_1*h^2 - y*h^2 + 2*h^3,
 y^3 - y^2*h - x_1*h^2 + 2*y*h^2 + 2*h^3]

In [12]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-11) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13) <-- S(-14)⊕S(-14)⊕S(-14)⊕S(-14) <-- 0

In [13]:
cm_regularity(res)

10

## p = 5, r = 5

In [14]:
p = 5
field = GF(p, "a")

rounds = 5

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 5
Constants: [3, 3, 2, 1, 0]

Plain: 3
Key: 2
Cipher: 4

y^3 - 2*y^2 - x_1 - 2*y + 1
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - 2*x_3^2 + x_3*y - 2*y^2 - 2*x_3 - x_4 - 2*y + 1
x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + y + 1


In [15]:
highest_degree_component(fe)

x_1*y^2

In [16]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y over Finite Field of size 5
Input polynomials:
[y^3 - 2*y^2 - x_1 - 2*y + 1, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - 2*x_3^2 + x_3*y - 2*y^2 - 2*x_3 - x_4 - 2*y + 1, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + y + 1, x_1*y^2 + 2*x_1*y + x_1 - y - 1]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.001119375228881836
Computing Macaulay matrix.
Time needed: 7.3909759521484375e-06
Performing Gaussian Elimination.
Time needed: 0.00016427040100097656
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.010006189346313477
Computing Macaulay matrix.
Time needed: 5.7220458984375e-06
Performing Gaussian Elimination.
Time needed: 0.0001919269561767578
Is Groebner Basis: False

--- Degree 2 ---
Computing all mo

Time needed: 0.019537925720214844
Computing Macaulay matrix.
Time needed: 7.152557373046875e-06
Performing Gaussian Elimination.
Time needed: 0.009075641632080078
Is Groebner Basis: False

--- Degree 7 ---
Computing all monomials up to degree: 7
Time needed: 0.02256298065185547
Computing Macaulay matrix.
Time needed: 4.291534423828125e-06
Performing Gaussian Elimination.
Time needed: 0.029946565628051758
Is Groebner Basis: False

--- Degree 8 ---
Computing all monomials up to degree: 8
Time needed: 0.02459716796875
Computing Macaulay matrix.
Time needed: 4.76837158203125e-06
Performing Gaussian Elimination.
Time needed: 0.0961294174194336
Is Groebner Basis: False

--- Degree 9 ---
Computing all monomials up to degree: 9
Time needed: 0.046665191650390625
Computing Macaulay matrix.
Time needed: 8.344650268554688e-06
Performing Gaussian Elimination.
Time needed: 0.3487088680267334
Is Groebner Basis: False

--- Degree 10 ---
Computing all monomials up to degree: 10
Time needed: 0.087687015

[x_1 - 2, x_2 + 2, x_3 + 2, x_4 - 1, y - 2]

In [17]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y, h over Finite Field of size 5
Input polynomials:
[y^3 - 2*y^2*h - x_1*h^2 - 2*y*h^2 + h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2*h - 2*x_1*y*h - y^2*h + 2*x_1*h^2 - x_2*h^2 + 2*y*h^2 + 2*h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 2*x_2*h^2 - x_3*h^2 + 2*y*h^2 - 2*h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - 2*x_3^2*h + x_3*y*h - 2*y^2*h - 2*x_3*h^2 - x_4*h^2 - 2*y*h^2 + h^3, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + y*h^2 + h^3, x_1*y^2 + 2*x_1*y*h + x_1*h^2 - y*h^2 - h^3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0009281635284423828
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 0.00012230873107910156
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0020766258239746094
Computing Macaulay matrix.
Time needed: 4.0531158447265625e-06
Performing Gaussian Elimi

[x_2*h^11 + 2*h^12,
 x_3*h^11 + 2*h^12,
 x_4*h^11 - h^12,
 y*h^11 - 2*h^12,
 x_3*x_4*h^9 - x_2*h^10 + 2*x_3*h^10 - x_4*h^10 - y*h^10 + 2*h^11,
 x_4^2*h^9 - x_2*h^10 + 2*x_3*h^10 + x_4*h^10,
 x_1*x_4*h^8 - 2*x_2*h^9 + 2*x_3*h^9 - x_4*h^9 - y*h^9 + h^10,
 x_2*x_4*h^8 - 2*x_3*x_4*h^8 - x_2*h^9 + x_3*h^9 + x_4*h^9 - y*h^9 - h^10,
 x_4*y*h^8 + x_2*h^9 - 2*x_3*h^9 + 2*x_4*h^9 + y*h^9 + 2*h^10,
 x_1*h^9 - 2*x_2*h^9 - x_4*h^9,
 x_2*x_3^2*h^6 - x_2*x_4*h^7 + 2*x_3*x_4*h^7 + x_4*y*h^7 - x_1*h^8 + 2*x_2*h^8 - 2*x_3*h^8 + 2*x_4*h^8 + y*h^8 + h^9,
 x_2*x_3*h^7 - 2*x_1*h^8 - 2*x_2*h^8 + 2*x_3*h^8 - 2*y*h^8 - h^9,
 x_3^2*h^7 - x_1*h^8 + 2*x_3*h^8 + 2*y*h^8 - 2*h^9,
 x_1*x_3*h^6 + 2*x_2*h^7 + x_3*h^7,
 x_3*y*h^6 + x_1*h^7 - x_2*h^7 + y*h^7 - 2*h^8,
 y^2*h^6 - x_2*h^7 + 2*x_3*h^7 - 2*y*h^7 + 2*h^8,
 x_3*y^2*h^4 + 2*x_3*y*h^5 - x_1*h^6 - x_2*h^6 - 2*y*h^6,
 x_2^2*h^5 + 2*x_1*h^6 - x_2*h^6 + 2*y*h^6 + h^7,
 x_1*x_2*h^4 - 2*x_1*h^5 + 2*x_2*h^5 + y*h^5,
 x_2*y*h^4 + x_1*h^5 - 2*x_2*h^5 - 2*y*h^5 + 2*h^6,
 

In [18]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-13) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16) <-- S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17) <-- 0

In [19]:
cm_regularity(res)

12

## p = 5, r = 6

In [20]:
p = 5
field = GF(p, "a")

rounds = 6

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 6
Constants: [0, 2, 4, 0, 0, 3]

Plain: 3
Key: 0
Cipher: 0

y^3 - y^2 - x_1 + 2*y + 2
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 2*x_1 - x_2 + 2*y - 2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + 2*x_2^2 - x_2*y + 2*y^2 - 2*x_2 - x_3 - 2*y - 1
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_4
x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 - x_5
x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 - x_5^2 - 2*x_5*y - y^2 + 2*x_5 - 2*y + 2


In [21]:
highest_degree_component(fe)

x_1*y^2

In [22]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y over Finite Field of size 5
Input polynomials:
[y^3 - y^2 - x_1 + 2*y + 2, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 2*x_1 - x_2 + 2*y - 2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + 2*x_2^2 - x_2*y + 2*y^2 - 2*x_2 - x_3 - 2*y - 1, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_4, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 - x_5, x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 - x_5^2 - 2*x_5*y - y^2 + 2*x_5 - 2*y + 2, x_1*y^2 + x_1*y - x_1 - y + 2]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0008211135864257812
Computing Macaulay matrix.
Time needed: 2.6226043701171875e-06
Performing Gaussian Elimination.
Time needed: 0.00014591217041015625
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0026319026947021484
Computing Macaulay matrix.
Time needed: 3.0994415283203125e-06
Performing Gaussian Elimination.
Time needed: 0.00010824203491210938
Is Groebner Basis

[y^2 + 2*y, x_1 + 2*y - 2, x_2 + y + 1, x_3 - 2, x_4 + y + 2, x_5 - 2]

In [23]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y, h over Finite Field of size 5
Input polynomials:
[y^3 - y^2*h - x_1*h^2 + 2*y*h^2 + 2*h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + x_1^2*h + 2*x_1*y*h + y^2*h + 2*x_1*h^2 - x_2*h^2 + 2*y*h^2 - 2*h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + 2*x_2^2*h - x_2*y*h + 2*y^2*h - 2*x_2*h^2 - x_3*h^2 - 2*y*h^2 - h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_4*h^2, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 - x_5*h^2, x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 - x_5^2*h - 2*x_5*y*h - y^2*h + 2*x_5*h^2 - 2*y*h^2 + 2*h^3, x_1*y^2 + x_1*y*h - x_1*h^2 - y*h^2 + 2*h^3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006115436553955078
Computing Macaulay matrix.
Time needed: 2.6226043701171875e-06
Performing Gaussian Elimination.
Time needed: 0.00012826919555664062
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0033752918243408203
Computing Macaulay matrix.
Time needed: 4.52995300

[x_1*h^13 + 2*y*h^13 - 2*h^14,
 x_5*h^13 - 2*h^14,
 x_5^2*h^11 + x_5*h^12 - h^13,
 y^2*h^11 - 2*x_1*h^12 - 2*y*h^12 - h^13,
 x_1*x_5*h^10 - y^2*h^10 - 2*x_5*h^11 + 2*y*h^11,
 x_5*y*h^10 + y^2*h^10 - 2*x_1*h^11 + y*h^11 - h^12,
 x_4*h^11 + x_5*h^11 + y*h^11,
 x_5*y^2*h^8 + x_5*y*h^9 + x_1*h^10 - 2*x_5*h^10 - y*h^10 + 2*h^11,
 x_4^2*h^9 - 2*x_1*h^10 - x_4*h^10 - 2*y*h^10 - 2*h^11,
 x_1*x_4*h^8 - x_1*h^9 + 2*x_4*h^9 + 2*y*h^9,
 x_4*y*h^8 + 2*x_1*h^9 - y*h^9 + h^10,
 x_3*h^9 + x_4*h^9 + y*h^9,
 x_4*y^2*h^6 + x_4*y*h^7 + 2*y^2*h^7 - 2*x_4*h^8 + 2*y*h^8 + h^9,
 x_3^2*h^7 - y^2*h^7 + 2*x_1*h^8 + x_3*h^8 + 2*y*h^8,
 x_1*x_3*h^6 - y^2*h^6 - 2*x_3*h^7 + 2*y*h^7,
 x_3*y*h^6 + y^2*h^6 - 2*x_1*h^7 + y*h^7 - h^8,
 x_2*h^7 + x_3*h^7 + y*h^7 - h^8,
 x_3*y^2*h^4 + x_3*y*h^5 + x_1*h^6 - 2*x_3*h^6 - y*h^6 + 2*h^7,
 x_2^2*h^5 - 2*x_1*h^6 + 2*x_2*h^6 - 2*y*h^6,
 x_1*x_2*h^4 - 2*x_1*h^5 + 2*x_2*h^5 + 2*y*h^5 - 2*h^6,
 x_2*y*h^4 + 2*x_1*h^5 - 2*y*h^5 + h^6,
 x_2*y^2*h^2 + x_2*y*h^3 + y^2*h^3 - 2*x_2*h^4 + y*

In [24]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-14) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-16) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(

In [25]:
cm_regularity(res)

14

## p = 11, r = 3

In [26]:
p = 11
field = GF(p, "a")

rounds = 3

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 3
Constants: [8, 3, 2]

Plain: 1
Key: 0
Cipher: 3

y^3 + 5*y^2 - x_1 + y + 3
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 2*x_1^2 - 4*x_1*y - 2*y^2 + 5*x_1 - x_2 + 5*y + 5
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 5*x_2^2 + x_2*y - 5*y^2 + x_2 + 2*y + 5


In [27]:
highest_degree_component(fe)

-4*x_1^2*y^2

In [28]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, y over Finite Field of size 11
Input polynomials:
[y^3 + 5*y^2 - x_1 + y + 3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 2*x_1^2 - 4*x_1*y - 2*y^2 + 5*x_1 - x_2 + 5*y + 5, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 5*x_2^2 + x_2*y - 5*y^2 + x_2 + 2*y + 5, -4*x_1^2*y^2 - x_1*y^2 + x_2*y^2 - 2*x_1^2 + 2*x_1*y - 4*x_2*y - 3*y^2 - x_1 + x_2 + 5*y + 3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0015087127685546875
Computing Macaulay matrix.
Time needed: 5.7220458984375e-06
Performing Gaussian Elimination.
Time needed: 0.0004341602325439453
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0032329559326171875
Computing Macaulay matrix.
Time needed: 2.1457672119140625e-06
Performing Gaussian Elimination.
Time needed: 0.0004057884216308594
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.002318859100341797
Computing Macaulay matrix

[y^2 - 5*y, x_1 + 4*y - 3, x_2 + 2*y + 4]

In [29]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, y, h over Finite Field of size 11
Input polynomials:
[y^3 + 5*y^2*h - x_1*h^2 + y*h^2 + 3*h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 2*x_1^2*h - 4*x_1*y*h - 2*y^2*h + 5*x_1*h^2 - x_2*h^2 + 5*y*h^2 + 5*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 5*x_2^2*h + x_2*y*h - 5*y^2*h + x_2*h^2 + 2*y*h^2 + 5*h^3, -4*x_1^2*y^2 - x_1*y^2*h + x_2*y^2*h - 2*x_1^2*h^2 + 2*x_1*y*h^2 - 4*x_2*y*h^2 - 3*y^2*h^2 - x_1*h^3 + x_2*h^3 + 5*y*h^3 + 3*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0012044906616210938
Computing Macaulay matrix.
Time needed: 3.5762786865234375e-06
Performing Gaussian Elimination.
Time needed: 0.0002117156982421875
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.00238800048828125
Computing Macaulay matrix.
Time needed: 3.5762786865234375e-06
Performing Gaussian Elimination.
Time needed: 0.0003521442413330078
Is Groebner Basis: False

--- Degree 2 ---
Compu

[y^2*h^7 - 5*y*h^8,
 x_2*h^8 + 2*y*h^8 + 4*h^9,
 x_1^2*h^6 - 3*x_2*h^7 + 4*y*h^7 + h^8,
 x_1*x_2*h^6 + 3*y^2*h^6 - x_2*h^7 - y*h^7 - 3*h^8,
 x_2^2*h^6 + y^2*h^6 + 2*x_2*h^7 - 4*y*h^7 + 3*h^8,
 x_1*y*h^6 + 3*y^2*h^6 + 2*y*h^7,
 x_2*y*h^6 - 5*y^2*h^6 + 5*x_2*h^7 + 5*y*h^7 - 2*h^8,
 x_1*h^7 + 5*x_2*h^7 + 3*y*h^7 - 5*h^8,
 x_1*x_2^2*h^4 - 2*x_1^2*h^5 + 4*x_1*x_2*h^5 - 3*x_2^2*h^5 + 3*x_1*y*h^5 - 2*x_2*y*h^5 + 5*y^2*h^5 - 3*x_1*h^6 - 3*x_2*h^6 + 5*y*h^6 - 3*h^7,
 x_2^2*y*h^4 + x_1^2*h^5 - 2*x_1*x_2*h^5 + x_1*y*h^5 + 3*x_2*y*h^5 + 5*x_1*h^6 - 3*x_2*h^6 - 2*y*h^6 - 5*h^7,
 x_1*y^2*h^4 + 3*x_1^2*h^5 + 5*x_2^2*h^5 - 2*x_1*y*h^5 - 5*x_2*y*h^5 - 2*y^2*h^5 + 4*x_1*h^6 - x_2*h^6 - 2*y*h^6 - 2*h^7,
 x_2*y^2*h^4 - 4*x_1^2*h^5 - 3*x_1*x_2*h^5 - 3*x_2^2*h^5 + 5*x_1*y*h^5 - 2*y^2*h^5 - 2*x_1*h^6 - 5*x_2*h^6 + 2*y*h^6 + h^7,
 x_2^2*y^2*h^2 + x_1*x_2^2*h^3 + 4*x_2^2*y*h^3 + 4*x_2*y^2*h^3 + 3*x_1*x_2*h^4 + 3*x_2^2*h^4 + x_1*y*h^4 - 2*x_2*y*h^4 - 5*x_1*h^5 + 4*x_2*h^5 + 4*h^6,
 x_1^2*x_2*h^3 + 5*x_1*y^2*h^3

In [30]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-4) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-9) <-- S(-9)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-11) <-- S(-11)⊕S(-12)⊕S(-12) <-- 0

In [31]:
cm_regularity(res)

9

## p = 11, r = 4

In [32]:
p = 11
field = GF(p, "a")

rounds = 4

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 4
Constants: [1, 10, 7, 1]

Plain: 7
Key: 1
Cipher: 0

y^3 + 2*y^2 - x_1 + 5*y - 5
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 3*x_1^2 + 5*x_1*y - 3*y^2 + 3*x_1 - x_2 + 3*y - 1
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 4*x_2 - x_3 + 4*y + 2
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 3*x_3^2 - 5*x_3*y + 3*y^2 + 3*x_3 + 4*y + 1


In [33]:
highest_degree_component(fe)

5*x_1^2*y^2

In [34]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y over Finite Field of size 11
Input polynomials:
[y^3 + 2*y^2 - x_1 + 5*y - 5, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 3*x_1^2 + 5*x_1*y - 3*y^2 + 3*x_1 - x_2 + 3*y - 1, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2 - 2*x_2*y - y^2 + 4*x_2 - x_3 + 4*y + 2, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 3*x_3^2 - 5*x_3*y + 3*y^2 + 3*x_3 + 4*y + 1, 5*x_1^2*y^2 - 2*x_1^2*y - 4*x_1*y^2 + x_2*y^2 - x_1*y + 5*x_2*y - y^2 - 5*x_2 - 3*y - 2]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0010762214660644531
Computing Macaulay matrix.
Time needed: 2.86102294921875e-06
Performing Gaussian Elimination.
Time needed: 0.00015783309936523438
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0051152706146240234
Computing Macaulay matrix.
Time needed: 2.6226043701171875e-06
Performing Gaussian Elimination.
Time needed: 0.0004630088806152344
Is Groebner Basis: False

--- Degree 2 ---
Comput

[x_1 - 3, x_2 - 5, x_3 + 3, y - 1]

In [35]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y, h over Finite Field of size 11
Input polynomials:
[y^3 + 2*y^2*h - x_1*h^2 + 5*y*h^2 - 5*h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 3*x_1^2*h + 5*x_1*y*h - 3*y^2*h + 3*x_1*h^2 - x_2*h^2 + 3*y*h^2 - h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - x_2^2*h - 2*x_2*y*h - y^2*h + 4*x_2*h^2 - x_3*h^2 + 4*y*h^2 + 2*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 3*x_3^2*h - 5*x_3*y*h + 3*y^2*h + 3*x_3*h^2 + 4*y*h^2 + h^3, 5*x_1^2*y^2 - 2*x_1^2*y*h - 4*x_1*y^2*h + x_2*y^2*h - x_1*y*h^2 + 5*x_2*y*h^2 - y^2*h^2 - 5*x_2*h^3 - 3*y*h^3 - 2*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0011453628540039062
Computing Macaulay matrix.
Time needed: 4.291534423828125e-06
Performing Gaussian Elimination.
Time needed: 0.00022220611572265625
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.002459287643432617
Computing Macaulay matrix.
Time needed: 4.76837158203125e-06
Performing Gau

[x_1*h^10 - 3*h^11,
 x_2*h^10 - 5*h^11,
 x_3*h^10 + 3*h^11,
 y*h^10 - h^11,
 x_2*x_3^2*h^7 + 4*x_1*h^9 + x_2*h^9 - 2*x_3*h^9 - 4*y*h^9 + 2*h^10,
 x_3^2*y*h^7 - 5*x_1*h^9 + 5*x_2*h^9 - 2*x_3*h^9 + 2*y*h^9 - 5*h^10,
 x_1*x_3*h^8 - 4*x_1*h^9 + 2*x_2*h^9 - x_3*h^9 + 5*y*h^9 + 3*h^10,
 x_2*x_3*h^8 + 5*x_1*h^9 + 3*x_2*h^9 - 3*x_3*h^9 + y*h^9 - 3*h^10,
 x_3^2*h^8 + x_1*h^9 + 3*x_2*h^9 + 3*x_3*h^9 + 2*y*h^9 + 2*h^10,
 x_1*y*h^8 + x_1*h^9 + 2*x_2*h^9 + 2*x_3*h^9 + h^10,
 x_2*y*h^8 - 2*x_1*h^9 - 3*x_2*h^9 + x_3*h^9 - 3*h^10,
 x_3*y*h^8 - 5*x_1*h^9 - x_3*h^9 + 4*y*h^9,
 y^2*h^8 - 2*x_1*h^9 + 4*x_3*h^9 + 4*y*h^9 + 2*h^10,
 x_2^2*x_3^2*h^5 + 4*x_2*x_3^2*y*h^5 + 3*x_2*x_3^2*h^6 + 4*x_3^2*y*h^6 - 4*x_1*x_3*h^7 + 3*x_2*x_3*h^7 - 4*x_3^2*h^7 + 2*x_1*y*h^7 - 3*x_2*y*h^7 + 4*x_3*y*h^7 - 3*y^2*h^7 - 4*x_1*h^8 + 4*x_3*h^8 - y*h^8 + 2*h^9,
 x_2^2*x_3*h^6 - 3*x_1*x_3*h^7 - 2*x_2*x_3*h^7 - 3*x_3^2*h^7 + 3*x_1*y*h^7 - 5*x_2*y*h^7 + 2*x_3*y*h^7 + 3*y^2*h^7 + 5*x_1*h^8 - x_2*h^8 + 4*x_3*h^8 + 4*y*h^8 - 4*h^9,
 x

In [36]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-4) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-12) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13) <-- S(-12)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15) <-- 0

In [37]:
cm_regularity(res)

11

## p = 11, r = 5

In [38]:
p = 11
field = GF(p, "a")

rounds = 5

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 5
Constants: [6, 1, 5, 2, 10]

Plain: 5
Key: 10
Cipher: 3

y^3 - x_1
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 3*x_1^2 - 5*x_1*y + 3*y^2 + 3*x_1 - x_2 + 3*y + 1
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 4*x_2^2 - 3*x_2*y + 4*y^2 - 2*x_2 - x_3 - 2*y + 4
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 5*x_3^2 + x_3*y - 5*y^2 + x_3 - x_4 + y - 3
x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 3*x_4^2 + 5*x_4*y - 3*y^2 + 3*x_4 + 4*y - 4


In [39]:
highest_degree_component(fe)

-3*x_1^2*y^2

In [40]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y over Finite Field of size 11
Input polynomials:
[y^3 - x_1, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 3*x_1^2 - 5*x_1*y + 3*y^2 + 3*x_1 - x_2 + 3*y + 1, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 4*x_2^2 - 3*x_2*y + 4*y^2 - 2*x_2 - x_3 - 2*y + 4, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 5*x_3^2 + x_3*y - 5*y^2 + x_3 - x_4 + y - 3, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 3*x_4^2 + 5*x_4*y - 3*y^2 + 3*x_4 + 4*y - 4, -3*x_1^2*y^2 - 5*x_1^2*y + 5*x_1*y^2 + x_2*y^2 + 3*x_1^2 + 4*x_1*y - 3*y^2 - 2*x_1 - 3*x_2 - 3*y + 3]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0011942386627197266
Computing Macaulay matrix.
Time needed: 3.814697265625e-06
Performing Gaussian Elimination.
Time needed: 0.0001690387725830078
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.002689838409423828
Computing Macaulay matrix.
Time needed: 2.6226043701171875e-06
Performing Gaussian Elimination.
T

[x_1 + 1, x_2 + 1, x_3 - 5, x_4 + 4, y + 1]

In [41]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y, h over Finite Field of size 11
Input polynomials:
[y^3 - x_1*h^2, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 3*x_1^2*h - 5*x_1*y*h + 3*y^2*h + 3*x_1*h^2 - x_2*h^2 + 3*y*h^2 + h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 4*x_2^2*h - 3*x_2*y*h + 4*y^2*h - 2*x_2*h^2 - x_3*h^2 - 2*y*h^2 + 4*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 5*x_3^2*h + x_3*y*h - 5*y^2*h + x_3*h^2 - x_4*h^2 + y*h^2 - 3*h^3, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 3*x_4^2*h + 5*x_4*y*h - 3*y^2*h + 3*x_4*h^2 + 4*y*h^2 - 4*h^3, -3*x_1^2*y^2 - 5*x_1^2*y*h + 5*x_1*y^2*h + x_2*y^2*h + 3*x_1^2*h^2 + 4*x_1*y*h^2 - 3*y^2*h^2 - 2*x_1*h^3 - 3*x_2*h^3 - 3*y*h^3 + 3*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.001157522201538086
Computing Macaulay matrix.
Time needed: 4.291534423828125e-06
Performing Gaussian Elimination.
Time needed: 0.00022649765014648438
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time 

[y^2*h^11 - h^13,
 x_2*h^12 + h^13,
 x_3*h^12 - 5*h^13,
 x_4*h^12 + 4*h^13,
 y*h^12 + h^13,
 x_3*x_4^2*h^9 - 3*y^2*h^10 + x_2*h^11 - 2*x_3*h^11 - 2*x_4*h^11 + 4*y*h^11 - 4*h^12,
 x_4^2*y*h^9 + 2*y^2*h^10 - x_2*h^11 + 3*x_3*h^11 - 3*x_4*h^11 - y*h^11 - 4*h^12,
 x_3*x_4*h^10 + 4*y^2*h^10 + 2*x_2*h^11 + 4*x_3*h^11 + 4*x_4*h^11 + 4*y*h^11 - 4*h^12,
 x_4^2*h^10 + 2*y^2*h^10 + x_2*h^11 - 3*x_3*h^11 - 3*x_4*h^11 - 5*y*h^11 + 3*h^12,
 x_1*y*h^10 + 2*y^2*h^10 + x_2*h^11 - 5*x_3*h^11 + x_4*h^11 + 3*y*h^11 - 3*h^12,
 x_2*y*h^10 - 2*y^2*h^10 - 4*x_2*h^11 - x_3*h^11 + 4*x_4*h^11 - 5*y*h^11 + 2*h^12,
 x_3*y*h^10 - 2*y^2*h^10 - 2*x_2*h^11 - 5*x_4*h^11 - 4*y*h^11 + 3*h^12,
 x_4*y*h^10 + x_2*h^11 - x_3*h^11 + 3*x_4*h^11 - y*h^11 + 2*h^12,
 x_1*h^11 - x_2*h^11 - 3*x_3*h^11 + 3*x_4*h^11 - 4*y*h^11 + h^12,
 x_3^2*x_4*h^8 + x_3*x_4*h^9 - 4*x_1*y*h^9 - x_2*y*h^9 + 4*x_3*y*h^9 + 4*x_4*y*h^9 - 4*y^2*h^9 - 5*x_3*h^10 - 2*x_4*h^10 - 2*y*h^10 + 5*h^11,
 x_1*x_4^2*h^8 - 3*x_4^2*y*h^8 + 2*x_3*x_4*h^9 + 3*x_4^2*h^9

In [42]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-4) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-14) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16) <-- S(-15)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17) <-- S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18) <-- 0

In [43]:
cm_regularity(res)

13

## p = 11, r = 6

In [44]:
p = 11
field = GF(p, "a")

rounds = 6

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe = fe.reduce(polys)
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 6
Constants: [2, 4, 8, 2, 5, 4]

Plain: 3
Key: 4
Cipher: 10

y^3 + 4*y^2 - x_1 - 2*y + 4
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 4*x_1 - x_2 + 4*y - 2
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 2*x_2^2 + 4*x_2*y + 2*y^2 + 5*x_2 - x_3 + 5*y - 5
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 5*x_3^2 + x_3*y - 5*y^2 + x_3 - x_4 + y - 3
x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + 4*x_4^2 - 3*x_4*y + 4*y^2 - 2*x_4 - x_5 - 2*y + 4
x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 + x_5^2 + 2*x_5*y + y^2 + 4*x_5 + 5*y - 1


In [45]:
highest_degree_component(fe)

3*x_1^2*y^2

In [46]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y over Finite Field of size 11
Input polynomials:
[y^3 + 4*y^2 - x_1 - 2*y + 4, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 4*x_1 - x_2 + 4*y - 2, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 2*x_2^2 + 4*x_2*y + 2*y^2 + 5*x_2 - x_3 + 5*y - 5, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 5*x_3^2 + x_3*y - 5*y^2 + x_3 - x_4 + y - 3, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + 4*x_4^2 - 3*x_4*y + 4*y^2 - 2*x_4 - x_5 - 2*y + 4, x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 + x_5^2 + 2*x_5*y + y^2 + 4*x_5 + 5*y - 1, 3*x_1^2*y^2 + 3*x_1^2*y + 5*x_1*y^2 + x_2*y^2 + 3*x_1^2 + 2*x_1*y - x_2*y + 3*y^2 + 4*x_1 + 5*y + 2]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0008559226989746094
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 0.00010967254638671875
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.00287556

[y^2 - 2*y + 3,
 x_1 + 4*y + 3,
 x_2 + 4*y - 5,
 x_3 - y + 3,
 x_4 - y + 2,
 x_5 - 2*y - 3]

In [47]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y, h over Finite Field of size 11
Input polynomials:
[y^3 + 4*y^2*h - x_1*h^2 - 2*y*h^2 + 4*h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + x_1^2*h + 2*x_1*y*h + y^2*h + 4*x_1*h^2 - x_2*h^2 + 4*y*h^2 - 2*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 2*x_2^2*h + 4*x_2*y*h + 2*y^2*h + 5*x_2*h^2 - x_3*h^2 + 5*y*h^2 - 5*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 5*x_3^2*h + x_3*y*h - 5*y^2*h + x_3*h^2 - x_4*h^2 + y*h^2 - 3*h^3, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + 4*x_4^2*h - 3*x_4*y*h + 4*y^2*h - 2*x_4*h^2 - x_5*h^2 - 2*y*h^2 + 4*h^3, x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 + x_5^2*h + 2*x_5*y*h + y^2*h + 4*x_5*h^2 + 5*y*h^2 - h^3, 3*x_1^2*y^2 + 3*x_1^2*y*h + 5*x_1*y^2*h + x_2*y^2*h + 3*x_1^2*h^2 + 2*x_1*y*h^2 - x_2*y*h^2 + 3*y^2*h^2 + 4*x_1*h^3 + 5*y*h^3 + 2*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006959438323974609
Computing Macaulay matrix.
Time needed: 4.0531158447265625e-06
Performing Gaussian 

[x_1*h^14 + 4*y*h^14 + 3*h^15,
 x_2*h^14 + 4*y*h^14 - 5*h^15,
 x_3*h^14 - y*h^14 + 3*h^15,
 x_4*h^14 - y*h^14 + 2*h^15,
 x_5*h^14 - 2*y*h^14 - 3*h^15,
 x_4*x_5^2*h^11 - 5*x_1*h^13 + 3*x_2*h^13 - 4*x_3*h^13 - 4*x_4*h^13 + 3*x_5*h^13 - 3*y*h^13 - 5*h^14,
 x_5^2*y*h^11 - 2*x_1*h^13 - 3*x_2*h^13 - 5*x_3*h^13 + x_4*h^13 + x_5*h^13 - 2*h^14,
 x_4*x_5*h^12 + 4*x_1*h^13 - 3*x_2*h^13 - 2*x_3*h^13 + 4*x_4*h^13 - x_5*h^13 + y*h^13,
 x_5^2*h^12 + 5*x_1*h^13 + x_3*h^13 + 2*x_4*h^13 - 4*x_5*h^13 + 5*y*h^13 + 4*h^14,
 x_2*y*h^12 - x_1*h^13 + 4*x_3*h^13 + 3*x_4*h^13 + 3*y*h^13 + 3*h^14,
 x_4*y*h^12 - 4*x_1*h^13 + x_2*h^13 + 4*x_3*h^13 - x_4*h^13 + 2*x_5*h^13 + 3*y*h^13 + h^14,
 x_5*y*h^12 - x_1*h^13 + 5*x_2*h^13 + 2*x_3*h^13 + 3*x_4*h^13 + 4*x_5*h^13 - 4*y*h^13,
 y^2*h^12 + x_1*h^13 + 3*x_2*h^13 - 3*x_3*h^13 + 4*x_4*h^13 - x_5*h^13 + 4*y*h^13 + 4*h^14,
 x_1*x_5*h^11 - 3*x_4*y*h^11 - x_5*y*h^11 - y^2*h^11 - 2*x_1*h^12 - 3*x_2*h^12 - x_3*h^12 + 4*x_4*h^12 - x_5*h^12 - 5*h^13,
 x_2*x_5*h^11 - 4*x_2*y*h^1

In [48]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-4) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-7)⊕S(-15) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-10)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-17) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-13)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S

In [49]:
cm_regularity(res)

15