# MiMC Solving Degree For Attack With One Field Equation
Empirical solving degree for increasing round numbers of MiMC together the field equation for the key variable.

Primes: $p \in \{ 5, 11 \}$.

Round numbers: $r \in \{ 3, 4, 5, 6 \}$.

In [1]:
from lazard_gb_algorithm import *
load("MiMC.sage")
load("utilities.sage")

## p = 5, r = 3

In [2]:
p = 5
field = GF(p, "a")

rounds = 3

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 3
Constants: [0, 1, 0]

Plain: 2
Key: 1
Cipher: 1

y^3 + y^2 - x_1 + 2*y - 2
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - 2*x_1^2 + x_1*y - 2*y^2 - 2*x_1 - x_2 - 2*y + 1
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + y - 1


In [3]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, y over Finite Field of size 5
Input polynomials:
[y^3 + y^2 - x_1 + 2*y - 2, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - 2*x_1^2 + x_1*y - 2*y^2 - 2*x_1 - x_2 - 2*y + 1, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + y - 1, y^5 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.10515904426574707
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian Elimination.
Time needed: 0.00018835067749023438
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.01604628562927246
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 0.00012063980102539062
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.000881195068359375
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 0.00010395050048828125
Is Groebner Basis: Fals

[y^2 + y - 2, x_1 + y + 2, x_2 + 1]

In [4]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, y, h over Finite Field of size 5
Input polynomials:
[y^3 + y^2*h - x_1*h^2 + 2*y*h^2 - 2*h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - 2*x_1^2*h + x_1*y*h - 2*y^2*h - 2*x_1*h^2 - x_2*h^2 - 2*y*h^2 + h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + y*h^2 - h^3, y^5 - y*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005726814270019531
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Performing Gaussian Elimination.
Time needed: 7.534027099609375e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0009121894836425781
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 0.00010704994201660156
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0009157657623291016
Computing Macaulay matrix.
Time needed: 7.152557373046875e-07
Performing Gaussian Elimination.
Tim

[x_1*h^9 + y*h^9 + 2*h^10,
 x_2*h^9 + h^10,
 x_2^2*h^7 - 2*x_1*h^8 + 2*x_2*h^8 - 2*y*h^8 + 2*h^9,
 y^2*h^7 - 2*x_1*h^8 - 2*x_2*h^8 - y*h^8 + 2*h^9,
 x_1*x_2*h^6 - 2*x_1*h^7 + 2*x_2*h^7 + 2*y*h^7 + h^8,
 x_2*y*h^6 + 2*x_1*h^7 - x_2*h^7 - 2*y*h^7 - 2*h^8,
 x_2*y^2*h^4 - x_2*y*h^5 + y^2*h^5 - 2*x_2*h^6 - y*h^6 - 2*h^7,
 x_1*y*h^5 + y^2*h^5 + x_2*h^6 + 2*y*h^6 + h^7,
 x_1^2*h^4 - y^2*h^4 + y*h^5 + h^6,
 x_1*y^2*h^2 - x_1*y*h^3 - x_1*h^4 - y*h^4 - 2*h^5,
 x_1^3 - 2*x_1^2*y - 2*x_1*y^2 - 2*x_1^2*h + x_1*y*h + 2*y^2*h - x_1*h^2 - x_2*h^2 + y*h^2 - 2*h^3,
 x_2^3 - 2*x_2^2*y - 2*x_2*y^2 - y^2*h + x_1*h^2 - y*h^2 + h^3,
 y^3 + y^2*h - x_1*h^2 + 2*y*h^2 - 2*h^3]

In [5]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-5) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-10) <-- S(-9)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-12) <-- S(-13)⊕S(-12)⊕S(-13) <-- 0

In [6]:
cm_regularity(res)

10

## p = 5, r = 4

In [7]:
p = 5
field = GF(p, "a")

rounds = 4

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 4
Constants: [0, 3, 1, 3]

Plain: 3
Key: 3
Cipher: 2

y^3 - y^2 - x_1 + 2*y + 2
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - 2*x_2^2 + x_2*y - 2*y^2 - 2*x_2 - x_3 - 2*y + 1
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - 2*y


In [8]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y over Finite Field of size 5
Input polynomials:
[y^3 - y^2 - x_1 + 2*y + 2, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - 2*x_2^2 + x_2*y - 2*y^2 - 2*x_2 - x_3 - 2*y + 1, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - 2*y, y^5 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005321502685546875
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 7.224082946777344e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0006375312805175781
Computing Macaulay matrix.
Time needed: 7.152557373046875e-07
Performing Gaussian Elimination.
Time needed: 3.910064697265625e-05
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0007648468017578125
Computing Macaulay matrix.


[y^2 - 2*y + 2, x_1 - 2*y, x_2 - 2*y - 2, x_3 - 2*y - 2]

In [9]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y, h over Finite Field of size 5
Input polynomials:
[y^3 - y^2*h - x_1*h^2 + 2*y*h^2 + 2*h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2*h - 2*x_1*y*h - y^2*h + 2*x_1*h^2 - x_2*h^2 + 2*y*h^2 + 2*h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 - 2*x_2^2*h + x_2*y*h - 2*y^2*h - 2*x_2*h^2 - x_3*h^2 - 2*y*h^2 + h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2*h - 2*x_3*y*h - y^2*h + 2*x_3*h^2 - 2*y*h^2, y^5 - y*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0004303455352783203
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 0.0001289844512939453
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0008332729339599609
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 9.489059448242188e-05
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up 

[x_2*h^11 - 2*y*h^11 - 2*h^12,
 x_3*h^11 - 2*y*h^11 - 2*h^12,
 x_2*x_3^2*y*h^7 + 2*x_2*h^10 + x_3*h^10,
 x_3*y*h^9 - y*h^10 - h^11,
 x_2*x_3*h^8 - x_3*y*h^8 + 2*x_2*h^9 + x_3*h^9 - y*h^9 - h^10,
 x_3^2*h^8 + 2*x_2*h^9 + x_3*h^9 - 2*y*h^9 - 2*h^10,
 x_2*y*h^8 + 2*x_3*y*h^8 + 2*x_2*h^9 - 2*x_3*h^9 + 2*y*h^9 + 2*h^10,
 x_3*y^2*h^6 - x_2*y*h^7 + x_3*y*h^7 + 2*x_3*h^8 - 2*y*h^8 - 2*h^9,
 y^2*h^7 - 2*x_2*h^8 + x_3*h^8 - h^9,
 x_2^2*h^6 + 2*x_2*y*h^6 + x_2*h^7,
 x_2*y^2*h^4 + x_2*y*h^5 - 2*x_2*h^6,
 x_1*h^6 + x_2*h^6 + y*h^6 - 2*h^7,
 x_1^2*h^4 - y^2*h^4 - y*h^5 + h^6,
 x_1*y^2*h^2 + x_1*y*h^3 - x_1*h^4 - y*h^4 + 2*h^5,
 x_1^3 - 2*x_1^2*y - 2*x_1*y^2 - x_1^2*h - 2*x_1*y*h - 2*x_1*h^2 - x_2*h^2,
 x_2^3 - 2*x_2^2*y - 2*x_2*y^2 - 2*x_2^2*h + x_2*y*h - y^2*h + x_1*h^2 - 2*x_2*h^2 - x_3*h^2 + y*h^2 - h^3,
 x_3^3 - 2*x_3^2*y - 2*x_3*y^2 - x_3^2*h - 2*x_3*y*h + x_1*h^2 + 2*x_3*h^2 + y*h^2 - 2*h^3,
 y^3 - y^2*h - x_1*h^2 + 2*y*h^2 + 2*h^3]

In [10]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-5) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-12) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-14)⊕S(-13)⊕S(-13)⊕S(-13) <-- S(-12)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14) <-- S(-16)⊕S(-16)⊕S(-16)⊕S(-15) <-- 0

In [11]:
cm_regularity(res)

12

## p = 5, r = 5

In [12]:
p = 5
field = GF(p, "a")

rounds = 5

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 5
Constants: [3, 4, 2, 3, 1]

Plain: 1
Key: 1
Cipher: 3

y^3 + 2*y^2 - x_1 - 2*y - 1
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + 2*x_1^2 - x_1*y + 2*y^2 - 2*x_1 - x_2 - 2*y - 1
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - x_4 + 2*y + 2
x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 - 2*x_4^2 + x_4*y - 2*y^2 - 2*x_4 - y - 2


In [13]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2 - x_1 - 2*y - 1, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + 2*x_1^2 - x_1*y + 2*y^2 - 2*x_1 - x_2 - 2*y - 1, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2 - 2*x_3*y - y^2 + 2*x_3 - x_4 + 2*y + 2, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 - 2*x_4^2 + x_4*y - 2*y^2 - 2*x_4 - y - 2, y^5 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005474090576171875
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 6.246566772460938e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0006241798400878906
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 3.838539123535156e-05
Is Groebner Basis: False

--- Degree 2 ---
Compu

[y^2 + y - 2, x_1 + y - 1, x_2, x_3 + y + 2, x_4 - 1]

In [14]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y, h over Finite Field of size 5
Input polynomials:
[y^3 + 2*y^2*h - x_1*h^2 - 2*y*h^2 - h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 + 2*x_1^2*h - x_1*y*h + 2*y^2*h - 2*x_1*h^2 - x_2*h^2 - 2*y*h^2 - h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 2*x_2*h^2 - x_3*h^2 + 2*y*h^2 - 2*h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 - x_3^2*h - 2*x_3*y*h - y^2*h + 2*x_3*h^2 - x_4*h^2 + 2*y*h^2 + 2*h^3, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 - 2*x_4^2*h + x_4*y*h - 2*y^2*h - 2*x_4*h^2 - y*h^2 - 2*h^3, y^5 - y*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.00048351287841796875
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 7.82012939453125e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0009081363677978516
Computing Macaulay matrix.
Time needed: 5.245208740234375e-06
Performing Gau

[x_2*h^13,
 x_3*h^13 + y*h^13 + 2*h^14,
 x_4*h^13 - h^14,
 x_4^2*h^11 - x_3*h^12 - x_4*h^12 - y*h^12 - 2*h^13,
 x_2*x_4*h^10 - 2*x_2*h^11 - x_3*h^11 + 2*x_4*h^11 - y*h^11 + h^12,
 x_3*x_4*h^10 + x_2*h^11 + 2*x_4*h^11 + y*h^11,
 x_4*y*h^10 - x_2*h^11 + x_4*h^11 - y*h^11 - h^12,
 x_2*x_3^2*y*h^7 - 2*x_2*x_4*h^9 + x_3*x_4*h^9 - x_4*y*h^9 - 2*x_2*h^10 + x_4*h^10 + 2*y*h^10 + h^11,
 x_3*y*h^9 - x_3*h^10 + 2*x_4*h^10 - 2*h^11,
 x_2*x_3*h^8 - x_3*y*h^8 + 2*x_2*h^9 - y*h^9 - 2*h^10,
 x_3^2*h^8 + 2*x_2*h^9 + x_3*h^9 - 2*y*h^9 + h^10,
 x_2*y*h^8 + 2*x_3*y*h^8 - 2*x_2*h^9 + 2*y*h^9 - h^10,
 x_3*y^2*h^6 - x_2*y*h^7 - 2*x_3*y*h^7 - x_2*h^8 - x_3*h^8 - 2*y*h^8 + h^9,
 y^2*h^7 - 2*x_2*h^8 + x_3*h^8 + 2*y*h^8,
 x_2^2*h^6 + 2*x_2*y*h^6 - 2*x_2*h^7,
 x_2*y^2*h^4 - 2*x_2*y*h^5,
 x_1*h^6 + x_2*h^6 + y*h^6 - h^7,
 x_1^2*h^4 - y^2*h^4 + 2*y*h^5 - h^6,
 x_1*y^2*h^2 - 2*x_1*y*h^3 + x_1*h^4 - y*h^4 + h^5,
 x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + 2*x_1^2*h - x_1*y*h - x_1*h^2 - x_2*h^2,
 x_2^3 - 2*x_2^2*y - 2*x_2*y^2 +

In [15]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-5) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-14) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-16) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-17)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-16)⊕S(-17)⊕S(-17)⊕S(-17) <-- S(-15)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-18)⊕S(-18)⊕S(-18) <-- S(-19)⊕S(-19)⊕S(-19)⊕S(-18)⊕S(-19) <-- 0

In [16]:
cm_regularity(res)

14

## p = 5, r = 6

In [17]:
p = 5
field = GF(p, "a")

rounds = 6

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 5
r: 6
Constants: [2, 3, 2, 2, 4, 1]

Plain: 0
Key: 1
Cipher: 0

y^3 + y^2 - x_1 + 2*y - 2
x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2
x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2
x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 + x_3^2 + 2*x_3*y + y^2 + 2*x_3 - x_4 + 2*y - 2
x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2 - x_4*y + 2*y^2 - 2*x_4 - x_5 - 2*y - 1
x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 - 2*x_5^2 + x_5*y - 2*y^2 - 2*x_5 - y + 1


In [18]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y over Finite Field of size 5
Input polynomials:
[y^3 + y^2 - x_1 + 2*y - 2, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2 - 2*x_1*y - y^2 + 2*x_1 - x_2 + 2*y + 2, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 2*x_2 - x_3 + 2*y - 2, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 + x_3^2 + 2*x_3*y + y^2 + 2*x_3 - x_4 + 2*y - 2, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2 - x_4*y + 2*y^2 - 2*x_4 - x_5 - 2*y - 1, x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 - 2*x_5^2 + x_5*y - 2*y^2 - 2*x_5 - y + 1, y^5 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005314350128173828
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 0.00011682510375976562
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0006875991821289062
Computing Macaulay matrix.
Time needed: 7.152557373046875e-07
Performing Gaussian Eliminat

[x_1 - 2, x_2 - 1, x_3 + 1, x_4 + 2, x_5 - 2, y - 1]

In [19]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y, h over Finite Field of size 5
Input polynomials:
[y^3 + y^2*h - x_1*h^2 + 2*y*h^2 - 2*h^3, x_1^3 - 2*x_1^2*y - 2*x_1*y^2 + y^3 - x_1^2*h - 2*x_1*y*h - y^2*h + 2*x_1*h^2 - x_2*h^2 + 2*y*h^2 + 2*h^3, x_2^3 - 2*x_2^2*y - 2*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 2*x_2*h^2 - x_3*h^2 + 2*y*h^2 - 2*h^3, x_3^3 - 2*x_3^2*y - 2*x_3*y^2 + y^3 + x_3^2*h + 2*x_3*y*h + y^2*h + 2*x_3*h^2 - x_4*h^2 + 2*y*h^2 - 2*h^3, x_4^3 - 2*x_4^2*y - 2*x_4*y^2 + y^3 + 2*x_4^2*h - x_4*y*h + 2*y^2*h - 2*x_4*h^2 - x_5*h^2 - 2*y*h^2 - h^3, x_5^3 - 2*x_5^2*y - 2*x_5*y^2 + y^3 - 2*x_5^2*h + x_5*y*h - 2*y^2*h - 2*x_5*h^2 - y*h^2 + h^3, y^5 - y*h^4]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.00047278404235839844
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 8.320808410644531e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1

[x_2*h^15 - h^16,
 x_3*h^15 + h^16,
 x_5*h^15 - 2*h^16,
 y*h^15 - h^16,
 x_5^2*h^13 + 2*x_2*h^14 - x_5*h^14 + h^15,
 x_2*x_5*h^12 + x_4*x_5*h^12 + 2*x_2*h^13 + 2*y*h^13 - 2*h^14,
 x_3*x_5*h^12 - x_4*x_5*h^12 - x_2*h^13 - 2*x_3*h^13 - 2*y*h^13 - h^14,
 x_5*y*h^12 + 2*x_2*h^13 + 2*x_5*h^13 - 2*y*h^13 - h^14,
 x_4*h^13 + x_5*h^13 + y*h^13 - h^14,
 x_3*x_4*h^11 - 2*x_2*h^12 - 2*x_3*h^12 - 2*x_4*h^12 - 2*y*h^12 + h^13,
 x_4^2*h^11 + 2*x_2*h^12 - 2*x_3*h^12 - 2*x_4*h^12 - y*h^12 - h^13,
 x_1*x_4*h^10 - 2*x_2*h^11 - 2*x_3*h^11 + x_4*h^11 + y*h^11,
 x_2*x_4*h^10 + x_3*x_4*h^10 - x_2*h^11 - 2*x_3*h^11 - 2*x_4*h^11 - y*h^11 + h^12,
 x_4*y*h^10 + 2*x_2*h^11 + 2*x_3*h^11 - x_4*h^11 + 2*y*h^11 - 2*h^12,
 x_1*h^11 + x_2*h^11 + x_4*h^11 + 2*y*h^11 + 2*h^12,
 x_2*x_3^2*h^8 - x_1*x_4*h^9 + x_2*x_4*h^9 + x_3*x_4*h^9 + 2*x_4*y*h^9 - x_1*h^10 + 2*x_2*h^10 + 2*x_3*h^10 - x_4*h^10 + 2*y*h^10 + 2*h^11,
 x_2*x_3*h^9 - 2*x_2*h^10 - x_3*h^10 + 2*h^11,
 x_3^2*h^9 + 2*x_2*h^10 - 2*x_3*h^10 + 2*y*h^10 - 2*h^11,
 x

In [20]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-5) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-8)⊕S(-17) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-11)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18)⊕S(-18) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19)⊕S(-19) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S

In [21]:
cm_regularity(res)

16

## p = 11, r = 3

In [22]:
p = 11
field = GF(p, "a")

rounds = 3

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 3
Constants: [3, 4, 8]

Plain: 1
Key: 10
Cipher: 7

y^3 + y^2 - x_1 + 4*y - 2
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 4*x_1 - x_2 + 4*y - 2
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 2*x_2^2 + 4*x_2*y + 2*y^2 + 5*x_2 - 5*y - 1


In [23]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, y over Finite Field of size 11
Input polynomials:
[y^3 + y^2 - x_1 + 4*y - 2, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + x_1^2 + 2*x_1*y + y^2 + 4*x_1 - x_2 + 4*y - 2, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 2*x_2^2 + 4*x_2*y + 2*y^2 + 5*x_2 - 5*y - 1, y^11 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.00048279762268066406
Computing Macaulay matrix.
Time needed: 7.152557373046875e-07
Performing Gaussian Elimination.
Time needed: 0.00012755393981933594
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0008287429809570312
Computing Macaulay matrix.
Time needed: 9.5367431640625e-07
Performing Gaussian Elimination.
Time needed: 9.870529174804688e-05
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0014624595642089844
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed:

[x_1 - 5, x_2 + 5, y + 1]

In [24]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, y, h over Finite Field of size 11
Input polynomials:
[y^3 + y^2*h - x_1*h^2 + 4*y*h^2 - 2*h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + x_1^2*h + 2*x_1*y*h + y^2*h + 4*x_1*h^2 - x_2*h^2 + 4*y*h^2 - 2*h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + 2*x_2^2*h + 4*x_2*y*h + 2*y^2*h + 5*x_2*h^2 - 5*y*h^2 - h^3, y^11 - y*h^10]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0004904270172119141
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 7.510185241699219e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0008940696716308594
Computing Macaulay matrix.
Time needed: 7.152557373046875e-07
Performing Gaussian Elimination.
Time needed: 0.0001583099365234375
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.002367258071899414
Computing Macaulay matrix.
Time needed: 1.90734

[x_1*h^15 - 5*h^16,
 x_2*h^15 + 5*h^16,
 y*h^15 + h^16,
 x_2^2*y*h^12 + 5*x_1*h^14 - 4*x_2*h^14 - 3*y*h^14 - h^15,
 x_1*x_2*h^13 - x_1*h^14 - 3*x_2*h^14 - y*h^14 + 3*h^15,
 x_2^2*h^13 - 2*x_1*h^14 - 4*x_2*h^14 + 5*y*h^14 + 3*h^15,
 x_1*y*h^13 + 4*x_1*h^14 + 2*x_2*h^14 + 3*y*h^14 - 2*h^15,
 x_2*y*h^13 - 2*x_1*h^14 - 2*y*h^14 + 3*h^15,
 y^2*h^13 + 4*x_1*h^14 - 3*x_2*h^14 - y*h^14 - 4*h^15,
 x_2^2*y^2*h^10 - 3*x_2^2*y*h^11 + 4*x_1*x_2*h^12 + 4*x_2^2*h^12 - x_1*y*h^12 - 4*x_2*y*h^12 + y^2*h^12 - 4*x_1*h^13 - 5*x_2*h^13 - 3*y*h^13 + 5*h^14,
 x_1*y^2*h^11 - x_1*x_2*h^12 + 3*x_2^2*h^12 + 3*x_1*y*h^12 - x_2*y*h^12 - 3*y^2*h^12 + 5*x_1*h^13 + 5*x_2*h^13 - 3*y*h^13 + 3*h^14,
 x_2*y^2*h^11 + 3*x_1*x_2*h^12 - 4*x_2^2*h^12 + 2*x_1*y*h^12 + 3*x_2*y*h^12 - 5*y^2*h^12 + x_1*h^13 - 4*x_2*h^13 + 3*y*h^13 + 4*h^14,
 x_1^2*h^12 - 5*x_1*x_2*h^12 - 5*x_2^2*h^12 - 4*x_1*y*h^12 + 2*x_2*y*h^12 - 5*y^2*h^12 - 5*x_1*h^13 - 3*x_2*h^13 + 4*y*h^13 - 3*h^14,
 x_1^2*x_2*h^10 - 2*x_1*y^2*h^10 + 5*x_2*y^2*h^10 - 5*x_1*

In [25]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-11) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-17) <-- S(-9)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-18)⊕S(-18)⊕S(-18) <-- S(-19)⊕S(-19)⊕S(-19) <-- 0

In [26]:
cm_regularity(res)

16

## p = 11, r = 4

In [27]:
p = 11
field = GF(p, "a")

rounds = 4

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 4
Constants: [3, 1, 3, 3]

Plain: 8
Key: 8
Cipher: 2

y^3 - x_1
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 3*x_1^2 - 5*x_1*y + 3*y^2 + 3*x_1 - x_2 + 3*y + 1
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 2*x_2^2 - 4*x_2*y - 2*y^2 + 5*x_2 - x_3 + 5*y + 5
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 2*x_3^2 - 4*x_3*y - 2*y^2 + 5*x_3 - 5*y + 3


In [28]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y over Finite Field of size 11
Input polynomials:
[y^3 - x_1, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 3*x_1^2 - 5*x_1*y + 3*y^2 + 3*x_1 - x_2 + 3*y + 1, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 2*x_2^2 - 4*x_2*y - 2*y^2 + 5*x_2 - x_3 + 5*y + 5, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 2*x_3^2 - 4*x_3*y - 2*y^2 + 5*x_3 - 5*y + 3, y^11 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0005862712860107422
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 7.414817810058594e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0007224082946777344
Computing Macaulay matrix.
Time needed: 4.76837158203125e-07
Performing Gaussian Elimination.
Time needed: 4.792213439941406e-05
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to degree: 2
Time needed: 0.0007865428924560547
Computing Macaulay matrix

[x_1 + 5, x_2 + 2, x_3 - 3, y + 3]

In [29]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, y, h over Finite Field of size 11
Input polynomials:
[y^3 - x_1*h^2, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 + 3*x_1^2*h - 5*x_1*y*h + 3*y^2*h + 3*x_1*h^2 - x_2*h^2 + 3*y*h^2 + h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 2*x_2^2*h - 4*x_2*y*h - 2*y^2*h + 5*x_2*h^2 - x_3*h^2 + 5*y*h^2 + 5*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 - 2*x_3^2*h - 4*x_3*y*h - 2*y^2*h + 5*x_3*h^2 - 5*y*h^2 + 3*h^3, y^11 - y*h^10]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.00046539306640625
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussian Elimination.
Time needed: 6.318092346191406e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0009059906005859375
Computing Macaulay matrix.
Time needed: 1.6689300537109375e-06
Performing Gaussian Elimination.
Time needed: 0.0026102066040039062
Is Groebner Basis: False

--- Degree 2 ---
Computing all monomials up to

[x_1*h^17 + 5*h^18,
 x_2*h^17 + 2*h^18,
 x_3*h^17 - 3*h^18,
 y*h^17 + 3*h^18,
 x_2*x_3^2*h^14 - 2*x_1*h^16 - 2*x_2*h^16 - x_3*h^16 + 5*y*h^16,
 x_3^2*y*h^14 + 4*x_1*h^16 - 3*x_2*h^16 + 5*x_3*h^16 - 4*y*h^16 + 3*h^17,
 x_1*x_3*h^15 - 2*x_2*h^16 + 4*x_3*h^16 - y*h^16 - 4*h^17,
 x_2*x_3*h^15 - x_1*h^16 - 2*x_2*h^16 + x_3*h^16 + y*h^16 - 3*h^17,
 x_3^2*h^15 + 4*x_2*h^16 + 2*x_3*h^16 + 5*y*h^16 - 3*h^17,
 x_1*y*h^15 + 2*x_1*h^16 + 5*x_2*h^16 + 3*x_3*h^16 - 4*y*h^16 - 5*h^17,
 x_2*y*h^15 + x_1*h^16 + 5*x_2*h^16 + 4*x_3*h^16 - 4*y*h^16 - 4*h^17,
 x_3*y*h^15 + x_1*h^16 + x_2*h^16 - 5*x_3*h^16 - y*h^16 - 5*h^17,
 y^2*h^15 + 3*x_1*h^16 + 2*x_3*h^16 - 5*y*h^16 - 4*h^17,
 x_2^2*x_3^2*h^12 - 5*x_2*x_3^2*y*h^12 + 4*x_2*x_3^2*h^13 - 2*x_3^2*y*h^13 - 2*x_1*x_3*h^14 + x_2*x_3*h^14 + 3*x_3^2*h^14 + 4*x_1*y*h^14 + 5*x_2*y*h^14 + 3*y^2*h^14 + 3*x_1*h^15 - 2*x_2*h^15 + x_3*h^15 + y*h^15 - 4*h^16,
 x_2^2*x_3*h^13 + x_1*x_3*h^14 - 5*x_2*x_3*h^14 + 5*x_3^2*h^14 - x_2*y*h^14 + 3*x_3*y*h^14 - 4*y^2*h^14 - 3*x_1

In [30]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-11) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-19) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20) <-- S(-12)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21) <-- S(-22)⊕S(-22)⊕S(-22)⊕S(-22) <-- 0

In [31]:
cm_regularity(res)

18

## p = 11, r = 5

In [32]:
p = 11
field = GF(p, "a")

rounds = 5

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 5
Constants: [6, 10, 4, 5, 3]

Plain: 3
Key: 2
Cipher: 8

y^3 + 5*y^2 - x_1 + y + 3
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 3*x_1^2 + 5*x_1*y - 3*y^2 + 3*x_1 - x_2 + 3*y - 1
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 4*x_2 - x_3 + 4*y - 2
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 4*x_3^2 - 3*x_3*y + 4*y^2 - 2*x_3 - x_4 - 2*y + 4
x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 2*x_4^2 - 4*x_4*y - 2*y^2 + 5*x_4 - 5*y - 3


In [33]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y over Finite Field of size 11
Input polynomials:
[y^3 + 5*y^2 - x_1 + y + 3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 3*x_1^2 + 5*x_1*y - 3*y^2 + 3*x_1 - x_2 + 3*y - 1, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + x_2^2 + 2*x_2*y + y^2 + 4*x_2 - x_3 + 4*y - 2, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 4*x_3^2 - 3*x_3*y + 4*y^2 - 2*x_3 - x_4 - 2*y + 4, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 2*x_4^2 - 4*x_4*y - 2*y^2 + 5*x_4 - 5*y - 3, y^11 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0004863739013671875
Computing Macaulay matrix.
Time needed: 7.152557373046875e-07
Performing Gaussian Elimination.
Time needed: 6.413459777832031e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.0006425380706787109
Computing Macaulay matrix.
Time needed: 4.76837158203125e-07
Performing Gaussian Elimination.
Time needed: 4.410743713378906e-05
Is Groebner Basis: False

--- Degree 2

[x_4^2 - x_4 + 5,
 x_4*y - 2*x_4 + 2*y - 4,
 y^2 - 5*x_4 - 2*y + 4,
 x_1 - x_4 - y + 5,
 x_2 - x_4 - 2*y - 5,
 x_3 - x_4 + y - 1]

In [34]:
lazard_gb_algorithm(polys_h + [fe_h])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, y, h over Finite Field of size 11
Input polynomials:
[y^3 + 5*y^2*h - x_1*h^2 + y*h^2 + 3*h^3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 3*x_1^2*h + 5*x_1*y*h - 3*y^2*h + 3*x_1*h^2 - x_2*h^2 + 3*y*h^2 - h^3, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 + x_2^2*h + 2*x_2*y*h + y^2*h + 4*x_2*h^2 - x_3*h^2 + 4*y*h^2 - 2*h^3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 4*x_3^2*h - 3*x_3*y*h + 4*y^2*h - 2*x_3*h^2 - x_4*h^2 - 2*y*h^2 + 4*h^3, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 - 2*x_4^2*h - 4*x_4*y*h - 2*y^2*h + 5*x_4*h^2 - 5*y*h^2 - 3*h^3, y^11 - y*h^10]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0004756450653076172
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 0.0001766681671142578
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.019177675247192383
Computing Macaulay matrix.
Time needed: 1.9073486328125e-06
Per

[x_1*h^19 - x_4*h^19 - y*h^19 + 5*h^20,
 x_2*h^19 - x_4*h^19 - 2*y*h^19 - 5*h^20,
 x_3*h^19 - x_4*h^19 + y*h^19 - h^20,
 x_3*x_4^2*h^16 + x_1*h^18 - 5*x_2*h^18 + 5*x_3*h^18 + 4*x_4*h^18 - 4*y*h^18 - 5*h^19,
 x_4^2*y*h^16 - 5*x_1*h^18 + 5*x_2*h^18 - 2*x_4*h^18 + 2*y*h^18 + h^19,
 x_3*x_4*h^17 + x_1*h^18 + 5*x_3*h^18 + 5*x_4*h^18 + 2*y*h^18 - 2*h^19,
 x_4^2*h^17 + 3*x_3*h^18 - 4*x_4*h^18 + 3*y*h^18 + 2*h^19,
 x_1*y*h^17 + 3*x_1*h^18 + 2*x_2*h^18 - 3*x_3*h^18 + 2*x_4*h^18 - 5*y*h^18 - 3*h^19,
 x_2*y*h^17 + 5*x_1*h^18 + 5*x_2*h^18 - 4*x_3*h^18 + 4*x_4*h^18 - 4*y*h^18 - 3*h^19,
 x_3*y*h^17 + 3*x_1*h^18 + 2*x_2*h^18 - 3*x_3*h^18 + x_4*h^18 + 4*y*h^18,
 x_4*y*h^17 - x_1*h^18 + 4*x_2*h^18 + x_3*h^18 + 5*x_4*h^18 - 4*y*h^18 + 3*h^19,
 y^2*h^17 + 3*x_1*h^18 + 3*x_2*h^18 + 3*x_3*h^18 - 3*x_4*h^18 + 3*y*h^18 + h^19,
 x_3^2*x_4*h^15 - x_3*x_4*h^16 - 5*x_1*y*h^16 - 5*x_2*y*h^16 - 2*x_3*y*h^16 + 5*x_4*y*h^16 + y^2*h^16 - x_1*h^17 - x_2*h^17 + x_3*h^17 + 2*x_4*h^17 + 4*y*h^17 - 4*h^18,
 x_1*x_4^2*h^15

In [35]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-11) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-20)⊕S(-20) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21)⊕S(-21) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-22)⊕S(-23) <-- S(-15)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-24)⊕S(-24)⊕S(-24) <-- S(-25)⊕S(-25)⊕S(-25)⊕S(-24)⊕S(-24)⊕S(-24) <-- 0

In [36]:
cm_regularity(res)

20

## p = 11, r = 6

In [37]:
p = 11
field = GF(p, "a")

rounds = 6

mimc = MiMC(field=field, rounds=rounds)

print("")

plain = field.random_element()
key = field.random_element()
cipher = mimc.encryption(plain, key)
print("Plain:", plain)
print("Key:", key)
print("Cipher:", cipher)

polys = mimc.generate_polynomials(plain, cipher, info_level=0)
polys_h = [poly.homogenize() for poly in polys]
I = ideal(polys)
variables = polys[0].parent().gens()
fe = variables[-1]**field.order() - variables[-1]
fe_h = fe.homogenize()

print("")

for poly in polys:
    print(poly)

MiMC Parameters
Field: Finite Field of size 11
r: 6
Constants: [2, 6, 2, 1, 4, 10]

Plain: 0
Key: 4
Cipher: 6

y^3 - 5*y^2 - x_1 + y - 3
x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 4*x_1^2 + 3*x_1*y - 4*y^2 - 2*x_1 - x_2 - 2*y - 4
x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 5*x_2^2 + x_2*y - 5*y^2 + x_2 - x_3 + y - 3
x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 3*x_3^2 - 5*x_3*y + 3*y^2 + 3*x_3 - x_4 + 3*y + 1
x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + x_4^2 + 2*x_4*y + y^2 + 4*x_4 - x_5 + 4*y - 2
x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 - 3*x_5^2 + 5*x_5*y - 3*y^2 + 3*x_5 + 4*y + 4


In [38]:
lazard_gb_algorithm(polys + [fe])

Ring: Multivariate Polynomial Ring in x_1, x_2, x_3, x_4, x_5, y over Finite Field of size 11
Input polynomials:
[y^3 - 5*y^2 - x_1 + y - 3, x_1^3 + 3*x_1^2*y + 3*x_1*y^2 + y^3 - 4*x_1^2 + 3*x_1*y - 4*y^2 - 2*x_1 - x_2 - 2*y - 4, x_2^3 + 3*x_2^2*y + 3*x_2*y^2 + y^3 - 5*x_2^2 + x_2*y - 5*y^2 + x_2 - x_3 + y - 3, x_3^3 + 3*x_3^2*y + 3*x_3*y^2 + y^3 + 3*x_3^2 - 5*x_3*y + 3*y^2 + 3*x_3 - x_4 + 3*y + 1, x_4^3 + 3*x_4^2*y + 3*x_4*y^2 + y^3 + x_4^2 + 2*x_4*y + y^2 + 4*x_4 - x_5 + 4*y - 2, x_5^3 + 3*x_5^2*y + 3*x_5*y^2 + y^3 - 3*x_5^2 + 5*x_5*y - 3*y^2 + 3*x_5 + 4*y + 4, y^11 - y]

--- Degree 0 ---
Computing all monomials up to degree: 0
Time needed: 0.0006015300750732422
Computing Macaulay matrix.
Time needed: 1.1920928955078125e-06
Performing Gaussian Elimination.
Time needed: 7.224082946777344e-05
Is Groebner Basis: False

--- Degree 1 ---
Computing all monomials up to degree: 1
Time needed: 0.001096487045288086
Computing Macaulay matrix.
Time needed: 1.430511474609375e-06
Performing Gaussi

[x_1 + 4, x_2 + 4, x_3 + 3, x_4 + 3, x_5 - 4, y - 4]

In [39]:
res = ideal(polys_h + [fe_h]).graded_free_resolution(algorithm="minimal")
res

S(0) <-- S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-3)⊕S(-11) <-- S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-6)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-14)⊕S(-23) <-- S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-9)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-17)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24)⊕S(-24) <-- S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-12)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-20)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25)⊕S(-25) <-- S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-15)⊕S(-26)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-23)⊕S(-26)⊕S(-26)⊕S(-26)⊕S

In [40]:
cm_regularity(res)

22