# Hades With Multivariate Key

In [1]:
load("Hades.sage")

In [2]:
field = GF(2**64 - 2**32 + 1)
n = 4
r_f = 4
r_p = 10

matrix_f = matrix(field,
                  [[5, 7, 1, 3],
                   [4, 6, 1, 1],
                   [1, 3, 5, 7],
                   [1, 1, 4, 6],
                  ])
key_schedule_matrix = matrix.circulant([2, 1, 1, 1])

hades = Hades(field=field, 
              n=n,
              r_f=r_f,
              r_p=r_p,
              matrix_f=matrix_f,
              key_schedule_matrix=key_schedule_matrix)

Hades Parameters
Field: Finite Field of size 18446744069414584321
n: 4
d: 7
r_f: 4
r_p: 10
Matrix full rounds:
[5 7 1 3]
[4 6 1 1]
[1 3 5 7]
[1 1 4 6]
Matrix partial rounds:
[5 7 1 3]
[4 6 1 1]
[1 3 5 7]
[1 1 4 6]
Key schedule matrix:
[2 1 1 1]
[1 2 1 1]
[1 1 2 1]
[1 1 1 2]
Admissible key schedule matrix: True
Constants: [(14796844732190873786, 16392007523787671341, 16671237019222515132, 7440745691306091792), (4373800869712738722, 4200824720582331540, 18355613749960245482, 3704830056838039329), (6871727373513743351, 412038095783743302, 5562714304496299144, 11810068984582571026), (2437502023187316416, 5225914610318782432, 11056031469519606507, 1705094538267129814), (2373749552868811031, 17388081132401735878, 18195937898295332785, 4283017170420660726), (12225654766617418963, 12149919537709591489, 5379123045989105267, 14858585193066854030), (1570903289000464665, 15936491151864152562, 5985721968754180113, 5466772737141520459), (5857595362640327770, 12379414474283352288, 1347249609039738243

In [3]:
plain = [hades.field.random_element() for i in range(0, hades.n)]
plain

[12223736133106663796,
 4714709538973682113,
 17387612074428670925,
 2657052540229220146]

In [4]:
key = [hades.field.random_element() for i in range(0, hades.n)]
key

[11497213742892931354,
 11966512607770448295,
 17270701513426747069,
 8108179437295978405]

In [5]:
cipher = hades.encrypt(plain, key)
cipher

(1083253326601272399, 7247554802290699663, 3346477361858652925, 1151287414143529098)

In [6]:
polys = hades.generate_polynomials(plain=plain, cipher=cipher)

print(70 * "-")

for i in range(0, 2 * hades.r_f + hades.r_p):
    for j in range(0, hades.n):
        print(polys[i * hades.n + j])
    print(70 * "-")

Plain: (12223736133106663796, 4714709538973682113, 17387612074428670925, 2657052540229220146)
Cipher: (1083253326601272399, 7247554802290699663, 3346477361858652925, 1151287414143529098)
Order: degrevlex
----------------------------------------------------------------------
5*y_1^7 + 7*y_2^7 + y_3^7 + 3*y_4^7 + 3555651062197793477*y_1^6 + 9659838576735411685*y_2^6 + 11032820104513190549*y_3^6 + 457871136569870103*y_4^6 + 18372641417770186200*y_1^5 + 2181543816348277033*y_2^5 + 541124936024603596*y_3^5 + 15181290767700647652*y_4^5 + 5537775830099914947*y_1^4 + 17267611841865896659*y_2^4 + 11024663770460912296*y_3^4 + 13017006532420105805*y_4^4 + 17911618082734375867*y_1^3 + 14589704824234473953*y_2^3 + 10288219701001719371*y_3^3 + 5473569179501573546*y_4^3 + 3551290034006587216*y_1^2 + 11347522761479141494*y_2^2 + 8077990121625329193*y_3^2 + 16850718089937093177*y_4^2 - x_1_1 + 9800776777851537398*y_1 + 4923088839092663666*y_2 + 17418282781096736134*y_3 + 193144320785976697*y_4 + 146877

The DRL Gröbner basis is constructed by inverting the matrix in every round.

In [7]:
polys = hades.transform_polynomials_erf(polys)

for i in range(0, 2 * hades.r_f + hades.r_p):
    for j in range(0, hades.n):
        print(polys[i * hades.n + j])
    print(70 * "-")

y_1^7 + 11779176654088309288*y_1^6 + 3674528283554037240*y_1^5 + 12175601607668733582*y_1^4 + 14650370058195625766*y_1^3 + 15467653262332984900*y_1^2 + 16140901060737761281*x_1_1 + 6917529026030469120*x_2_1 + 4611686017353646081*x_3_1 + 16140901060737761280*x_4_1 + 12105864593748328856*y_1 + 4611686017353646081*y_2 + 6917529026030469120*y_3 + 13835058052060938242*y_4 + 1930082123685601685
y_2^7 + 14556222703401190470*y_2^6 + 5582147422168206525*y_2^5 + 5102050844468640140*y_2^4 + 15260489310186770794*y_2^3 + 14797320444078866157*y_2^2 + 2305843008676823040*x_1_1 + 16140901060737761281*x_2_1 + 9223372034707292160*x_3_1 + 6917529026030469121*x_4_1 + 2679735270164800272*y_2 + 11529215043384115201*y_3 + 13835058052060938240*y_4 + 13904594923234894699
y_3^7 + 11032820104513190549*y_3^6 + 541124936024603596*y_3^5 + 11024663770460912296*y_3^4 + 10288219701001719371*y_3^3 + 8077990121625329193*y_3^2 + 4611686017353646081*x_1_1 + 16140901060737761280*x_2_1 + 16140901060737761281*x_3_1 + 6917529

Verification that the leading monomials are indeed pairwise coprime.

In [8]:
lms = [poly.lm() for poly in polys]
P = lms[0].parent()

pairwise_coprime = True
for pair in Combinations(lms, 2):
    if gcd(pair[0], pair[1]) != P(1):
        pairwise_coprime = False
        break

print("Pairwise coprime leading monomials:", pairwise_coprime)

Pairwise coprime leading monomials: True
