[Applied Algebra] 4 efficient baseline algorithms for solving Boolean Equations

Four efficient baseline algorithms for solving Boolean Equations

Solving Boolean Equations is one of the fundamental problems in theoretical computing; in fact, solving $\mathbb{F}_q$ on $for n$ variables $m$ nonlinear polynomial equations is a basic mathematical problem, which has attracted extensive attention from various theoretical computer research directions including the cryptography community; as we all know, computer vision and natural language processing in the field of AI have many specific tasks (such as human Face recognition, semantic segmentation) baselines (that is, baseline models/algorithms that provide reference comparisons), then natural research to solve Boolean equations also has corresponding baselines. Today we will introduce the best 4 efficient baseline algorithms currently.

insert image description here

Boolean PoSSo (polynomial system solving) Problem: Given a set of Boolean polynomials $\mathcal{F}$ :

$\{f_{1}, f_{2}, \ldots, f_{m}\} \subseteq \mathcal{R}_{2}$

The goal is to find the solution $(x_{1}, \ldots, x_{n}) \in \mathbb{F}_{2}^{n}$ 对于 $\forall f_{i} \in \mathcal{F}$ , 满足 $f_{i}(x_{1}, \ldots, x_{n})=0$ . Of which:

$\mathcal{R}_{2}=\mathbb{F}_{2}[x_{1}, \ldots, x_{n}] / \langle x_{1}^{2}+x_{1}, x_{2}^{2}+x_{2}, \cdots, x_{n}^{2}+x_{n}\rangle$

It limits the value of each variable is also $\mathbb{F}_{2}$ superior;

Algorithm classification

The problem of solving Boolean equations is related to many other NP-hard problems in computer science (such as SAT problems, MILP integer programming problems, etc.); therefore, the solution ideas are roughly divided into three types: search solution, algebraic method solution, and problem transformation solution. The basic idea, according to this division, this article will introduce the following four baseline algorithms:

BCS algorithm (Boolean Characteristic Set Algorithm)[1]: A solution algorithm based on the classic algebraic elimination method Wu elimination method ;
Groebner basis algorithm [2]: the solution algorithm based on the polynomial ideal construction algorithm Groebner Basis (implemented based on the Polybori library of SAGE V9.2);
FESLib library (Fast Exhaustive Search Algorithm)[3]: A solution algorithm based on divide and conquer + solution space search (complexity is exponential level $\mathcal{O}(d \cdot 2^n)$ );
Boolean Equations to SAT Algorithm (Boolean Equations to SAT Algorithm)[4]: An algorithm that converts the problem of Boolean equations into an equivalent SAT problem and then solves it using a SAT solver (based on Cryptominisat);

In this article, we mainly focus on implementation (all codes are compiled and implemented under Linux), and the theoretical part can be found in references (if necessary, I will write another blog to introduce the technical details of these four works);

BCS算法(Boolean Characteristic Set Algorithm)

Although the BCS algorithm [1] is based on the calculation of feature columns based on Wu's elimination method, it cleverly uses the addition characteristics of Boolean polynomials and overcomes the problem of polynomial expansion in the original method:

In $\mathcal{R}_{2}$ Do quasi-division Pesudo-division: use polynomial $P_{1}=I_{1} x_{C}+R_{1}$ Elimination element $P_{2}=I_{2} x_{c}+R_{2}$ in x_{C} $x_{C}$ . calculate:

$I_{1}(I_{2} x_{C}+R_{2})+I_{2}(I_{1} x_{c}+R_{1})=I_{1} R_{2}+I_{2} R_{1}$

Among them, $I_{1},I_{2},R_{1},R_{2}$ Both are polynomials, so such operations will lead to rapid expansion of polynomial order and number of terms (such expansion will occur every time elimination);

The method of preventing polynomial expansion of elimination in this paper mainly relies on the following two points:

Zero-point decomposition, working division:
$\operatorname{V}(\mathcal{ F}, I x_{c}+U)=\operatorname{V}(\mathcal{F}, x_{c}+U, I+1) \cup \operatorname{V}(\mathcal{F},U , I)$
$\mathbb{F}_{2}$ Overadditive vanishing: $x_{c}+U_{1})+(x_{c}+U_{2})=U_{ 1}+U_{2}$ .

For a more specific algorithm, please refer to the original text, and the code implementation is given below (source code: https://github.com/hzy-cas/BCS); the algorithm implementation depends on the CUDD package, which mainly implements binary decisions representing Boolean functions The graph data structure BDD (Binary Decision Diagram) and its corresponding algorithm will be faster when selecting the initial formula; the compilation of the CUDD package (using cudd-2.4.2):

The first is to modify the XCFLAGS in the Makefile (corresponding to the gcc version of the host):

XCFLAGS	= -mtune=native -DHAVE_IEEE_754 -DBSD -DSIZEOF_VOID_P=8 -DSIZEOF_LONG=8

Then there is make, I don't have make install, and the subsequent dependency compilation is manual path; the following is the Makefile for compiling the code of the BCS algorithm (the compiled cudd is placed in "/download/my_install/cudd-2.4.2"):

CFILES = main.cpp
INSTALL_DIR = /download/my_install/cudd-2.4.2
INCLUDING_PATH = /download/my_install/cudd-2.4.2/include
OBJFILES = main.o binary.o IO.o zddrcs.o zddrp.o zddrps.o zddrpss.o
CFLAGS = -pg
CFLAGS = -g -I$(INCLUDING_PATH) -L$(INSTALL_DIR)/cudd -L$(INSTALL_DIR)/epd -L$(INSTALL_DIR)/mtr -L$(INSTALL_DIR)/st -L$(INSTALL_DIR)/util
CC = g++
LIBS = -lcudd -lmtr -lst -lutil -lepd
DDDEBUG = -DDD_STATS

wu_char: main.o binary.o IO.o zddrcs.o zddrp.o zddrps.o zddrpss.o 
	$(CC) -o wu_char $(CFLAGS) $(OBJFILES) $(LIBS)

binary.o: binary.cpp 
	$(CC) -c $(CFLAGS) binary.cpp

IO.o: IO.cpp 
	$(CC) -c $(CFLAGS) IO.cpp

zddrcs.o: zddrcs.cpp 
	$(CC) -c $(CFLAGS) zddrcs.cpp

zddrp.o: zddrp.cpp 
	$(CC) -c $(CFLAGS) zddrp.cpp

zddrps.o: zddrps.cpp 
	$(CC) -c $(CFLAGS) zddrps.cpp

zddrpss.o: zddrpss.cpp 
	$(CC) -c $(CFLAGS) zddrpss.cpp

main.o: main.cpp 
	$(CC) -c $(CFLAGS) main.cpp

clean: 
	\rm -f $(OBJFILES)

Use the BCS algorithm to solve a variable number $n = 16$ quadratic Boolean equations:

[hanss@Mint]$ ./wu_char
--------------BCS algorithm by Zhenyu Huang, Version 1.2----------------
Please choose the RUNNING MODE:
0 for PoSSo mode(obtian all solutions );
1 for SAT mode (obtain one monic triangular set);
2 for Counting mode (Counting zero number);
0
-----------------Solving Mode: Obtain all solutions-------------------
Please input the name of the file containing the input polynomial system:
n16m32.poly
... ...
x1+1,x2+1,x3,x4+1,x5,x6+1,x7,x8,x9+1,x10+1,x11,x12+1,x13,x14,x15,x16

Where "x1+1" means $x_1 = 1$ , "x3" stands for $x_3 = 0$ , and so on;

Groebner basis algorithm (PolyBori in SageMath V9.2)

Definition (Groebner basis): polynomial group $\mathbb{G} \subset \mathcal{K}[x_1...x_n]$ is called the Groebner basis, if the normal form $\operatorname{nform}(G, \mathbb{G})$ for all $\in \mathcal{K}[x_1...x_n]$ are unique. Say $\mathbb{G}$ is the polynomial group $\mathbb{P} \subset \mathcal{K}[x_1...x_n]$ or the ideal $\langle\mathbb{P}\rangle$ , if $\mathbb{G}$ is a Groebner basis, and $\langle\mathbb{P}\rangle=\langle\mathbb{G}\rangle$ .

Every ideal has a Groebner basis consisting of finitely many polynomials. This is guaranteed by the following Hilbert basis theorem (every polynomial ideal $\mathcal{J} \subseteq \ mathcal{K}[x_1...x_n]$ are finitely generated). We will see later that an ideal reduced Groebner basis (a Groebner basis with certain conditions attached) is unique in a certain sense. Therefore, when referring to an ideal Groebner basis, usually , it is always considered to be finite. And Groebner is basically an ideal with good properties (good for reduction/elimination/ideal membership determination);

Using the Groebner base algorithm to solve polynomial equations is essentially seeking the elimination ideal of the original polynomial equations; the elimination ideal $I_{l}$ defined as:

$I_{l}=\langle f_{1}, \ldots, f_{s}\rangle \cap k[x_{l+1}, \ldots, x_{n}]$

It means $x_1...x_l$ has been eliminated from the system of polynomial equations, the equations are solved when the process proceeds to a single variable;

Based on the realization of PolyBori of SageMath V9.2, the number of solving variables $n = 16$ quadratic Boolean equations (full code):

from sage.sat.converters.polybori import CNFEncoder
from sage.sat.solvers.dimacs import DIMACS

BOOLEAN_RING.<p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28,p29,p30,p31,p32,p33,p34,p35,p36,p37,p38,p39,p40> = BooleanPolynomialRing()
ITEMS_BOOLEAN = [p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28,p29,p30,p31,p32,p33,p34,p35,p36,p37,p38,p39,p40];

EQUATIONS_MQ = mq_coeff_2_poly(SAVED_PATH + "/mq_eqs_"+str(1)+".coeff",ITEMS_MQ + [1]);

IDEAL_MAIN = ideal(EQUATIONS_MQ);
GB_MAIN = IDEAL_MAIN.groebner_basis();
print_equations(GB_MAIN);

The solution result and meaning are the same as the BCS algorithm:

GB_MAIN = [p1 + 1,p2,p3 + 1,p4,p5 + 1,p6,p7 + 1,p8,p9 + 1,p10 + 1,p11 + 1,p12,p13 + 1,p14,p15,p16];

To SAT Algorithm (Boolean Equations to SAT Algorithm)

Solve $\mathbb{F}_2$ The last quadratic multivariate equation (MQ problem) is NP-hard. Another NP-hard problem is the logical expression satisfiability problem (SAT problem). Because all NP-complete problems are polynomially reducible, Therefore, the solution of the MQ problem can be found by using an effective solution tool for the SAT problem (such as a SAT solver).

Example (conversion of Boolean equation and propositional logic expression) : Boolean equation $\oplus b \oplus c = 0$ can be translated into the following equivalent set of propositional logic conjunction normal form expressions are all true:

$\begin{array}{lll}a \vee \bar{b} \vee \bar{c} & (1) & \bar{a} \vee \bar{b} \vee c & (2)\\ a \vee b \vee c & (3) & \bar{a} \vee b \vee \bar{c} & (4 )\end{array}$

For example $a =$ true and $b =$ true, which leads to the fact that to make clause (2) true, $c =$ true to be satisfied. Similarly, if $a =$ false, $b =$ true and $c =$ true, the original Boolean equation is satisfied but the clause (1) produces conflict and is false.

Therefore, transforming Boolean equations (Algebraic Normal Form (ANF)) into propositional logic conjunctive normal form (CNF) and then solving them with a SAT solver is a conversion solution; the implementation is as follows (complete code ) :

from sage.sat.converters.polybori import CNFEncoder
from sage.sat.solvers.dimacs import DIMACS

# --- 变元声明 ---
BOOLEAN_RING.<p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28,p29,p30,p31,p32,p33,p34,p35,p36,p37,p38,p39,p40> = BooleanPolynomialRing()
ITEMS_BOOLEAN = [p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28,p29,p30,p31,p32,p33,p34,p35,p36,p37,p38,p39,p40];

# --- 读取布尔方程组 ---
EQUATIONS_MQ = mq_coeff_2_poly(SAVED_PATH + "/mq_eqs_"+str(1)+".coeff",ITEMS_MQ + [1]);

# --- ANF转换为CNF表达式并存储为.cnf文件 ---
TMP_FILE   = tmp_filename();
SAT_SOLVER = DIMACS(filename=TMP_FILE);
ANF2CNF_ENC = CNFEncoder(SAT_SOLVER, BOOLEAN_RING);
for POLYNOMIAL in EQUATIONS_MQ:
    ANF2CNF_ENC.clauses_dense(POLYNOMIAL);
WRITED_FILE = SAT_SOLVER.write();
WRITED_FILE = open("baseline_cryptominisat.cnf",'w');
print(open(TMP_FILE).read(),flush=True,file=WRITED_FILE);

# --- 调用 cryptominisat 求解 ---
os.system('cryptominisat5 --verb 0 baseline_cryptominisat.cnf');

Solve a problem $n = 8$ toy-level Boolean equations, in the process of converting to SAT, due to the need to cut polynomials, some new variables will be added with polynomial-level complexity. In the solution results, for example, "44" represents x 44 = 1 x_ $x_{44} = 1$ , "-41" means $x_{41}=0$ , and so on:

[hanss@Mint]$ /App/SageMath/SageMath/sage baseline_cryptominisat.sage
s SATISFIABLE
v 1 -2 3 4 5 -6 7 -8 -9 -10 -11 -12 -13 -14 -15 -16 -17 -18 -19 -20 -21 -22 -23 
v -24 -25 -26 -27 -28 -29 -30 -31 -32 -33 -34 -35 -36 -37 -38 -39 -40 -41 42 43 
v 44 45 -46 -47 -48 -49 -50 51 52 -53 54 55 56 -57 -58 59 -60 -61 -62 -63 64 
v -65 66 -67 68 -69 -70 -71 -72 -73 -74 -75 76 77 -78 -79 -80 81 82 -83 -84 -85 
v -86 -87 -88 -89 90 -91 -92 93 94 95 -96 97 98 -99 100 101 102 -103 104 -105 
v 106 -107 108 109 110 111 -112 113 114 -115 -116 -117 118 119 -120 -121 -122 
v 123 124 125 -126 127 -128 129 130 131 132 -133 -134 135 -136 -137 -138 -139 
v 140 141 -142 143 144 145 -146 147 148 149 -150 -151 152 153 0
[Finished in 4.0s]

FESLib library based on solution space search (Fast Exhaustive Search Algorithm)

This work first defines $\mathbb{F}_{2}$ The concept of derivation on (this can effectively reduce the number of bit operations and speed up the search during the solution iteration process):

Definition (Derivatives on $\mathbb{F}_{2}$ ) : Let $\mathbb{F}_{2}$ The above corresponds to the $The derivative of i$ variables $\frac{\partial f}{\partial i}$ for $\mathbf{x} \mapsto f(\mathbf{x}+e_{i})+f(\mathbf{x})$ . Then for any solution vector $\mathbf{x}$ , have:

$f(\mathbf{x}+e_{i})=f(\mathbf{x})+\frac{\partial f}{\partial i}(\mathbf{x})$

Among them $e_{i}$ ii $The solution vector (one-hot vector) whose i$ bit is 1; then the initialization operation INIT() and the iterative operation NEXT() of the solution space search can be formalized as:

insert image description here
The compilation of FESlib is slightly tortuous. I rewrote its CMakeLists.txt file to generate the Makefile file:

cmake_minimum_required(VERSION 3.10)

project(feslite VERSION 1.0 
	LANGUAGES C ASM)

include(CTest)

if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
  message(STATUS "Setting build type to 'Debug' as none was specified.")
  set(CMAKE_BUILD_TYPE "Debug" CACHE STRING "Choose the type of build." FORCE)
endif()

add_compile_options(-Wall -Werror -O3 -Wno-unused-function)

set(CMAKE_C_STANDARD 99)
set(CMAKE_C_STANDARD_REQUIRED True)

find_package(OpenMP)

if (DEFINED ENV{NO_SSE})
    message(STATUS "As per $NO_SSE, disabling all simd intrinsics")
else()
    include("config/sse2.cmake")
    include("config/avx2.cmake")
    include("config/avx512.cmake")
endif()
if (DEFINED ENV{NO_NEON})
    message(STATUS "As per $NO_NEON, disabling all ARM NEON intrinsics")
else()
    include("config/neon.cmake")
endif()

configure_file(src/feslite-config.h.in src/feslite-config.h)

add_subdirectory(src)
add_subdirectory(benchmark)

if(BUILD_TESTING)
  add_subdirectory(test)
endif()

During the make process, an error was reported for the file containing the command "#pragma GCC unroll 64" in the source code. This is a command to speed up the cycle. It may be related to the host system, so it can only be canceled:

[hanss@Mint]$ sed "s/#pragma GCC unroll 64/\/\/#pragma GCC unroll 64/g" -i ./src/*.c

Then make it again, let's focus on how to use it to solve a variable number $n = 36$ Boolean equations (I have commented on the key parts, see thecomplete code):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "feslite.h"
#include "cycleclock.h"

int main()
{
    
    
    int n = 32; // num of variables;
    int k = 32; // num of quadratic boolean equations;
    int m = 16;

    /* Reading Numbers from File */
    u32 Fq[496]; // Quadratic terms num = C(2,32); Think about why not 496*m?? The fact is that any two systems in m systems have the same quadratic terms(which can be veritified by computing examples);
    u32 Fl[33 * m]; // Linear terms num = num of variables + 1;
    // === Reading The Equations from file fq_and_fl_array.dat ===
    FILE *FILE_IO_COUNT,*FILE_IO_READ;char TMP_CHAR;char NUM_CHAR[20];char READ_CHAR[20];int TMP_NUM;
    FILE_IO_COUNT = fopen("fq_and_fl_array.dat","r");FILE_IO_READ = fopen("fq_and_fl_array.dat","r");
    for (int INDEX_i = 0; INDEX_i < 496; ++INDEX_i)
    {
    
    
        int COUNT_BIT = 0;TMP_CHAR = fgetc(FILE_IO_COUNT);
        while(TMP_CHAR != ','){
    
    COUNT_BIT++;TMP_CHAR = fgetc(FILE_IO_COUNT);}
        fgets(NUM_CHAR, COUNT_BIT+1, FILE_IO_READ);
        fgets(READ_CHAR, 2, FILE_IO_READ);
        Fq[INDEX_i] = char2u32(NUM_CHAR);
    }
    for (int INDEX_i = 0; INDEX_i < 33*m; ++INDEX_i)
    {
    
    
        int COUNT_BIT = 0;TMP_CHAR = fgetc(FILE_IO_COUNT);
        while(TMP_CHAR != ','){
    
    COUNT_BIT++;TMP_CHAR = fgetc(FILE_IO_COUNT);}
        fgets(NUM_CHAR, COUNT_BIT+1, FILE_IO_READ);
        fgets(READ_CHAR, 2, FILE_IO_READ);
        Fl[INDEX_i] = char2u32(NUM_CHAR);
    }
    // === Reading End ===

    /* solve */
    u32 solutions[256 * m]; // Stored solutions;
    int size[m]; // Record how many solutions can be found of each system;
    uint64_t start = Now(); // Record the start time;
    feslite_solve(n, m, Fq, Fl, 256, solutions, size); // Solving m systems once;
    uint64_t stop = Now(); // Record the stop time;

    /* report */
    int kernel = feslite_default_kernel(); // Solver kernel;
    const char *name = feslite_kernel_name(kernel); // Which kernel used;
    printf("%s : %d lanes, %.2f cycles/candidate\n", 
        name, m, ((double) (stop - start)) / m / (1ll << n)); // Print time cost;
    for (int i = 0; i < m; i++)
    printf("Lane %d : %d solutions found\n", i, size[i]); // Print solving results;
    return EXIT_SUCCESS; // Ending;
}

Here I always have doubts when looking at the source code, this is not solving $\mathbb{F}_{2}$ For the above equations, why are the coefficient arrays Fq[] and Fl[] type unsigned 32-bit integer u32?? So I sent an email to ask the author, and the author replied:

Here is an explanation:
Fl[0] contains the constant term
Fl[i + 1] contains the coefficient of the linear monomial x_i (variables are x_0, …, x_{n-1}).
Fq[idxq(i,j)] contains the coefficient of the quadratic monomial x_i*x_j, with i < j. The function idxq() is defined in fes.h
Now, all these coefficients are indeed 0/1. The trick is that there are 32 equations, and that the code uses “bitslicing”. It uses a single array of 32-bit words to represent the 32 equations. The j-th bit of Fl[0] contains the constant term of the j-th equation ; the j-th bit of Fl[i+1] contains the coefficient of x_i in the j-th equation, etc.
So, the statement :
Fq[i] = lrand48() & ((1ll << k) - 1);
Initializes randomly the coefficient of a quadratic monomoial in k simultaneous equations.

Wonderful, that is to say, it has made a bit cut. A u32 integer actually represents all the coefficients of the same item under the determined item order in the entire equation system. Here I draw a picture to illustrate:

insert image description here
Now there is still a doubt, that is, the main solver function limits the upper limit of the equation variables that can be solved to $n = 32$ , what should we do if we need to solve a larger equation?

feslite_solve(n, m, Fq, Fl, 256, solutions, size);

Later, it was found that the paper used a simple divide and conquer strategy, such as solving $n = 36$ equations, traverse $x_{33},...,x_{36}$ , then the original equation can be branched into $m = 2^4$ 32 $n = 32$ scale equations, this is also the meaning of m in the interface function (see the complete code for branching and writing the sage code in the .dat file); then compile and run:

[hanss@Mint]$ gcc solver_n40.c -o exe -I/download/my_install/libfes-lite-10years/src -L/download/my_install/libfes-lite-10years/build/src -lfeslite
[hanss@Mint]$ ./exe
avx2_16x16 : 16 lanes, 0.06 cycles/candidate
Lane 0 : 0 solutions found
... ...
Lane 15 : 1 solutions found

references

[1] Zhenyu Huang, Yao Sun, Dongdai Lin, On the efficiency of Solving Boolean Polynomial Systems with the Characteristic Set Methods, Journal of Symbolic Computation, 2019.
[2] Michael Brickenstein and Alexander Dreyer, PolyBoRi: A framework for Gröbner-basis computations with Boolean polynomials, Journal of Symbolic Computation, 2009;
[3] Bouillaguet, Charles and Chen, Hsieh Chung and Cheng, Chen Mou and Chou, Tung and Yang, Bo Yin, Fast Exhaustive Search for Polynomial Systems in F2, Cryptographic Hardware and Embedded Systems, CHES 2010, 12th International Workshop, Santa Barbara, CA, USA, August 17-20, 2010.
[4] Soos M., Nohl K., Castelluccia C.: Extending SAT Solvers to Cryptographic Problems. In: Kullmann O.(eds) Theory and Applications of Satisfiability Testing - SAT 2009. SAT 2009. Lecture Notes in Computer Science, vol 5584. Springer, Berlin, Heidelberg, 2009.