Deterministic Algorithms for Solving Boolean Polynomial Equations Based on Channel Coding Theory

Solving the satisﬁability problems of Boolean polynomial equations is still an open challenge in the ﬁelds of mathematics and computer science. In this paper, our goal is to propose a non-algebraic method for solving maximal Boolean polynomial equations (Max-PoSSo problem). By leveraging channel coding theory and dynamic programming, we propose three deterministic and robust algorithms for solving the satisﬁability problems of Boolean polynomial equations. Comparisons are made among the three proposed algorithms and Genetic and Gröbner algorithms. Simulation results show that the proposed algorithms exhibit better performance in terms of the largest number of Boolean polynomials equal to 0 compared to the benchmark schemes in the literature.


I. INTRODUCTION
Solving Boolean polynomial equations is one of the major elements for algebraic side-channel attacks, also known as side channel cryptanalysis, which was proposed by Kocher [1] in the late 1990s.It is an attack method based on information gained from the implementation of a computer system.The algebraic attack is to set the cryptographic information as a variable, then establish a set of polynomial equations by considering the relationship between the known information and the cryptographic information, and finally recover the cryptographic information through solving the set of polynomial equations.Algebraic side-channel attacks combine algebraic attacks with side-channel attacks [2].Algebraic side-channel attacks reduce the attack complexity via introducing side channel information, thereby improve The associate editor coordinating the review of this manuscript and approving it for publication was Ailong Wu .the attack efficiency.The challenge in algebraic side-channel attacks is that polynomial equations are difficult to solve.
Boolean polynomials were proposed by George Boer in his book The Mathematical Analysis of Logic, and further detailed in An Investigation of the Laws of Thought [3] in the nineteenth century.Solving (general) Boolean polynomial equations [4] is still one of the most difficult problems in the fields of mathematics and computer science [5], [6].Namely, a set of Boolean polynomials is selected to find variable assignments so that the values of these polynomials are all 0. The satisfiability problem of solving maximal Boolean polynomial equations (Max-PoSSo problem) is an extended problem of solving general Boolean polynomial equations [7].It falls into the category of NP-hard problems [8] and is widely used in cryptographic probabilistic algebraic attacks and side-channel algebraic attacks.In the process of establishing a polynomial equation set, noise makes certain mistakes in some terms of the set of polynomial equations (generally constant terms), resulting in partial non-zero polynomials [9].In order to restore the secret information, the attacker needs to find the largest number of Boolean polynomials equal to 0.
There are two main approaches for dealing with the Max-PoSSo problem in the literature.One is to traverse the variable and reduce the search branch as to find the optimal variable assignment.It mainly uses some algebraic transformations to transform the Max-PoSSo problem into new problems with already-existing solutions [10].Therefore, how to transform the Max-PoSSo problem into other equivalent problems to make the solution readily obtained is the key of the method.The other approach is fixing the value of each polynomial to solve the corresponding general Boolean polynomial equations.If one can find the polynomial that corresponds to the solution of the general polynomial equations and has the largest number of 0, the solution of the general polynomial equations is taken as the solution of the Max-PoSSo problem [11].To solve the general polynomial equations, effective algorithms include the method based on Gröbner basis [12], [13], the SAT method [8], random Muti-Bit flipping method [14], and the feature column method [15].However, how to effectively combine the algebraic solution algorithm with the search strategy to reduce the search branch and improve the efficiency of the single branch needs to be further studied.
In this paper, we propose new deterministic algorithms to solve the Max-PoSSo problem.The algorithms are different from the previous ones in the literature, which are nonalgebraic.By leveraging channel coding theory and dynamic programming, three deterministic and robust algorithms are proposed to solve the satisfiability problems of Boolean polynomial equations.By exploiting channel coding theory, the proposed algorithms are capable of making the initial solutions uniformly distributed over the entire space [16].Then, a better solution can be found by searching within a fixed radius.

II. PROBLEM DESCRIPTION
The satisfiability problem of maximal Boolean polynomial equations is an extended problem of general Boolean polynomial equation.The satisfiability problem of maximal Boolean polynomial equations is expressed in the sequel.Given the following m Boolean polynomial equations with n variables: the Max-PoSSo problem is to find a set of x 0 , x 1 , ..., x n−1 in GF(2) to make Boolean polynomial equations f 1 , f 2 , • • • , f m have the largest number of value 0 [17], where GF(2) is the Galois field of two elements, 0 or 1.

III. THE ALGORITHM BASED ON CHANNEL CODING THEORY IS DETERMINISTIC AND ROBUST
Forward error correction (FEC) coding is an important technique in communication.In 1948, Shannon demonstrated in the seminal paper that [18], errors induced by a noisy channel or the storage medium can be reduced to be arbitrarily small without sacrificing the information transmission rate or storage rate [19].
The fundamental principle of error-correcting codes [20] is that the sender encodes a message by adding redundant information.The redundancy allows the receiver to detect or correct a limited number of errors that may occur anywhere in the message, thus messages with errors can be recovered without requiring any retransmission.The message that is allowed to be sent is called a codeword, and the set of codewords forms an error correction code.If the received signal is not a legitimate codeword, it is certain that error(s) occurs in the transmission.It is still possible to recover the information from the error-prone message if the number of errors are within certain limit, which is determined by the minimum Hamming distance of the code [21].
Definition 1: A (n, k) linear block code has 2 k codewords forming a k-dimensional subspace of the vector space of all the n-tuples in GF (2).
The modulo-2 addition of any two codewords will be another codeword.Three algorithms based on error correction coding will be presented in the sequel for solving the Max-PoSSo problem.These algorithms are deterministic and robust.The core idea of these three algorithms is that the construction of the linear block code is progressively enhanced in terms of the largest number of Boolean polynomials equal to 0.
Algorithm 1 is described as follows: 1) Construct a k × n generator matrix (i.e., G) of a linear block code.
2) Obtain all the codewords C = {c 1 , • • • , c 2 k } according to the generator matrix, |C| = 2 k .In order to solve Boolean polynomial equations, a generator matrix needs to be constructed in a pre-specified manner.
3) Take one codeword obtained in Step 2 as an initial solution and compute the number of Boolean polynomials equal to 0. 4) Start from the initial solution and set the number of erroneous bits as r (i.e., search radius).Candidate solutions obtained from the initial solution has a Hamming distance less than or equal to r. Go through all the candidate solutions C(j, 1) = count(c j ); C is a matrix, collecting the number of polynomials being 0 5: end for 7: end for 8: m = max(C); m is a column vector containing the maximum value of each row 9: Max = max(m); 10: return Max

IV. EXPERIMENTAL RESULTS AND ANALYSIS
The concept of FEC coding is used to solve the Max-PoSSo problem in this experiment.
As an introductory example, the number of Boolean polynomial equations is set to be 8 and the number of variables is set to be 4.The Boolean polynomial equations are provided in (2).
Each row of matrix A is a binary representation of natural numbers from 0 to 7 while each row of matrix B is a binary representation of odd numbers from 0 to 7. Multiplying A with B offers an initial solution (in total 8 solutions).Then, based on each initial solution, we increase the search radius r until finding the candidate solution with the largest number of Boolean polynomials equal to 0. The experimental results are shown in Table 1, Table 2 and Table 3.Most search results with a radius of 1 in Table 1 cannot satisfy the condition that six polynomials in (2) are equal 0. When the search radius is increased to 2, the number of satisfying polynomials saturates.
Next, we extend Algorithm 1 to more complicated cases, where the number of Boolean polynomials m is set to 256 and the number of variables n in all the equations is set to 128.Table 4, and Table 5 show the results of this experiment.As shown in tables, each of the 256 initial solutions satisfies the largest number of Boolean polynomials equal to 0. In the tables, 1:181 means the largest number of Boolean polynomials equal to 0 is 181 for the first initial solution.
Table 4 shows the search results of Algorithm 1 with radius 2, and the number of Boolean polynomials that being 0 is between 173 and 200.Table 5 shows the search results of Algorithm 1 with radius 4, and the number of Boolean polynomials being 0 is between 189 and 223.Table 6 presents the statistics of the experimental results.Fig. 1    The number of Boolean polynomials in Table 4 is relatively small because the search radius is only 2. According to Table 6, it can be concluded that the largest value (i.e., the largest number of polynomials equal to 0) and expected value increase with the radius r.Meanwhile, the standard deviation is basically stable within a range when the radius changes.
In order to verify the algorithm is deterministic and robust, we further randomly generate initial solutions and provide the new results in Table 7, Table 8, Table 9, Fig. 2 and Fig. 3. 320 initial are randomly generated and the largest numbers of Boolean polynomials are calculated accordingly.Comparing to the results in Table 6, the randomly constructed initial solution results in almost the same largest value as long as the search radii are the same.In other words, Algorithm 1 converges regardless of the initial generator matrix in the first step.Therefore, Algorithm 1 is deterministic and robust to find the maximum value of Boolean polynomial equations.
When n goes large, our proposed scheme exhibits significant computational complexity gain compared to the existing benchmark scheme.
In order to verify the stability of the algorithm 1, we choose 8 out of 256 suboptimal solutions which have the largest number of Boolean polynomials equal to 0. Then, we construct a new generator matrix with the 8 suboptimal solutions as its rows and continue Step 2 until the largest number of Boolean polynomials equal to 0 is not increasing or the maximum number of iterations is 10.
Algorithm 2 is described as follows: 1) Construct a k × n generator matrix (i.e., G) of a linear block code.3) Take one codeword obtained in Step 2 as an initial solution and compute the number of Boolean polynomials equal to 0. 4) Start from the initial solution and set the number of erroneous bits as r (i.e., search radius).Candidate solutions  for j = 1 : 2 k do 3: ; C is a matrix, collecting the number of polynomials being 0 = max(C); m (i) is a column vector containing the maximum value of each row 10: = max(m (i) ); max (i) is the maximum value in m (i)   11: Choose k n-tuples corresponding to the k largest values in m (i) as rows of new generator matrix G (i+1) ; 12: max = max (i)  − Max; 13: Max = max (i) ; 14: end while 15: return Max and compute their corresponding numbers of Boolean polynomials equal to 0. Find the candidate solution with the largest number of Boolean polynomials equal to 0 and set it as a suboptimal solution associated with the codeword in Step 3.
5) Repeat Steps 3 and 4 until all the codewords are covered.Choose k out of 2 k suboptimal solutions which have the largest number of Boolean polynomials equal to 0. Construct a new generator matrix with the k suboptimal solutions as its rows and continue Step 2 until the largest number of Boolean polynomials equal to 0 is not increasing or the maximum number of iterations is reached.
6) Obtain the largest number of Boolean polynomials equal to 0 and set its corresponding n-tuples as the final solution.
The experimental results are shown in the Tables 10, 11, 12.The results of the first, fifth and tenth iterations show that the number of polynominals equal to 0 is stable.

V. COMPARISON WITH OTHER ALGORITHMS
In [22], solving the maximum Boolean polynomial equations is consistent with the problem studied in this paper.
Genetic algorithm is a computational method that simulates natural selection and biological evolution.The optimal solution is searched by simulating the natural evolutionary process.The initial individual is selected based on a fitness function while the optimal individual is obtained in the last generation after crossover and mutation operations [22].Because of the "premature phenomenon" of the Genetic algorithm, the local convergence rate is slow in the absence of effective heuristic information, and the final solution is  usually the local optimal rather than the global optimal.In order to overcome this problem, [22] made several fine tunings of parameters in their experiment, and the optimal solution has 182 Boolean polynomials equal to 0. The comparison between the proposed algorithms and genetic algorithm is shown in Table 13.Our proposed Algorithm 1 achieves better results of 223 Boolean polynomials equal to 0. Our proposed algorithm is able to find 200 Boolean equations equal to 0 when the search radius is 2, and the convergence speed is much faster than that of the genetic algorithm.In addition to the premature phenomenon of genetic algorithm, the randomness of genetic algorithm is also an important factor to affect the performance of the algorithm.When solving a large number of variables, it is difficult to find a good solution.
The complexity of the proposed Algorithm 1 is closely related to the search radius r, and k is only used to construct the generating matrix.In terms of a small search radius, our proposed Algorithm 1 is much more efficient than the algorithm in [22].Compared with the randomness of genetic algorithm, our proposed Algorithm 1 is more deterministic.
Comparison is also made with the Gröbner basis algorithm, taking the polynomial in equation (2) as an example.We enumerate all combinations of polynomials and then compute them using the Gröbner basis method.Gröbner basis is capable of obtaining up to five Boolean polynomials equal to 0. Our proposed algorithm can find six Boolean polynomials equal to 0. Regarding the complexity, our algorithm has complexity O(n r ), while Gröbner basis algorithm has complexity O(2 n ).It is clear that the complexity of the Gröbner basis algorithm is much higher than that of our proposed algorithm.The Gröbner algorithm can solve general Boolean polynomial equations.However, due to the high complexity of the algorithm, it is necessary to consider the computation efficiency when solving a large number of variable equations.Therefore, Gröbner algorithm is not suitable for solving maximal Boolean polynomial equations.

VI. EXTENSION ALGORITHM
In step 4) of Algorithm 2, some candidate solutions may be repetitively chosen.Therefore, a modified algorithm, denoted as Algorithm 3, will be introduced to address the aforementioned drawback.
We explain the potential for further improving the efficiency of solving the Max-PoSSo problem in the sequel.
= max(C); 10: Choose the k n-tuples corresponding to the k largest values in m (i) as rows of new generator matrix G (i+1) ; 12: i++; 13: max = max (i) − Max; 14: Max = max (i) ; 15: end while 16: return Max d ≤ r.In this case, the candidate solutions for c 1 and c 2 are overlapping with each other (overlapped area is filled with lines).In Algorithm 2, the candidate solutions for c 1 will be in the ball centered at c 1 with radius r.Similarly, the candidate solutions for c 2 will be in the ball centered at c 2 with radius r.Overlapped area is considered twice.Therefore, in Algorithm 3, only the candidate solutions in the gray area are considered for c 2 .The first three steps of Algorithm 3 are the same as Algorithm 2.
The remaining steps of Algorithm 3 are described as follows: 4) Start from the initial solution denoted c 1 , and set the number of erroneous bits as r (i.e., search radius).Candidate solutions obtained from the initial solution have a Hamming distance less than or equal to r. Compute the number of Boolean polynomials equal to 0 for all the candidate solutions.The candidate solution with largest number of Boolean equation equal to 0 is taken as a suboptimal solution associated with the corresponding codeword c 1 .

5)
In order to avoid repeated search for c 2 , choose u bits in the location set M and s bits in the location set N .Note that u and s must satisfy the condition r + u − d < s ≤ r − u and 0 < u ≤ d/2.The candidate solution with largest number of Boolean equation equal to 0 is taken as a suboptimal solution associated with the corresponding codeword c 2 .
6) Repeat steps 3), 4) and 5) until all the codewords are covered.Choose k out of 2 k suboptimal solutions which have the largest number of Boolean polynomials equal to 0. Construct a new generator matrix with the k suboptimal solutions as its rows and continue step 2) until the largest number of Boolean polynomials equal to 0 is not increasing or the largest number of iterations is reached.
7) Obtain the largest number of Boolean polynomials equal to 0 and set its corresponding n-tuples as the final solution.
The experiment in Section IV is repeated by using Algorithm 3. In order to evaluate the performance improvement of the algorithm, we consider the actual running time as a performance metric for comparison.It turns out that Algorithm 3 has the same performance as Algorithm 1 and Algorithm 2, while the running time of Algorithm 3 is 20% less than that of Algorithm 1 and Algorithm 2.

VII. CONCLUSION
In this paper, a non-algebraic method has been proposed to solve the maximal Boolean polynomial.Three deterministic and robust algorithms have been proposed to solve the problem of the satisfiability of Boolean polynomial equations based on coding theory.As the search radius r increases, the number of the Boolean polynomials equal to 0 increases.Algorithm 3 has the same performance as Algorithm 1 and Algorithm 2, while Algorithm 3 runs about 20% faster than Algorithm 1 and Algorithm 2. The number of Boolean polynomials equal to 0 obtained by the proposed algorithms has been significantly increased compared to the benchmark scheme in [21].Compared to the randomness of genetic algorithm, our proposed algorithms are more deterministic and robust.The complexity of the proposed algorithms is much less than Gröbner algorithm.In addition, the proposed algorithms are capable of solving non-deterministic hard problem in a more effective way.

Algorithm 1
compute their corresponding numbers of Boolean polynomials equal to 0. Find the candidate solution with the largest number of Boolean polynomials equal to 0 and set it as a suboptimal solution associated with the codeword in Step 3. In one round of search, until going through all variables within radius r the algorithm will stop.5) Obtain the largest number of Boolean polynomial equations equal to 0. Based on Coding Theory Require: k: Number of rows of the generated matrix; G: Generator matrix; r: Search radius; f 1 , f 2 , • • • , f m : Boolean polynomial equations; gen(c): Generate all the candidates which have Hamming distance less than or equal to r with c; count(•): Count the number of f 1 , f 2 , • • • , f m being 0; Ensure: Max: Maximum number of f 1 , f 2 , • • • , f m being 0; 1: for j = 1 : 2 k do 2: D j = gen(c j ); 3: performance of Algorithm 1 (the X-axis represents the initial point of search, and the Y-axis represents the largest number of Boolean polynomials equal to 0).

1 +Algorithm 2
obtained from the initial solution has a Hamming distance less than or equal to r. Go through all the candidate solutions D = {d 1 , d 2 , • • • } with |D| = n Iterative Algorithm Based on Coding Theory Require: k: Number of rows of the generated matrix; G (1) : Generator matrix; r: Search radius; f 1 , f 2 , • • • , f m ; Superscript (1) is the iteration index Iter max : Maximum number of iterations; max : Increase of the largest number of f 1 , f 2 , • • • , f m being 0, which is initialized as 0. gen(c): Generate all the candidates which have Hamming distance less than or equal to r with c; count(•): Count the number of f 1 , f 2 , • • • , f m being 0; Ensure: Max: Maximum number of f 1 , f 2 , • • • , f m being 0; 1: while i < Iter max and max > 1 do 2:

6 :
C(j, m+ 1) = count(d (i) j,m ); d (i)j,m denotes the m-th element in the set D
Let the Hamming distance between c 1 and c 2 is denoted by d.The location set of different bits between c 1 and c 2 is denoted by M, then |M| = d.The location set of the same bits between c 1 and c 2 is denoted by N , |N | = n − d.Fig. 4 shows the relationship between c 1 and c 2 with Algorithm 3 Enhanced Version of Algorithm 2 Require: k: Number of rows of the generated matrix; G (1) : Generator matrix; r: Search radius; f 1 , f 2 , • • • , f m ; Superscript (1) is the iteration index Iter max : Maximum number of iterations; max : Increase of the largest number of f 1 , f 2 , • • • , f m being 0, which is initialized as 0. gen(c j |c j−1 ): Generate all the candidates which have Hamming distance less than or equal to r with c j conditioned on c j−1 ; Aiming at removing the redundancy of candidate construction count(•): Count the number of f 1 , f 2 , • • • , f m being 0; Ensure: Max: Maximum number of f 1 , f 2 , • • • , f m being 0; 1: while i < Iter max and max > 1 do 2: for j = 1 : 2 k do

TABLE 1 .
The results of searching radius 1 in Algorithm 1.

TABLE 2 .
The results of searching radius 2 in Algorithm 1.

TABLE 3 .
The results of searching radius 3 in Algorithm 1.
shows the

TABLE 4 .
The results of searching radius 2 in Algorithm 1.
FIGURE 1. Experimental results with different search radii.

TABLE 5 .
The results of searching radius 4 in Algorithm 1.

TABLE 6 .
Experimental results with different search radius r .

TABLE 7 .
Random search results with radius 3.

TABLE 8 .
Random search results with radius 4.

TABLE 9 .
Results of the different search radius r with the same generator matrix.
FIGURE 3. Experimental results with search radius 4.

TABLE 10 .
The results of searching radius 3 in Algorithm 2 and the number of iterations is 1.

TABLE 11 .
The results of searching radius 3 in Algorithm 2 and the number of iterations is 5.

TABLE 12 .
The results of searching radius 3 in Algorithm 2 and the number of iterations is 10.

TABLE 13 .
Comparison with other algorithms.