Logical Polynomial Conversion (LPC)

In this section we let F2 be the field with two elements and f ∈ F2[x₁, . . . , x_n] a polynomial. Usually f will be a squarefree polynomial, i.e. all terms in the support of f will be squarefree, but this is not an essential hypothesis. Let X = {X₁, . . . , X_n} be a set of boolean variables (atomic formulas), and let bX be the set of all (propositional) logical formulas that can be constructed from them, i.e. all formulas involving the operations ¬, ∧, and ∨.

The conversion procedure as suggested in [18] consists of the following steps.

(1) Linearize the system by introducing a new indeterminate for each term in the support of one of the polynomials.

(2) Having written a polynomial as a sum of indeterminates, introduce new indeter-minates to cut it after a certain number of terms.

(3) Convert the reduced sums into their logical equivalents using a XOR-CNF con-version.

After applying step (1) of the conversion procedure, each polynomial is a sum of indeterminates, or equivalently a logical XOR. Long XOR’s are known to be hard problems for SAT solvers. In step (2) of the conversion procedure we introduced new indeterminates to cut a long XOR into smaller XOR’s having number of terms equal to some number ` which is called cutting number. The following definition describes the relation between the zeros of a polynomial and the evaluation of a logical formula.

Definition 5.4.1. Let f ∈ F2[x₁, . . . , x_n] be a polynomial. A logical representation of f is a logical formula F ∈ bX such that ϕ_a(F ) = f (a₁, . . . , a_n) + 1 for every a = (a₁, . . . , a_n) ∈ F2, where ϕ_a denotes the boolean value of F at the tuple of boolean values a with 1 = true and 0 = false.

This definition plays a very important role to convert the polynomial F to a set of propositional logic clauses. Actually, the boolean tuples at which F is satisfied correspond uniquely to zeros of f in Fⁿ2. The conversion proceeds by two steps. Firstly, the system of polynomials will be converted to a linear system and a set of CNF clauses that render each term (or a suitable combination of terms) equivalent to a variable in that linear system. Secondly, the linear system will be converted to an equivalent set

of clauses. For these two purposes the following two lemmas contain useful building blocks for conversion strategies.

Lemma 5.4.2. Let f ∈ F2[x₁, . . . , x_n] be a boolean polynomial, let F ∈ bX be a logical representation of f , let y be a further indeterminate, and let Y be a further boolean variable. Then the logical representation of the polynomial g = f +y is G = (¬F ⇔ Y ).

Proof. See [106], Lemma 2.

The preceding lemma provides a foundation for the conversion algorithm. The next lemma extends it in a useful way.

Lemma 5.4.3. Let f ∈ F2[x₁, . . . , x_n, y] be a boolean polynomial of the form f =

`<sub>1</sub>· · · `_s + y where 1 ≤ s ≤ n and `<sub>i</sub> ∈ {x<sub>i</sub>, x<sub>i</sub> + 1} for i = 1, . . . , s. Define logical formulas L<sub>i</sub> = X<sub>i</sub> if `_i = x_i and L_i = ¬X_i if `_i = x_i+ 1. Then the logical representation of f is

F = (¬Y ∨ L₁) ∧ · · · ∧ (¬Y ∨ L_s) ∧ (Y ∨ ¬L₁∨ · · · ∨ ¬L_s),

such that the logical formula F is in conjunctive normal form (CNF) and has s + 1 clauses.

Proof. See [106], Lemma 3.

Due to Lemmas 5.4.2 and 5.4.3, we can define three elementary strategies to perform the first step of the conversion algorithm i.e. for converting systems of polynomials over F2 into linear systems and a set of CNF clauses.

Definition 5.4.4. Let f ∈ F2[x₁, . . . , x_n] be a polynomial.

(a) Introduce a new indeterminate y and a new boolean variable Y , for each nonlinear term t in the support of f . Substitute y for t in f and append the clauses corresponding to t + y in Lemma 5.4.3 to the set of clauses. This is called the standard strategy (SS).

(b) Assume deg(f ) = 2. Introduce a new indeterminate y and a new boolean variable Y for each combination of the form x_ix_j+x_i(if exists) in the support of f . Replace x_ix_j + x_i in f by y and append the clauses corresponding to x_i(x_j + 1) + y in Lemma 5.4.3 to the set of clauses. This is called the linear partner strategy (LPS).

(c) Assume deg(f ) = 2. Introduce a new indeterminate y and a new boolean variable Y for each combination of the form x_ix_j + x_i+ x_j + 1 (if exists) in the support of f . Replace x_ix_j+ x_i+ x_j+ 1 in f by y and append the clauses corresponding to (x_i+ 1)(x_j + 1) + y in Lemma 5.4.3 to the set of clauses. This is called the double partner strategy (DPS).

Note that the standard strategy can be used to convert any system of polynomials over F2, whereas the linear partner strategy and the double partner strategy can be used if the polynomials are quadratic. If the combinations of terms required by the linear partner strategy and the double linear partner strategy do not appear in the support of polynomial f , the standard strategy is applied. The experimental results in [106] show that the linear partner and the double linear partner strategies provide substantial speed up of SAT solvers.

Remark 5.4.5. We have two more strategies for replacing purely quadratic and cubic terms as given in the following.

Quadratic Partner Substitution: Let f = x_ix_j + x_ix_k+ y ∈ F2[x₁, . . . , x_n, y] be a polynomial such that i, j, k are pairwise distinct. Then

F =(X_i∨ ¬Y ) ∧ (X_j ∨ X_k∨ ¬Y ) ∧ (¬X_j ∨ ¬X_k∨ ¬Y )∧

(¬X_i∨ ¬X_j ∨ X_k∨ Y ) ∧ (¬X_i∨ X_j∨ ¬X_k∨ Y ) is a logical representation of f .

Cubic Partner Substitution: Let f = x_ix_jx_k+ x_ix_jx_l+ y ∈ F2[x₁, . . . , x_n, y], where i, j, k, l are pairwise distinct. Then

F =(X_i∨ ¬Y ) ∧ (X_j∨ ¬Y ) ∧ (X_k∨ X_l∨ ¬Y ) ∧ (¬X_k∨ ¬X_l∨ ¬Y )∧

(¬X_i∨ ¬X_j ∨ ¬X_k∨ X_l∨ Y ) ∧ (¬X_i∨ ¬X_j∨ ¬X_k∨ ¬X_l∨ Y ) is a logical representation of f .

For proofs of the quadratic and cubic partner strategies we refer to [106], Propositions 6 and 8. It is straightforward to formulate a conversion strategy, called the quadratic partner strategy (QPS) (respectively cubic partner strategy (CPS)), for polynomials of degree two (respectively of degree three) based on this remark. For cubic terms, it is also possible to pair them if they have just one indeterminate in common. However, this strategy apparently does not result in useful speed-ups and is omitted.

Finally, we are ready to exploit the connection between propositional clauses and 0-1 inequalities to model the polynomial system over F2 (boolean polynomial system) as a MILP problem. This enables us to use the strategies above to model a MILP problem.

Lemma 5.4.6. Let C = {X₁ ∨ · · · ∨ X_r∨ ¬Y₁ ∨ · · · ∨ ¬Y_s | 1 ≤ r, s ≤ n} be a set of clauses. Then the set C is satisfiable if and only if the system of clausal inequalities I_c = {X₁+ · · · + X_r− Y₁− · · · − Y_s ≥ 1 − s | 1 ≤ r, s ≤ n} together with the bounds 0 ≤ X_i, Y_j ≤ 1 for all i, j ∈ {1, . . . , n}, has an integer solution.

Proof. Let c ∈ C be a clause. If c = X₁∨ · · · ∨ X_rthen by the definition of satisfiability at least one of the X_i is true. In other words at least one of the X_i is 1. This gives us the clausal inequality X₁ + · · · + X_r ≥ 1 together with the bounds 0 ≤ X_i ≤ 1.

If c = ¬Y₁ ∨ · · · ∨ ¬Y_s then by the definition of satisfiability at least one of the Y_j is false. In other words at least one of the 1 − Y_j is 1. This gives us the clausal inequality (1 − Y₁) + · · · + (1 − Y_s) ≥ 1 together with the bounds 0 ≤ Y_j ≤ 1. If c = X₁ ∨ · · · ∨ X_r ∨ ¬Y₁ ∨ · · · ∨ ¬Y_s then it follows from the first two cases that X₁+ · · · + X_r + (1 − Y₁) + · · · + (1 − Y_s) ≥ 1 is the corresponding clausal inequality together with the bounds 0 ≤ X_i, Y_j ≤ 1.

Therefore, the clause

c = X₁∨ · · · ∨ X_r∨ ¬Y₁∨ · · · ∨ ¬Y_s can be translated into a clausal inequality

X₁+ · · · + X_r+ (1 − Y₁) + · · · + (1 − Y_s) ≥ 1 or X₁+ · · · + X_r− Y₁− · · · − Y_s ≥ 1 − s

and the clause set C is satisfiable if and only if the corresponding system of clausal inequalities I_ctogether with the bounds 0 ≤ X_i, Y_j ≤ 1 has an integer solution. There-fore, reasoning in propositional logic can be seen as a special case of reasoning with linear inequalities in integer variables.

To end this section, we combine the choice of a substitution strategy with the other steps of the conversion algorithm and spell out the version which we implemented and used for the applications and timings.

Proposition 5.4.7. (Logical Polynomial Conversion (LPC))

Let f₁, . . . , f_m ∈ F2[x₁, . . . , x_n] be a system of polynomial which has at least one zero in Fⁿ2. Let ` ≥ 3 be the desired cutting number. Consider the following sequence of instructions.

1) Let G = ∅. Perform the following steps 2)−5) for i = 1, . . . , m.

2) Repeat the following step 3) until no polynomial g can be found anymore.

3) Find a subset of Supp(f_i) which defines a polynomial g of the type required by the chosen conversion strategy. Introduce a new indeterminate y_j, replace f_i by f_i− g + y_j, and append g + y_j to G.

4) Perform the following step 5) until #Supp(f_i) ≤ `. Then append f_i to G.

5) If #Supp(f_i) > ` then introduce a new indeterminate y<sub>j</sub>, let g be the sum of the first ` − 1 terms of f_i, replace f_i by f_i − g + y_j, and append g + y_j to G.

6) For each polynomial in G, compute a logical representation in CNF and form the set of all clauses C of all these logical representations.

7) For each clause c ∈ C form a clausal inequality I_c.

8) For all α ∈ {1, . . . , n}, let I_α : X_α ≤ 1 and for each j let I_j : Y_j ≤ 1.

9) Choose a linear polynomial L ∈ Q[Xi, Y_j] and use an IP solver to find the tuple of natural numbers (a_i, b_j) which solves the system of equations and inequalities {I_c, I_j, I_α} and minimizes C.

10) Return (a1, . . . , an) and stop.

This is an algorithm which computes a zero of the 0-dimensional radical ideal I = hf₁, . . . , f_m, x²₁+ x₁, . . . , x²_n+ x_ni.

Proof. It is clear that steps 2)−3) correspond to the linearization part (1) of the pro-cedure given in the introduction of this section, and that steps 4−5) are an explicit version of the cutting part (2) of that procedure. Moreover, step 6) is based on Lemma 5.4.2, Lemma 5.4.3, or Remark 5.4.5 for the polynomials g + yj from step 3), and on the standard XOR-CNF conversion for the linear polynomials from steps 4)−5). Finally, step 7) follows from Lemma 5.4.6. The claim follows easily from these observations.

Remark 5.4.8. Assume that we are in the setting of the algorithm in Proposition 5.4.7. A natural question could be to ask about the nature of the clausal inequalities in step 7). As claimed by Lemma 5.4.6, the variables Y_j are continuous in the interval [0, 1]. Since the initial variables are forced to be binary, the variables Y_j take on integer values automatically. The good news is the continuity of these variables because the difficulty of solving a mixed-integer program depends more on the number of integer variables than on the number of continues variables. Another nice property of these conversion strategies is the possibility to reduce the number of new variables. The standard strategies used in Sections 5.2 and 5.3 reduce the number of constraints but keep the number of newly introduced variables the same. Furthermore, if we look at the literature available on transferring 0-1 programs into 0-1 linear programs, reducing the number of newly introduced variables is a hot topic. We can also profit from these strategies there. In Section 5.4.2 we confirm our observations by experiments.

5.4.2 Experimental Results

Now we present our observations and results from experiments with the algorithm in Proposition 5.4.7. In steps 4)−5) of the algorithm we used cutting length 6. Note that cutting length may affect the running time of an IP solver. Actually, the timings seem to depend on the cutting number in a rather subtle and unpredictable way.

R1 R2

System SS LP DLP QPS SS LP DLP QPS

CTC(3,3) 49 30 26 49 29 22 17 29

CTC(3,4) 207 18 19 207 71 13 12 71

CTC(4,3) 216 36 59 216 135 47 30 135

CTC(4,4) 6421 2566 1623 6422 4920 1663 1172 4920 Table 5.18: GLPK time comparison using LPC

We choose the objective function as the sum over all the initial variables X1, . . . , Xn, maximization as optimization direction and model S-boxes using 7 equations out of 14.

Note that the inequalities Ic in step 7) of the algorithm hold if the new variables take on values in the interval [0, 1]. We try to see whether it is an advantage to have binary restrictions only for the initial variables instead of for all. Therefore, the variables Yj

can be restricted in the following two ways.

R1: Force the variables Y_j to take on binary values.

R1 R2

System SS LP DLP QPS SS LP DLP QPS

CTC(3,3) 4.7 2.4 1 4.7 3.7 3 1 3.7

CTC(3,4) 3.8 3.7 2.8 3.8 4.3 1 3 4.3

CTC(4,3) 6.4 3.5 3.8 6.2 13 3.6 3.7 13

CTC(4,4) 35 56 38 35 34 31 38 34

CTC(4,5) 121 85 74 121 62 85 74 62

CTC(5,4) 195 154 265 195 246 155 264 246 Table 5.19: CPLEX time comparison using LPC

R2: Keep the variables Y_j continuous in the interval [0, 1].

By looking at the Tables 5.18 and 5.19 we can see the SS and QPS conversions do not appear to provide improvements over the algorithms in Sections 5.2 and 5.3. But the LP and DLP conversions provide substantial improvements over the algorithms in Sections 5.2 and 5.3.