Converting of Boolean Expression to Linear Equations, Inequalities and QUBO Penalties for Cryptanalysis

Abstract

There exists a wide range of constraint programming (CP) problems defined on Boolean functions depending on binary variables. One of the approaches to solving CP problems is using specific appropriate solvers, e.g., SAT solvers. An alternative is using the generic solvers for mixed-integer linear programming problems (MILP), but they require transforming expressions with Boolean functions to linear equations or inequalities. Here, we present two methods of such a transformation which applies to any Boolean function defined by explicit rules giving values of the Boolean function for all combinations of its Boolean variables. The first method represents the Boolean function as a linear equation in the original binary variables and, possibly, binary ancillaries, which become additional variables of the MILP problem being composed. The second method represents the Boolean function as a set of linear inequalities in the original binary variables and one additional continuous variable (representing the value of the function). The choice between the first or second method is a trade-off between the number of binary variables and number of linear constraints in the emerging MP problem. The advantage of the proposed approach is that both methods reduce important cryptanalysis problems, such as the preimaging of hash functions or breaking symmetric ciphers as the MILP problems, which are solved by the generic MILP solvers. Furthermore, the first method enables to reduce the binary linear equations to quadratic unconstrained binary optimization (QUBO), by the quantum annealer, e.g., D-Wave.

1. Introduction

There exists a wide range of constraint programming problems defined on Boolean functions of binary variables. One of the common approaches to solving CP problems is using specific appropriate solvers, e.g., SAT solvers. Note that regardless of the SAT-to-MILP relationships, the transformation of the Boolean expression to linear equations or inequalities is a challenge in computing science [1,2,3]. A rich lore of publications presents the variety of the systems of linear inequalities and linear equations equivalent to basic logical bi-variant functions; see

Table 1. Systems of linear inequalities and linear equations for basic Boolean functions.

	Formula	Systems of Linear Inequalities	Linear Equation
AND	$x\wedge y=z$	$\left\{z⩽x,z⩽y,z⩾x+y-1,z⩾0\right\}$	$x+y-2z-a=0$
OR	$x\vee y=z$	$\left\{x⩽z,y⩽z,z⩽x+y,z⩽1\right\}$	$x+y-2z+a=0$
XOR	$x\oplus y=z$	$\left\{z⩽x+y,z⩾x-y,z⩾y-x,z⩽2-x-y\right\}$	$x+y-z-2a=0$
NOR	$\overline{x\vee y}=z$	$\left\{x⩽1-z,y⩽1-z,1-z⩽x+y,-z⩽0\right\}$	$x+y+2z-a=1$
NAND	$\overline{x\wedge y}=z$	$\left\{1-z⩽x,1-z⩽y,-z⩾x+y-2,1-z⩾0\right\}$	$x+y+2z-a=2$

.

Returning to the SAT problems, one recalls that it targets checking the satisfiability of “a long” Boolean expression, presented in one of two special forms: either the conjunctive normal form (CNF) or the disjunctive normal form (DNF). If the Boolean function has the DNF or CNF representation, then the generation of the corresponding linear inequalities/equations can be done directly on the base of Table 1 because the DNF and CNF are compositions of the elementary bi-variant Boolean operations. This, however, requires a lot of auxiliary variables to be used for interim values of ∧ and ∨ operands. This approach applies to all Boolean functions, because any of them can be converted into DNF or CNF. Yet, the main disadvantageous of the “SAT-based” approach to getting the MILP representation is that it is based on the elementary DNF/CNF operands corresponding to a given Boolean function. The number of these operands can be much more than the number of the function’s variables. Thus, the number of the auxiliary variables denoted by z in Table 1 (fortunately, all these z-s may be assumed continuous; they will take 0–1-values “automatically”) and inequalities/equations may turn out to be very high, even for a function with a moderate number of variables. Moreover, the resulting system will have a lot of redundant secondary inequalities/equations following from the original ones.

2. Methods

Here, we describe two methods of transforming the cryptographic problem into the MILP or QUBO. We start our presentation with the approach introduced in Section 2.1. This approach is a novel method representing the Boolean function as one linear equation in terms of the original binary variables and, possibly, ancillary binary variables that become additional variables of the obtained MILP problem. The innovative feature of the approach is its increase in the number of binary variables of the ILP problems. Ordinarily, it is believed to even rise the computational complexity of the ILP problem, at least for the generic ILP solvers. However, the emerging quantum annealers (QA) have inspired an upsurge in the interest for constraints in the “equation form” because they may be directly converted to summands of the objective function of the QUBO problems, which suit the QA [4,5]. For a given Boolean function, this method is based on solving the special CP programming problems with the quadratic objective function. On the contrary, the second method formulated in Section 2.2 provides a uniform approach to generating an irreducible system of linear inequalities for any Boolean function.

In contrast to the past study [6], based on the Grover algorithm [7] allowing for quadratic improvement, where a pre-image attack on hash functions using gate-based approach on universal quantum computers was touched upon, we propose to solve the same problem using quantum annealing devices, which offers an advantage of the possibility of utilizing more qubits.

For a Boolean function depending on the big number of binary variables, both methods may become rather time consuming. The approach enabling the speeding up both methods in the case where a given Boolean function is a composite of the set of Boolean functions defined on a smaller number of variables is described in Section 2.4. Computing the complexity of building the system of linear equations and inequalities for Boolean functions is not a crucial obstacle for the approach. The point is that every cryptography algorithm is based on a fixed set of Boolean functions and building the linear inequalities for them should be done only once. In other words, for creating the system of equations or inequalities, we use numerical approaches for every considered algorithm.

Both proposed methods may be used for representing important cryptanalysis problems, such as the pre-imaging of hash functions or breaking symmetric ciphers, as the MILP problems, which are solved by the generic MILP solvers. For the case of the first method using emerging quantum solvers, more details will be given in Section 2.5. In Section 3, the first, “equation and binary ancillas”, method is demonstrated for the MD5 and SHA-265 hash functions. Moreover, we consider the symmetric block cipher AES in Section 3.4.

2.1. Transformation to One Equation with Binary Ancillaries

Let us consider Boolean function $f\left(\overrightarrow{x}\right)=y$, where $\overrightarrow{x}\in {\{0,1\}}^{N_x}$ and denote $\overrightarrow{z}=(\overrightarrow{x},y)\in {\{0,1\}}^{N_x+1}$. Our goal is to find the linear equation with binary ancilla (let $N_a$ be the number of ancillas) and continuous coefficients:

$$\begin{array}{c}\hfill {\overrightarrow{c_z}}^T\overrightarrow{z}+{\overrightarrow{c_a}}^T\overrightarrow{a}=b,\end{array}$$

(1)

such that it satisfies two conditions:

$$\begin{array}{c}\hfill \left\{\begin{array}{c}\forall \overrightarrow{z}\in \mathrm{F}\exists \overrightarrow{a}\in {\{0,1\}}^{N_a}:{\overrightarrow{c_z}}^T\overrightarrow{z}+{\overrightarrow{c_a}}^T\overrightarrow{a}=b\hfill \\ \forall \overrightarrow{z}\notin F\forall \overrightarrow{a}\in {\{0,1\}}^{N_a}:{\overrightarrow{c_z}}^T\overrightarrow{z}+{\overrightarrow{c_a}}^T\overrightarrow{a}\ne b\hfill \end{array}\right.,\end{array}$$

(2)

where F is the feasible region ($f\left(x\right)=y$). The converting is committed using a constraint programming (CP) solver (e.g., CPLEX). The aim of the CP solver is to find $\overrightarrow{c_z},\overrightarrow{c_a},b$ coefficients; after obtaining them, we can easily build Equation (1). For the running solver, we have to reduce the problem from Equation (2) into a CP problem. For this purpose, we consider each constraint separately. In the beginning, imagine the simplest CP problem, which has no objective function or constraints. In the first property, each feasible pair $(\overrightarrow{x},y)$ adds the new constraint with a new ancilla:

$${\overrightarrow{c_z}}^T\overrightarrow{z}+{\overrightarrow{c_a}}^T\overrightarrow{a_z}=b.$$

(3)

In the second property, for each pair $(\overrightarrow{x},y)$ from unfeasible configurations, we add new $2^{N_a}$ constraints:

$$\forall \overrightarrow{a_v}\in {\{0,1\}}^{N_a}:{\overrightarrow{c_z}}^T\overrightarrow{z}+{\overrightarrow{c_a}}^T\overrightarrow{a_v}\ne b.$$

(4)

Eventually, we have $\left|F\right|+2^{N_a}\left|F^{*}\right|$ constraints $\left(\left|F\right|,\left|F^{*}\right|\right.$—number of feasible and unfeasible configurations) and $N_x+N_a+1+\left|F\right|·N_a$ variables. This “homogeneous” CP has many solutions (multiplying all the coefficients by the same number also gives a solution). We prefer integer coefficients with a small absolute value; therefore, let $\overrightarrow{c_z},\overrightarrow{c_a},b$ be integers with a range of $-100$–100 (as we will see later, it is enough for finding coefficients). For obtaining the small absolute value from the CP solver, we add into the objective function in the minimization problem the following term:

$$g+={\overrightarrow{c_z}}^2.$$

(5)

In addition, we would like obtain a positive value for the first element in $\overrightarrow{c_z}\left[0\right]$, so we add a new term as follows:

$$g-=\overrightarrow{c_z}\left[0\right].$$

(6)

Moreover, we expand the cost function with a large fine ($\lambda \gg 1$) for ancilla coefficients:

$$g+=\lambda ·{\overrightarrow{c_a}}^2.$$

(7)

This term is added because linear Equation (1) with the minimum number of ancillaries is much more preferable. Finally, we can write the full CP problem (with bi-linear equation constraints in $\overrightarrow{c_a},\overrightarrow{a_z}$) for finding the linear equation:

$$\begin{array}{cc}\hfill & {\overrightarrow{c_z}}^2-\overrightarrow{c_z}\left[0\right]+\lambda ·{\overrightarrow{c_a}}^2\to \underset{\overrightarrow{c_z},\overrightarrow{a_z}}{min}\hfill \\ \hfill & \mathrm{subject}\mathrm{to}\hfill \\ \hfill & {\overrightarrow{c_z}}^T\overrightarrow{z}+{\overrightarrow{c_a}}^T\overrightarrow{a_z}=b\left(\right|F\left|\mathrm{constraints}\right),\hfill \\ \hfill & {\overrightarrow{c_z}}^T\overrightarrow{z}+{\overrightarrow{c_a}}^T\overrightarrow{a_v}\ne b(2^{N_a}|F^{*}\left|\mathrm{constraints}\right),\hfill \end{array}$$

(8)

where $\overrightarrow{a_v}$ are the fixed values of variables $\overrightarrow{a_z}$. Problem (8) is the mixed-integer CP and CPLEX CP optimizer can handle this problem. However, the problem with the chosen number of ancillary variables may be infeasible. In this case, we add one more ancilla and try to solve the updated problem again. If the new problem is also infeasible, we add one more ancilla and so on. We continue to increase the number of ancillary variables until a feasible solution is found.

Consider, for example, AND gate ($y=x_1\mathrm{AND}{x}_2$) for which we will find the corresponding linear equation. It has the following truth table:

$$\begin{array}{|cccc|}\hline {\mathrm{x}}_1\hfill & {\mathrm{x}}_2\hfill & \mathrm{y}\hfill & \\ 0\hfill & 0\hfill & 0\hfill & \mathrm{feasible}\hfill \\ 0\hfill & 1\hfill & 0\hfill & \mathrm{feasible}\hfill \\ 1\hfill & 0\hfill & 0\hfill & \mathrm{feasible}\hfill \\ 1\hfill & 1\hfill & 1\hfill & \mathrm{feasible}\hfill \\ 0\hfill & 0\hfill & 1\hfill & \mathrm{infeasible}\hfill \\ 0\hfill & 1\hfill & 1\hfill & \mathrm{infeasible}\hfill \\ 1\hfill & 0\hfill & 1\hfill & \mathrm{infeasible}\hfill \\ 1\hfill & 1\hfill & 0\hfill & \mathrm{infeasible}\hfill \\ \hline\end{array}$$

(9)

All feasible combinations generate four constraints, whereas infeasible configurations add eight inequalities. In total, the CP problem is as follows:

$$\begin{array}{cc}\hfill & min\left({c_{x_1}}^2+{c_{x_2}}^2+{c_y}^2-c_{x_1}+\lambda ·{c_a}^2\right)\hfill \\ \hfill & \mathrm{such}\mathrm{that}\hfill \\ \hfill & \begin{array}{c}{c}_{x_1}·0+c_{x_2}·0+c_y·0+c_a{a}_0=b\hfill \\ c_{x_1}·0+c_{x_2}·1+c_y·0+c_a{a}_1=b\hfill \\ c_{x_1}·1+c_{x_2}·0+c_y·0+c_a{a}_2=b\hfill \\ c_{x_1}·1+c_{x_2}·1+c_y·1+c_a{a}_3=b\hfill \end{array}\}\mathrm{Feasible}\mathrm{part}\hfill \\ \hfill & \begin{array}{c}{c}_{x_1}·0+c_{x_2}·0+c_y·1+c_a·0\ne b\hfill \\ c_{x_1}·0+c_{x_2}·0+c_y·1+c_a·1\ne b\hfill \\ c_{x_1}·0+c_{x_2}·1+c_y·1+c_a·0\ne b\hfill \\ c_{x_1}·0+c_{x_2}·1+c_y·1+c_a·1\ne b\hfill \\ c_{x_1}·1+c_{x_2}·0+c_y·1+c_a·0\ne b\hfill \\ c_{x_1}·1+c_{x_2}·0+c_y·1+c_a·1\ne b\hfill \\ c_{x_1}·1+c_{x_2}·1+c_y·0+c_a·0\ne b\hfill \\ c_{x_1}·1+c_{x_2}·1+c_y·0+c_a·1\ne b\hfill \end{array}\}\mathrm{Infeasible}\mathrm{part}\hfill \end{array}$$

(10)

Each of the new variables, $a_0,a_1,a_2,a_3$, ensures that there exists at least one value of ancilla which satisfies the linear equation. After solving this CP problem, we obtain the following linear equation:

$$x_1+x_2-2y-a=0.$$

(11)

By this approach, we can get linear equations for basic bi-variant Boolean functions:

$$\begin{array}{c}\\ & \mathrm{Formula}& \mathrm{Linear}\mathrm{equation}\\ \mathrm{AND}& x\wedge y=z& x+y-2z-a=0\\ \mathrm{OR}& x\vee y=z& x+y-2z+a=0\\ \mathrm{XOR}& x\oplus y=z& x+y-z-2a=0\\ \mathrm{NOR}& \overline{x\vee y}=z& x+y+2z-a=1\\ \mathrm{NAND}& \overline{x\wedge y}=z& x+y+2z-a=2\\ \end{array}$$

(12)

2.2. Transformation to a System of Linear Inequalities

Let us take the Boolean function $f:{\mathbb{B}}^n\to \{0,1\}$ of n binary variables $\overrightarrow{x}=\left(x_1,x_2,\dots ,x_n\right)$. Here ${\mathbb{B}}^n\doteq \left\{\overrightarrow{x}:x_i\in \{0,1\}\right\}$, ${\mathbb{B}}^n\subset {\mathbb{R}}^n$ is a set of all $2^n$ vertices of an n-dimensional unit cube $U^n\doteq \left\{\overrightarrow{x}:0⩽x_i⩽1\right\}$, i.e., the set of all 0–1 arguments of n-variant Boolean function.

For a given Boolean function f, we consider (as in the previous section) the set F of $2^n$ vectors in ${\mathbb{R}}^{n+1}$ (a kind of graph of function f) and their convex hull:

$$\begin{array}{ccc}\hfill F& \doteq & \left\{\left(\overrightarrow{x},f\left(\overrightarrow{x}\right)\right):\overrightarrow{x}\in {\mathbb{B}}^n\right\},\hfill \\ \hfill \mathsf{U}\left[F\right]& \doteq & \mathsf{conv}\left(F\right).\hfill \end{array}$$

(13)

From the definitions, we have $F\subset {\mathbb{B}}^{n+1}$ and $\mathsf{U}\left[F\right]\subset U^{n+1}$.

Let us establish important properties of vectors from F and polyhedron $\mathsf{U}\left[F\right]$.

Theorem 1.

Let F and $\mathsf{U}\left[F\right]$ be defined by (13). Then, we have the following:

$\left(a\right)$

Every vector $(\overrightarrow{x},f\left(\overrightarrow{x}\right))\in F$ is an extreme point of convex hull $\mathsf{U}\left[F\right]$ (i.e., $(\overrightarrow{x},f\left(\overrightarrow{x}\right))$ is a vertex of polyhedron $\mathsf{U}\left[F\right]$);

$\left(b\right)$

If $(\overrightarrow{x},y)\in \mathsf{U}\left[F\right]$ and $\overrightarrow{x}\in {\mathbb{B}}^n$ then $y=f\left(\overrightarrow{x}\right)$.

Proof. 

Let us take any $({\overrightarrow{x}}_k,f\left({\overrightarrow{x}}_k\right))\in F$. If it is not an extreme point of $\mathsf{U}\left[F\right]$, then there exists a nontrivial convex combination (hereinafter ${\overrightarrow{x}}_q\in B^n(q=1:2^n)$)

$$({\overrightarrow{x}}_k,f\left({\overrightarrow{x}}_k\right))=\sum _{q=1:2^n}{\lambda }_q({\overrightarrow{x}}_q,f\left({\overrightarrow{x}}_q\right)),{\lambda }_q⩾0,{\lambda }_k=0,\sum _{q=1:2^n}{\lambda }_q=1.$$

(14)

However, (14) implies impossible equation

$${\overrightarrow{x}}_k=\sum _{q=1:2^n}{\lambda }_q{\overrightarrow{x}}_q,{\lambda }_q⩾0,{\lambda }_k=0,\sum _{q=1:2^n}{\lambda }_q=1,$$

because ${\overrightarrow{x}}_k\in B^n$ is a vertex of unit cube $U^n$ and cannot be represented as a convex combination of other vertices of $\mathsf{U}\left[F\right]$. So, item $\left(a\right)$ is proved.

The proof of item $\left(b\right)$ is quite similar. Let ${\overrightarrow{x}}_k\in {\mathbb{B}}^n$. If $({\overrightarrow{x}}_k,y)\in \mathsf{U}\left[F\right]$, then

$$({\overrightarrow{x}}_k,y)=\sum _{q=1:2^n}{\lambda }_q({\overrightarrow{x}}_q,f\left({\overrightarrow{x}}_q\right)),{\lambda }_q⩾0,\sum _{q=1:2^n}{\lambda }_i=1.$$

(15)

So, we have

$${\overrightarrow{x}}_k=\sum _{q=1:2^n}{\lambda }_q{\overrightarrow{x}}_q,{\lambda }_q⩾0,\sum _{q=1:2^n}{\lambda }_q=1,$$

which implies ${\lambda }_k=1$ and $y=f\left({\overrightarrow{x}}_k\right)$ (see (15)). Theorem 1 is proved. □

Thus, the function f may be uniquely defined by corresponding convex polyhedron $\mathsf{U}\left[F\right]$. For example, see in Figure 1 examples of polyhedrons of Boolean functions on two variables.

As it is well known in the convex analysis (e.g., see the classical book [8], Section 19) any polyhedron may be uniquely represented either by the set of its vertices, the so-called V-representation, or by the system of linear inequalities, the so-called H-representation. The sought system of the linear inequalities is the H-representation of the polyhedron $\mathsf{U}\left[F\right]$. Therefore, there exists a system of linear inequalities of $n+1$ variables $(\overrightarrow{x},x_{n+1})$:

$$\mathsf{S}(\overrightarrow{x},x_{n+1})=\{a_i+l_i\left(\overrightarrow{x}\right)+b_i{x}_{n+1}⩾0:i=1,\dots ,m\}$$

(16)

(where $a_i,b_i$, $b_i\ne 0$ are scalars, and $l_i\left(\overrightarrow{x}\right)$ are linear functions of n variables) such that

$$\mathsf{U}\left[F\right]=\left\{(\overrightarrow{x},x_{n+1}):a_i+l_i\left(\overrightarrow{x}\right)+b_i{x}_{n+1}⩾0:i=1,\dots ,m\right\}.$$

Finally, from Theorem 1 we have

$$\forall \overrightarrow{x}\in {\mathbb{B}}^n:\left\{f\left(\overrightarrow{x}\right)=x_{n+1}\right\}\iff \left\{a_i+l_i\left(\overrightarrow{x}\right)+b_i{x}_{n+1}⩾0:i=1,\dots ,m\right\},$$

(17)

i.e., for any $\overrightarrow{x}\in {\mathbb{B}}^n$, $f\left(\overrightarrow{x}\right)=x_{n+1}$ if and only if $\mathsf{S}(\overrightarrow{x},x_{n+1})$ holds. It is important that due to item (b) of Theorem 1, we do not need to assume that $x_{n+1}$ is a discrete, 0–1, variable. For any 0–1 vector $\overrightarrow{x}$, the system $\mathsf{S}(\overrightarrow{x},x_{n+1})$ has the only solution $(\overrightarrow{x},x_{n+1})$, where $x_{n+1}=f\left(\overrightarrow{x}\right)$.

In Refs. [9,10,11], one can find a description of one of the known algorithms to obtain the V-representation from an H-representation and vice versa. It is based on the pivoting method (similar to that used in the simplex method of linear programming) of polyhedron vertices/facets enumeration.

There are a number of licensed and free software to handle polyhedra. The following two (free and open source) are rather popular: the CDD [12] and the LRS [13]. Both applications have similar functionality and are compatible in data formats (input and output ones). In particular, they can calculate V- and H-representations of convex hulls of a finite set of points in Euclidean spaces. It is significant that the irreducible H-representation is produced, i.e., all the redundant linear inequalities are eliminated. It decreases the complexity of the resulting MILP representation of discrete optimization problems with Boolean functions.

The available experience of using the CDD and LRS suggests to choose the LRS application for practical usage of the approach. It is slightly newer and has parallel implementation of the reverse search algorithm (on which both above applications are based). Moreover, in the LRS, all the computations may be done without any loss of accuracy in the case of polyhedra with integral-valued vertices (as it is with $\mathsf{U}\left[F\right]$). All linear systems for basic Boolean bi-variant functions presented in Table 1 may be obtained by the approach outlined above. We take as an example the following Boolean function that is used as a round function in cryptographic algorithms

$$J\left(x_1,x_2,x_3\right)=(x_1\wedge x_2)\vee (x_1\wedge x_3)\vee (x_2\wedge x_3)=x_4$$

(18)

to compare “handmade” and “automatically generated” systems of inequalities.

As it was mentioned in the Introduction, any Boolean function given explicitly in the DNF or CNF form may be presented as a system of linear inequalities on the base of such representations for elementary bi-variant Boolean functions (see Table 1). Here, we need four ancillary continuous variables $p_j,q_j,u_j,v_j$. Let

$$p_j=(x_1\wedge x_2),q_j=(x_1\wedge x_3),u_j=(p_j\vee q_j),v_j=(x_2\wedge x_3).$$

So, we have $x_4=u_j\vee v_j$. The systems for AND and OR functions from Table 1 let us obtain the following system equivalent to (18)

$$\begin{array}{cc}\hfill & p_j⩽x_1,p_j⩽x_2,p_j⩾x_1+x_2-1,p_j⩾0,\hfill \\ \hfill & q_j⩽x_1,q_j⩽x_3,q_j⩾x_1+x_3-1,q_j⩾0,\hfill \\ \hfill & v_j⩽x_2,v_j⩽x_3,v_j⩾x_2+x_3-1,v_j⩾0,\hfill \\ \hfill & p_j⩽u_j,q_j⩽u_j,u_j⩽p_j+q_j,u_j⩽1,\hfill \\ \hfill & u_j⩽x_4,v_j⩽x_4,x_4⩽u_j+v_j,x_4⩽1,\hfill \end{array}$$

(19)

and we do not need to require that $x_4,p_j,q_j,u_j,v_j$ are binaries. Thus, the expression (18) with a 3-variant Boolean function was represented as linear system with 5 continuous ancillas and 20 inequalities.

The LRS gives a more compact system with eight inequalities and only one continuous ancilla, $x_4$. The reason is that instead of the successive construction of the final system from elementary bi-variant Boolean functions and intermediate (continuous) ancillary variables, the LRS application treats Boolean function as a whole, i.e., as the corresponding polyhedron $\mathsf{U}\left[J\right]$ in ${\mathbb{R}}^4$.

$$\left[\begin{array}{c}1\hfill \\ 1\hfill \\ 1\hfill \\ 0\hfill \\ 1\hfill \\ 0\hfill \\ 0\hfill \\ 0\hfill \end{array}\right]+\left[\begin{array}{cccc}\hfill -1& \hfill -1& \hfill 0& \hfill 1\\ \hfill -1& \hfill -1& \hfill -1& \hfill 2\\ \hfill 0& \hfill -1& \hfill -1& \hfill 1\\ \hfill 1& \hfill 0& \hfill 1& \hfill -1\\ \hfill -1& \hfill 0& \hfill -1& \hfill 1\\ \hfill 1& \hfill 1& \hfill 0& \hfill -1\\ \hfill 0& \hfill 1& \hfill 1& \hfill -1\\ \hfill 1& \hfill 1& \hfill 1& \hfill -2\end{array}\right]\left[\begin{array}{c}{x}_1\\ x_2\\ x_3\\ x_4\end{array}\right]⩾\overrightarrow{\left[\mathbf{0}\right]}$$

(20)

Let us take, for example, a more complex expression with five binary variables $x_1,x_2,x_3,x_4,$$x_5,x_6$:

$$x_1\oplus x_2\oplus x_3\oplus x_4\oplus x_5=x_6$$

(21)

is equivalent to the system (22) of linear inequalities (in vector-matrix form). Because $x_1,x_2,x_3,x_4,x_5$ are all binaries, we exclude redundant trivial inequalities ($0⩽x_1⩽1$) and those with zero coefficients for the $x_6$ variable. As a result, we have the following 34 linear inequalities, and an output value $x_6$ will be binary “automatically”:

$$\left[\begin{array}{c}1\hfill \\ 0\hfill \\ 4\hfill \\ 4\hfill \\ 4\hfill \\ 4\hfill \\ 4\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 0\hfill \\ 0\hfill \\ 0\hfill \\ 0\hfill \\ 0\hfill \\ 0\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 4\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \\ 2\hfill \end{array}\right]+\left[\begin{array}{cccccc}\hfill 0& \hfill 0& \hfill 0& \hfill 0& \hfill 0& \hfill -1\\ \hfill 0& \hfill 0& \hfill 0& \hfill 0& \hfill 0& \hfill 1\\ \hfill -1& \hfill -1& \hfill -1& \hfill -1& \hfill -1& \hfill 1\\ \hfill -1& \hfill -1& \hfill -1& \hfill -1& \hfill 1& \hfill -1\\ \hfill -1& \hfill 1& \hfill -1& \hfill -1& \hfill -1& \hfill -1\\ \hfill 1& \hfill -1& \hfill -1& \hfill -1& \hfill -1& \hfill -1\\ \hfill -1& \hfill -1& \hfill 1& \hfill -1& \hfill -1& \hfill -1\\ \hfill 1& \hfill -1& \hfill -1& \hfill 1& \hfill 1& \hfill -1\\ \hfill -1& \hfill 1& \hfill -1& \hfill 1& \hfill 1& \hfill -1\\ \hfill 1& \hfill 1& \hfill -1& \hfill -1& \hfill -1& \hfill 1\\ \hfill 1& \hfill -1& \hfill 1& \hfill 1& \hfill 1& \hfill 1\\ \hfill 1& \hfill 1& \hfill 1& \hfill 1& \hfill 1& \hfill -1\\ \hfill 1& \hfill 1& \hfill 1& \hfill 1& \hfill -1& \hfill 1\\ \hfill 1& \hfill 1& \hfill 1& \hfill -1& \hfill 1& \hfill 1\\ \hfill 1& \hfill 1& \hfill -1& \hfill 1& \hfill 1& \hfill 1\\ \hfill -1& \hfill 1& \hfill 1& \hfill 1& \hfill 1& \hfill 1\\ \hfill 1& \hfill 1& \hfill 1& \hfill -1& \hfill -1& \hfill -1\\ \hfill 1& \hfill 1& \hfill -1& \hfill -1& \hfill 1& \hfill -1\\ \hfill 1& \hfill 1& \hfill -1& \hfill 1& \hfill -1& \hfill -1\\ \hfill 1& \hfill -1& \hfill 1& \hfill 1& \hfill -1& \hfill -1\\ \hfill -1& \hfill 1& \hfill 1& \hfill 1& \hfill -1& \hfill -1\\ \hfill -1& \hfill -1& \hfill 1& \hfill 1& \hfill 1& \hfill -1\\ \hfill 1& \hfill -1& \hfill 1& \hfill -1& \hfill 1& \hfill -1\\ \hfill -1& \hfill 1& \hfill 1& \hfill -1& \hfill 1& \hfill -1\\ \hfill -1& \hfill 1& \hfill 1& \hfill -1& \hfill -1& \hfill 1\\ \hfill 1& \hfill -1& \hfill 1& \hfill -1& \hfill -1& \hfill 1\\ \hfill -1& \hfill 1& \hfill -1& \hfill -1& \hfill 1& \hfill 1\\ \hfill 1& \hfill -1& \hfill -1& \hfill -1& \hfill 1& \hfill 1\\ \hfill -1& \hfill -1& \hfill 1& \hfill -1& \hfill 1& \hfill 1\\ \hfill -1& \hfill -1& \hfill -1& \hfill 1& \hfill -1& \hfill -1\\ \hfill -1& \hfill 1& \hfill -1& \hfill 1& \hfill -1& \hfill 1\\ \hfill 1& \hfill -1& \hfill -1& \hfill 1& \hfill -1& \hfill 1\\ \hfill -1& \hfill -1& \hfill 1& \hfill 1& \hfill -1& \hfill 1\\ \hfill -1& \hfill -1& \hfill -1& \hfill 1& \hfill 1& \hfill 1\end{array}\right]\left[\begin{array}{c}{x}_1\hfill \\ x_2\hfill \\ x_3\hfill \\ x_4\hfill \\ x_5\hfill \\ x_6\hfill \end{array}\right]⩾\overrightarrow{\left[\mathbf{0}\right]}$$

(22)

There are two main disadvantageous of the demonstrated approach:

(1)

To obtain polyhedron $\mathsf{U}\left[F\right]$ for n-variant function $f:{\mathbb{B}}^n\to \left\{0.1\right\}$, we need to calculate all $2^n$ values $f\left(\overrightarrow{x}\right)$ for all $\overrightarrow{x}\in {\mathbb{B}}^n$;

(2)

The complexity of the facet enumeration algorithm grows dramatically as the value of n increases.

For example, let us take the following function of 10 variables

$$f(x_1,x_2,\cdots ,x_{10})=\left\{\begin{array}{c}1,\mathrm{if}{\displaystyle \sum _{i=1:10}}{x}_i=0\left(\mathrm{mod}3\right);\hfill \\ 0,\mathrm{otherwise}\hfill \end{array}\right.$$

The LRS application gives a desired system with 2691 inequalities (with 10 binary and one continuous variables) in 55 min of running on one half of the computing power of Intel i7 @ 3.4 GHz (4 CPU core of 8 was used).

At this point, we cannot offer analytical evaluations neither for the upper nor for the lower bounds of complexity of the reverse search algorithm implemented by the LRS application, nor for the number of inequalities (i.e., number of facets of polytope corresponding to 0–1 function of binary variables). However, numerical experiments with the number of 10 variant functions (on the Intel i7 computer mentioned above) give a wide range of run times (from an hour to 10 min) and various numbers of inequalities (from more than 2500 to 12). So, the complexity and the number of inequalities depend substantially on the specific considered Boolean function.

2.3. Comparison of Two Ways of Reducing Boolean Expressions to MILP Problem

So, we have two approaches of reducing the cryptography problem to the MILP problem:

• By equations with binary ancillaries, see Section 2.1—Boolean expressions of cryptography algorithms are reduced to equations with binary ancillaries; CPLEX-solver is used to obtain coefficients of the desired equation for a given Boolean expression;
• By inequalities without binary ancillaries, see Section 2.2—Boolean expressions are replaced with systems of linear inequalities without any extra binary variables; polyhedra-handling application LRS [13] is used to generate these inequalities in explicit form.

The first approach is suited mainly to quantum annealers (such as D-Wave) because all equations may be directly converted to summands of the QUBO criterion (just by squaring). At the same time, both MILP and QUBO problems may be (theoretically) solved by classical, generic solvers (CPLEX, Gurobi, SCIP, CBC, etc.). However, extra binary ancillaries may increase the computing complexity of the problem for classical solvers.

It is important to mention that in the context of the transformation of the equation with a Boolean function to a summand of QUBO objective function (as a penalty for violating that equation), another approach exists. For example, it is known [14] that equation $x_1\wedge x_2=y$ is equivalent to bi-linear penalty $P(x_1,x_2,y)=x_1{x}_2-2x_{1}y-2x_{2}y+3y$ (without any binary ancilla, which appears in the equation for XOR in (12)) in the following sense:

$$\begin{array}{c}\left(x_1\wedge x_2=y\right)\iff \left(P(x_1,x_2,y)=0\right),\hfill \\ \left(x_1\wedge x_2\ne y\right)\iff \left(P(x_1,x_2,y)⩾1\right).\hfill \end{array}$$

(23)

The second approach is suited to classical MILP solvers only. Theoretically, the absence of binary ancillaries may give an easier MILP problem than that obtained by the first approach. The number of binary variables of the resulting MILP problem will be equal to the number of unknown bits in the hash pre-image problems. However, it is still impossible to evaluate the number of linear inequalities. Comparison of the first and second approaches requires intensive computing experiments. For some Boolean function, there is another, hybrid, method based on the equation with binary ancillas and on a couple of inequalities. This method enables replacing one binary variable with a continuous one.

Assume that we have representation of the Boolean function $f:{\mathbb{B}}^n\to \{0,1\}$ as a linear equation defined in (1) and (2). Let us rewrite linear Equation (1) to pick out the summand with the y variable, keeping the value of the function

$$c_{y}y+{\overrightarrow{c_x}}^T\overrightarrow{x}+{\overrightarrow{c_a}}^T\overrightarrow{a}=b$$

(24)

The method is based on the following simple statement.

Theorem 2.

Let, in (24), $\left|c_y\right|=1$; all components of vectors $\overrightarrow{c_x}$, $\overrightarrow{c_a}$ and scalar b are all integers. Let the following inequalities hold also

$$0⩽y⩽1.$$

(25)

Then Equation (24) and inequalities (25) imply that y is binary “automatically”. In other words, in (2), we can drop the constraint that y must be binary variable.

Proof. 

The proof is very simple. The assumption that $\overrightarrow{c_x}$, $\overrightarrow{c_a}$ and b are all integers means that if (24) holds, then y is an integer. From inequality (25), we obtain that y can be either 0 or 1. □

Theorem 2 enables us to reduce the complexity of the corresponding MILP by replacing one binary variable with a continuous one at the extent of two additional inequalities. Unfortunately, of the elementary Boolean function, only the ⊕ satisfies this statement. Another example is the round function $\mathrm{H}(\mathrm{B},\mathrm{C},\mathrm{D})$, presented further in

Table 2. Nonlinear functions in MD5 hash function.

	Boolean Formula	Linear Equation
$\mathrm{F}(\mathrm{B},\mathrm{C},\mathrm{D})$	$(B\wedge C)\vee (\neg B\wedge D)$	$B+3C+2D-6F+2a_0-3a_1+2a_2=0$
$\mathrm{G}(\mathrm{B},\mathrm{C},\mathrm{D})$	$(B\wedge D)\vee (C\wedge \neg D)$	$3B+2C+D-6G-3a_0+2a_1+2a_2=0$
$\mathrm{H}(\mathrm{B},\mathrm{C},\mathrm{D})$	$B\oplus C\oplus D$	$B+C+D-H-2a=0$
$\mathrm{I}(\mathrm{B},\mathrm{C},\mathrm{D})$	$C\oplus (B\vee \neg D)$	$B+2C-D-2I+a_0-4a_1=0$

.

2.4. The Case of Boolean Functions with Many Binary Arguments

Both methods of representation of the Boolean function, either as one linear equation with original variables and binary ancillaries, or as a system of linear inequalities without binary ancillaries, may require a long computing time. If so, the following workaround may be used, based on the representation of Boolean function as a composition of Boolean functions with fewer arguments.

Take the Boolean function $f\left(\overrightarrow{x}\right):B^n\to \left\{0,1\right\}$, which may be represented as composition of K Boolean functions with fewer arguments:

$$\begin{array}{c}f\left(\overrightarrow{x}\right)=f(x_1,x_2,\cdots ,x_n)=\mathsf{\Phi }\left(\overrightarrow{Y}\left(\overrightarrow{x}\right)\right)=\mathsf{\Phi }\left(Y_1\left({\overrightarrow{\xi }}_1\left(\overrightarrow{x}\right)\right),Y_2\left({\overrightarrow{\xi }}_2\left(\overrightarrow{x}\right)\right),\cdots ,Y_K\left({\overrightarrow{\xi }}_K\left(\overrightarrow{x}\right)\right)\right),\mathrm{where}\hfill \\ \forall k\in \{1\dots K\}:\left(Y_k\left({\overrightarrow{\xi }}_k\right):B^{n_k}\to \left\{0,1\right\},{\overrightarrow{\xi }}_k\left(\overrightarrow{x}\right)=\left\{x_{\nu \left(k,j\right)}:\right.j\in \{1\dots n_k\}\right.,n_k\ll n.\hfill \end{array}$$

(26)

2.4.1. Linear Equations with Binary Ancillaries for Composition of Boolean Functions

Let the function $\mathsf{\Phi }\left(\overrightarrow{Y}\right)$ have the following representation as a linear equation with binary ancillaries:

$$\begin{array}{c}\left(\overrightarrow{Y}\in B^K,\mathsf{\Phi }\left(\overrightarrow{Y}\right)=z\right)\iff \left(\exists \overrightarrow{\alpha }\in B^M:E(\overrightarrow{Y},\overrightarrow{\alpha },z)=0\right),\hfill \end{array}$$

(27)

where $E(\overrightarrow{Y},\overrightarrow{a},z)$ is an affine function (there may be some nonzero constant) on original binary variables $\overrightarrow{Y}$; a set of M binary ancillaries $\overrightarrow{a}$; and binary scalar z is a value of $\mathsf{\Phi }\left(\overrightarrow{Y}\right)$.

Then, let us assume that we know the similar representation for all “sub-functions” $Y_k(k=1:K)$:

$$\begin{array}{c}\left({\overrightarrow{\xi }}_k\in B^{n_k},Y_k\left({\overrightarrow{\xi }}_k\right)=y_k\right)\iff \left(\exists {\overrightarrow{a}}_k\in B^{m_k}:e_k({\overrightarrow{\xi }}_k,{\overrightarrow{a}}_k,y_k)=0\right),\hfill \end{array}$$

(28)

where $e_k({\overrightarrow{\xi }}_k,{\overrightarrow{a}}_k,y_k)$ is an affine function on a subset of original binary variables ${\overrightarrow{\xi }}_k\left(\overrightarrow{x}\right)$; a set of $m_k$ binary ancillaries ${\overrightarrow{a}}_k$; and binary scalar $y_k$ is a value of $Y_k\left({\overrightarrow{\xi }}_k\right)$.

Now we can represent original function $f(·)$ (26) as a system of $K+1$ linear equations and $K+M+{\displaystyle \sum _{k=1}^K}{m}_k$ binary ancillaries (components of vectors $\overrightarrow{Y}\in B^K$, $\overrightarrow{\alpha }\in B^M$ and ${\overrightarrow{a}}_k\in B^{m_k},k=1:K$):

$$\begin{array}{c}\left(\overrightarrow{x}\in B^n,f\left(\overrightarrow{x}\right)=\mathsf{\Phi }\left(\overrightarrow{Y}\left(\overrightarrow{x}\right)\right)=z\right)\iff \left\{\begin{array}{c}\exists \overrightarrow{\alpha }\in B^M:E\left((y_1,y_2,\cdots ,y_K),\overrightarrow{\alpha },z\right)=0;\hfill \\ \exists {\overrightarrow{a}}_1\in B^{m_1}:e_1({\overrightarrow{\xi }}_1\left(\overrightarrow{x}\right),{\overrightarrow{a}}_1,y_1)=0;\hfill \\ \exists {\overrightarrow{a}}_2\in B^{m_2}:e_2({\overrightarrow{\xi }}_2\left(\overrightarrow{x}\right),{\overrightarrow{a}}_2,y_2)=0;\hfill \\ \cdots \hfill \\ \exists {\overrightarrow{a}}_K\in B^{m_K}:e_k({\overrightarrow{\xi }}_K\left(\overrightarrow{x}\right),{\overrightarrow{a}}_K,y_K)=0.\hfill \end{array}\right.\hfill \end{array}$$

(29)

2.4.2. Linear Inequalities without Binary Ancillaries for Composition of Boolean Functions

Let function $\mathsf{\Phi }\left(\overrightarrow{Y}\right)$ have the following representation as a system of linear inequalities without auxiliary binary variables (see (16) and (17)):

$$\left(\overrightarrow{Y}\in B^K,\mathsf{\Phi }\left(\overrightarrow{Y}\right)=z\right)\iff \left(\left\{{\alpha }_i+L_i\left(\overrightarrow{Y}\right)+{\beta }_{i}z⩾0:i=1,\dots ,M\right\}\right),$$

(30)

where $L_i(·)$ are linear functions. Let the similar representation hold for all functions $Y_k(k=1\dots K)$:

$$\begin{array}{c}\left({\overrightarrow{\xi }}_k\in B^{n_k},Y_k\left({\overrightarrow{\xi }}_k\right)=y_k\right)\iff \left(\left\{a_{k,i}+l_{k,i}\left({\overrightarrow{\xi }}_k\right)+b_{k,i}{y}_k⩾0:i=1,\dots ,m_k\right\}\right),\hfill \end{array}$$

(31)

where $l_{k,i}\left({\overrightarrow{\xi }}_k\right)$, $i=1\dots m_k,k=1\dots K$, are all linear functions.

Now we have the representation of the original function as a system of $M+{\displaystyle \sum _{k=1}^K}{m}_k$ linear inequalities and original n-vector of binary variables $\overrightarrow{x}$, and $K+1$ continues ancillaries $y_k(k=1\dots K)$ and z:

$$\begin{array}{c}\left(\overrightarrow{x}\in B^n,f\left(\overrightarrow{x}\right)=\mathsf{\Phi }\left(\overrightarrow{Y}\left(\overrightarrow{x}\right)\right)=z\right)\iff \left\{\begin{array}{c}\left\{{\alpha }_i+L_i\left(\overrightarrow{Y}\right)+{\beta }_{i}z⩾0:i=1,\dots ,M\right\};\hfill \\ \left\{a_{1,i}+l_{1,i}\left({\overrightarrow{\xi }}_1\left(\overrightarrow{x}\right)\right)+b_{1,i}{y}_1⩾0:i=1,\dots ,m_1\right\};\hfill \\ \left\{a_{2,i}+l_{2,i}\left({\overrightarrow{\xi }}_2\left(\overrightarrow{x}\right)\right)+b_{2,i}{y}_2⩾0:i=1,\dots ,m_2\right\};\hfill \\ \cdots \hfill \\ \left\{a_{K,i}+l_{K,i}\left({\overrightarrow{\xi }}_K\left(\overrightarrow{x}\right)\right)+b_{K,i}{y}_K⩾0:i=1,\dots ,m_K\right\}.\hfill \end{array}\right.\hfill \end{array}$$

(32)

2.5. Transform Subproblems from the MILP to QUBO

In this section, we consider converting our MILP problem into the QUBO. The QUBO representation provides an opportunity to run the problem at quantum annealers (e.g., at the D-Wave computer) or at other machines capable of finding the ground state of the Ising model. Let us take the following linear system:

$$\begin{array}{c}\hfill A\overrightarrow{x}=\overrightarrow{b}\iff \sum _j{a}_{ij}{x}_j=b_i(\forall i\in \{0\dots M-1\}),\end{array}$$

(33)

where $A\in {\mathbb{R}}^{M\times N},\overrightarrow{b}\in {\mathbb{R}}^M,\overrightarrow{x}\in {\{0,1\}}^N$. Move all terms from the right-hand side to the left:

$$\begin{array}{c}\hfill \sum _j{a}_{ij}{x}_j-b_i=0\end{array}$$

(34)

Square all terms in the lhs and sum up all of them:

$$\begin{array}{c}\hfill {\left(\sum _j{a}_{0j}{x}_j-b_0\right)}^2+{\left(\sum _j{a}_{1j}{x}_j-b_1\right)}^2+\cdots +{\left(\sum _j{a}_{(M-1)j}{x}_j-b_{M-1}\right)}^2\end{array}$$

(35)

One can see that minimizing the expression (35) is equivalent to finding the solution of Equation (33). Summing up, we write the equivalent form for MILP and QUBO as follows:

$$\begin{array}{c}\hfill A\overrightarrow{x}=\overrightarrow{b}\iff \underset{\overrightarrow{x}}{min}\left({\left(\sum _j{a}_{0j}{x}_j-b_0\right)}^2+{\left(\sum _j{a}_{1j}{x}_j-b_1\right)}^2+\cdots +{\left(\sum _j{a}_{(M-1)j}{x}_j-b_{M-1}\right)}^2\right)\end{array}$$

(36)

3. Results

3.1. Transform Addition Modulo into the MILP

The addition modulo can be represented in the MILP form as well. Let us take the following addition modulo with the multiply input terms:

$$\begin{array}{c}\hfill \sum _{i=0}^K{a}_i=b\left(mod{2}^N\right)\end{array}$$

(37)

where $a_i,b\in \mathbb{Z}.$ Consider each bit in the equation. Let us take $a_i={\sum }_{j=0}^K{a}_{ij}{2}^j,b={\sum }_{j=0}^K{b}_j{2}^j$ ($a_{ij}$ or $b_j$ are j-th bit of $a_i$ or b number respectively). Then, we can write the system of equations that is equivalent to the previous Equation (37):

$$\begin{array}{c}{\displaystyle \sum _{i=0}^N}{a}_{i0}=b_0+{\displaystyle \sum _{i=0}^{C_0}}{\xi }_{i,0}{2}^i\\ {\displaystyle \sum _{i=0}^{1-1}}{\xi }_{C_i-1,i}+{\displaystyle \sum _{i=0}^N}{a}_{i1}=b_1+{\displaystyle \sum _{i=0}^{C_1}}{\xi }_{i,1}{2}^i\\ {\displaystyle \sum _{i=0}^{2-1}}{\xi }_{C_i-1,i}+{\displaystyle \sum _{i=0}^N}{a}_{i2}=b_2+{\displaystyle \sum _{i=0}^{C_2}}{\xi }_{i,2}{2}^i\\ ⋮\\ {\displaystyle \sum _{i=0}^{K-1}}{\xi }_{C_i-1,i}+{\displaystyle \sum _{i=0}^N}{a}_{iK}=b_K+{\displaystyle \sum _{i=0}^{C_K}}{\xi }_{i,K}{2}^i\end{array}$$

(38)

where $C_i$ is a number of carried bits for the i-th bit of a or b. As one can see, Equation (38) is the MILP problem.

3.2. The MD5

In this subsection, we consider converting a pre-image attack on hash functions into an optimization problem. The hash functions, $H\left(x\right)$, possesses two features:

• For any x number, there is easy to compute $H\left(x\right)$.
• For any y number, there is hard to find x such that $H\left(x\right)=y$.

The pre-image attack tries to break the second feature. There is a paper in which researchers tried to commit this attack [15]. They used local collision, partial fixing and other classical cryptography techniques. The final complexity in the mentioned paper is $2^{123.4}$. Unfortunately, this is not practical at all.

Another approach based on the SAT for the MD-family hash functions was considered in Refs. [16,17]. In these papers, they used an idea similar to what we use in this work, but they converted the pre-image attack to the SAT problem as we convert it into the MILP problems. In Ref. [16], they successfully committed an attack on the MD4 with 39 rounds under Dobbertin’s conditions [18].

Here, we develop an efficient technique to obtain the solution. Namely, we divide the MD5 hash function into simple operations, which we can easily convert to the MILP or QUBO (Figure 2). Each circle depicts an operation; the white rectangle is a 32 bit number. At a first step, we note that all round functions make the same operations, except a nonlinear function. Therefore, the MILP or QUBO will appear in the similar way. Taking a closer look at the round function, we notice that it consists of the following types of operations: the nonlinear function, addition modulo and shift. Nonlinear functions are used in the MD5 to act on 32 bit numbers separately, and thus, we can find the MILP/QUBO representation for each bit separately. Table 2 gives all nonlinear functions in the MD5 and the respective linear equations for them.

The addition modulo is considered in Section 3.1. For implementing a shift operation (left or right bit rotation), one should just rename the corresponding variables. Let us consider the linear system $\overrightarrow{\mathsf{\Phi }}(\overrightarrow{x},\overrightarrow{y})=\overrightarrow{b}$, where $\overrightarrow{x}$ and $\overrightarrow{y}$ are vectors of variables, and $\overrightarrow{b}$ is a fixed vector of parameters. We need to add a shift operation to $\overrightarrow{x}$ and to leave $\overrightarrow{y}$ unchanged. We denote by ${\overrightarrow{x}}^{\prime }$ the “shifted” $\overrightarrow{x}$. By definition, $\overrightarrow{x}=\left(x_1,x_2,\dots ,x_N\right)$, then ${\overrightarrow{x}}^{\prime }=\left(x_{s+1},x_{s+2},\dots ,x_N,x_1,x_2,\dots ,x_s\right)$ in the case of right rotation $\left(x^{\prime }=x>>>s\right)$ and ${\overrightarrow{x}}^{\prime }=\left(x_{N-s},x_{N-s+1},\dots ,x_N,x_1,x_2,\dots ,x_{N-s-1}\right)$ in the case of left rotation $\left(x^{\prime }=x<<<s\right)$. So, the new linear system (after shift) is just the system of simple equations (“reindexing”) ${\overrightarrow{\mathsf{\Phi }}}^{\prime }(\overrightarrow{x},\overrightarrow{y})=\overrightarrow{b}\iff \overrightarrow{\mathsf{\Phi }}\left({\overrightarrow{x}}^{\prime },\overrightarrow{y}\right)=\overrightarrow{b}$.

After converting all types of operations in the MILP, we are ready to build it for the whole MD5. Before doing that though, let us shortly revise the definition of MD5. The hash function transforms the 512 bit input message into the hash value. The given message divides into 16 pieces of 32 bit numbers, $M_i(i\in 0\dots 15)$. In addition, the MD5 has four 32-bit constants, which we define as $A_0,B_0,C_0,D_0$, respectively. The calculating of the hash value consists of rounds. The MD5 has 64 rounds. In each round, we calculate some intermediate hash value as follows:

$$\begin{array}{cc}\hfill A_k& =D_{k-1},B_k=\left(F_k\left(B_{k-1},C_{k-1},D_{k-1}\right)+A_{k-1}+M_{\mu \left(k\right)}+K_k\right)<<<s_k+B_{k-1},\hfill \\ \hfill C_k& =B_{k-1},D_k=C_{k-1}\hfill \end{array}$$

(39)

where $k\in 1\dots 64$ is the number of rounds, $K_k$ and $s_k$ are given constant numbers, and $\mu \left(k\right)$ are as follows:

• $\mu \left(k\right)=k-1(k\in 1\dots 16)$;
• $\mu \left(k\right)=5k-4(mod16)(k\in 17\dots 32)$;
• $\mu \left(k\right)=3k+2(mod16)(k\in 33\dots 48)$;
• $\mu \left(k\right)=7k-7(mod16)(k\in 49\dots 64)$.

Here $F_k$ is one of the nonlinear round functions. Depending on the round number, we have the following:

• $F_k(B,C,D)=F(B,C,D)=(B\wedge C)\vee (!B\wedge D)(k\in 1\dots 16)$;
• $F_k(B,C,D)=G(B,C,D)=(B\wedge D)\vee (C\wedge !D)(k\in 17\dots 32)$;
• $F_k(B,C,D)=H(B,C,D)=B\oplus C\oplus D(k\in 33\dots 48)$;
• $F_k(B,C,D)=I(B,C,D)=C\oplus (B\vee !D)(k\in 49\dots 64)$.

The final hash value of the MD5 is compound of $A_{64},B_{64},C_{64},D_{64}$ blocks. Comparing with the notation from the beginning $\left(H\right(x)=y),x$ is divided into $M_k$ blocks, y is the compound of $A_{64},B_{64},C_{64},D_{64}$ blocks. More details can be found in [19].

In the Table 2, we specified all nonlinear functions used in MD5. Denote by $L_k\left(B_{k-1},C_{k-1},D_{k-1},F{F}_k,{\alpha }_k\right)=0$ the linear system of equations for nonlinear operations in the k-th round. This system consists of the linear equation for each bit of $B_{k-1},C_{k-1},D_{k-1}$ and is chosen from Table 2 in accordance with the hash function round. Here, $F{F}_k$ is the output number of $F_k(B_{k-1},C_{k-1},D_{k-1})$, and ${\alpha }_k$ is a vector variable which denotes all ancilla bits. For example, let us consider the 33-rd round and let all the numbers in the blocks be 2 bit for simplicity’s sake. In the 33-rd round, $H(B,C,D)$ is used from Table 2. Then, the linear system $L_{33}(B_{32},C_{32},D_{32},F{F}_{33},{\alpha }_{33})=0$ becomes

$$\begin{array}{c}\hfill L_{33}(B_{32},C_{32},D_{32},F{F}_{33},{\alpha }_{33})=0:=\left\{\begin{array}{c}{B}_{32,0}+C_{32,0}+D_{32,0}-F{F}_{33,0}-2{\alpha }_{33,0}=0\hfill \\ B_{32,1}+C_{32,1}+D_{32,1}-F{F}_{33,1}-2{\alpha }_{33,1}=0\hfill \end{array}\right.\end{array}$$

(40)

For the addition modulo, we use another notation, $\Sigma (A,B,\dots ,D,R,\xi )$, where $A,B,\dots ,D$ are input numbers, R is the output one and $\xi$ is a vector variable of all ancilla bits as in the nonlinear function case. Let us write an explicit formula for $\Sigma$ in the simple case. For example, consider two 2-bit summands, then $\Sigma$ is as follows:

$$\begin{array}{c}\hfill \Sigma (A,B,R,\xi )=0:=\left\{\begin{array}{c}{A}_0+B_0=R_0+2{\xi }_0\hfill \\ {\xi }_0+A_1+B_1=R_1+2{\xi }_1\hfill \end{array}\right.\end{array}$$

(41)

Using the MD5 round definition and Figure 2, we can write the linear system for one round. Consider the k-th round:

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\hfill & L_k\left(B_{k-1},C_{k-1},D_{k-1},F{F}_k,{\alpha }_k\right)=0\hfill \\ \hfill & \Sigma \left(F{F}_k,A_{k-1},M_{\mu \left(k\right)},K_k,F{M}_k,{\xi }_{k,1}\right)=0\hfill \\ \hfill & \Sigma \left(F{M}_k<<<s_k,B_{k-1},B_k,{\xi }_{k,2}\right)=0\hfill \\ \hfill & A_k=D_{k-1},C_k=B_{k-1},D_k=C_{k-1}\hfill \end{array}\right.\end{array}$$

(42)

Combining all of Equation (42), we obtain the MILP for the whole MD5:

$$\left\{\begin{array}{c}{L}_1\left(B_0,C_0,D_0,F{F}_1,{\alpha }_1\right)=0\hfill \\ \Sigma \left(F{F}_1,A_0,M_{\mu \left(1\right)},K_1,F{M}_1,{\xi }_{1,1}\right)=0\hfill \\ \Sigma \left(F{M}_1<<<s_1,B_0,B_1,{\xi }_{1,2}\right)=0\hfill \\ A_1=D_0,C_1=B_0,D_1=C_0\hfill \\ \dots \hfill \\ L_k\left(B_{k-1},C_{k-1},D_{k-1},F{F}_k,{\alpha }_k\right)=0\hfill \\ \Sigma \left(F{F}_k,A_{k-1},M_{\mu \left(k\right)},K_k,F{M}_k,{\xi }_{k,1}\right)=0\hfill \\ \Sigma \left(F{M}_k<<<s_k,B_{k-1},B_k,{\xi }_{k,2}\right)=0\hfill \\ A_k=D_{k-1},C_k=B_{k-1},D_k=C_{k-1}\hfill \\ \dots \hfill \\ L_{64}\left(B_{63},C_{63},D_{63},F{F}_{64},{\alpha }_{64}\right)=0\hfill \\ \Sigma \left(F{F}_{64},A_0,M_{\mu \left(64\right)},K_{64},F{M}_{64},{\xi }_{64,1}\right)=0\hfill \\ \Sigma \left(F{M}_{64}<<<s_{64},B_{63},B_{64},{\xi }_{64,2}\right)=0\hfill \\ A_{64}=D_{63},C_{64}=B_{63},D_{64}=C_{63}\hfill \end{array}\right.$$

(43)

with the final hash value $A_{64},B_{64},C_{64},D_{64}$.

Now, we calculate the number of binary variables in the MILP of the MD5 hash function. In the zeroth round, we have $A_0,B_0,C_0,D_0$ and all $M_i(i\in 0\cdots 16)$. They are $(4+16)·32=640$ bits. Each $L_k$ adds $F_k$ and ${\alpha }_k$ variables, and $F_k$ in each round consists of 32 bits, whereas the number of bits in ${\alpha }_k$ depends on a round. From 1 to 32 rounds, ${\alpha }_k$ has $3·32=96$ bits; from 33 to 48, ${\alpha }_k$ has 32 bits; and from 49 to 64, ${\alpha }_k$ has 64 bits. Finally, all $L_k$ have $32·64+96·32+32·16+64·16=6656$ new bits.

Each ${\xi }_{k,1}$ has only 2 bits. One can easily check that because four terms generate 2 carry bits and in the next addition, six terms (4 + 2) also produce 2 carry bits. Taking into account a new bit for $F{M}_k$ and 32 bits, we conclude that $\Sigma$ adds $3·32=96$ bits in the case of $\Sigma \left(F{F}_k,A_{k-1},M_{\mu \left(k\right)},K_k,F{M}_k,{\xi }_{k,1}\right)=0$. Even easier is with ${\xi }_{k,2}$, which always has only 1 bit. Therefore, $\Sigma \left(F{M}_k<<<s_k,B_{k-1},B_k,{\xi }_{k,2}\right)=0$ adds 64 bits. In total, all $\Sigma$ in all rounds generate 10,240 new bits. Taking into consideration $A_0,B_0,C_0,D_0$ and all $M_k$ and excluding $A_{64},B_{64},C_{64},D_{64}$, we get 17,408 bits in total.

3.3. The SHA-256

The SHA-256 hash function has a similar structure as well as the MD5 (see Section 3.2) and also has 64 rounds of the similar transformation; see Figure 3. However, there are some differences (for more details, see [20]), namely the following:

• Each intermediate hash value has 256 bits, which is divided into 8 blocks with 32 bits.
• A round has four nonlinear functions (Ch, Ma, $\Sigma 1,\Sigma 2$).
• The input message has 512 bits (16 blocks with 32 bits), and it is extended to 64 blocks using right circular shift and XOR.

Nevertheless, we can convert the SHA256 into MILP (QUBO) as well. In

Table 3. Non-linear functions in SHA-256 and relevant linear equations.

Boolean Formula	Linear Equation
$\mathrm{Ch}(\mathrm{E},\mathrm{F},\mathrm{G})=(\mathrm{E}\wedge \mathrm{F})\oplus (\neg E\wedge \mathrm{G})$	$\mathrm{E}+3\mathrm{F}+2\mathrm{G}-6\mathrm{Ch}+2a_0-3a_1+2a_2=0$
${\Sigma }_0\left(A_2,A_{13},A_{22}\right)=A_2\oplus A_{13}\oplus A_{22}$	$A_2+A_{13}-A_{22}+{\Sigma }_0-2a_0=0$
${\Sigma }_1\left(A_{-6},A_{-11},A_{-25}\right)=A_{-6}\oplus A_{-11}\oplus A_{-25}$	$A_{-6}+A_{-11}-A_{-25}+{\Sigma }_1-2a_0=0$
$\mathrm{Ma}(\mathrm{A},\mathrm{B},\mathrm{C})=(\mathrm{A}\wedge \mathrm{B})\oplus (\mathrm{A}\wedge \mathrm{C})\oplus (\mathrm{B}\wedge \mathrm{C})$	$\mathrm{A}+\mathrm{B}+\mathrm{C}-2\mathrm{Ma}-a_0=0$

, we specified all nonlinear functions used in SHA256 and the relevant linear equation. All the MILPs were built by the method from Section 2.1.

The same is with the section about the MD5 (Section 3.2), where we can write the MILP for one round as follows:

$$\begin{array}{c}\hfill \left\{\begin{array}{c}{L}_{Ch}(E_{k-1},F_{k-1},G_{k-1},C{H}_k,{\alpha }_{k,1})=0,\hfill \\ L_{{\Sigma }_1}(E_{k-1},SI{G}_{k,1},{\alpha }_{k,2})=0,\hfill \\ L_{{\Sigma }_0}(A_{k-1},SI{G}_{k,0},{\alpha }_{k,3})=0,\hfill \\ L_{Ma}(A_{k-1},B_{k-1},C_{k-1},M{A}_k,{\alpha }_{k,4})=0,\hfill \\ \Sigma (H_{k-1},SI{G}_{k,1},C{H}_k,W_k,K_k,S_{k,1},{\xi }_{k,1})=0,\hfill \\ \Sigma (D_{k-1},S_{k,1},E_k,{\xi }_{k,2})=0,\hfill \\ \Sigma (S_{k,1},M{A}_k,A_k,{\xi }_{k,3})=0,\hfill \\ B_k=A_{k-1},C_k=B_{k-1},D_k=C_{k-1},F_k=E_{k-1},G_k=F_{k-1},H_k=G_{k-1},\hfill \end{array}\right.\end{array}$$

(44)

where $L_{Ch},L_{{\Sigma }_1},L_{{\Sigma }_0},L_{Ma}$ are linear systems for nonlinear functions from Table 3, $\Sigma$ is a system for the addition modulo operation, all $\alpha$ and $\xi$ are vectors of binary ancillas for nonlinear and addition transformations, respectively, $W_k$ is a block of extended an input message, $K_k$ is a given round constant, and $A_{k-1},B_{k-1},C_{k-1},D_{k-1},E_{k-1},F_{k-1},G_{k-1}$ and $H_{k-1}$ are blocks of intermediate hash values from the previous round, whereas $A_k,B_k,C_k,D_k,E_k,F_k,G_k$ and $H_k$ are hash values of the current round.

For extending an input message SHA-256, we use the iterative process, where the first 16 blocks are the same as the input message $W_k=M_k$$(k\in 1\cdots 16)$, and the next $W_k(k\in 17\cdots 64)$ is computed as follows:

$$\begin{array}{c}\hfill {\beta }_{k,0}=(W_{k-15}>>>7)\oplus (W_{k-15}>>>18)\oplus (W_{k-15}>>3)\end{array}$$

(45)

$$\begin{array}{c}\hfill {\beta }_{k,1}=(W_{k-2}>>>17)\oplus (W_{k-2}>>>19)\oplus (W_{k-2}>>10)\end{array}$$

(46)

$$\begin{array}{c}\hfill W_k=W_{k-16}+{\beta }_{k,0}+W_{k-7}+{\beta }_{k,1}\left(mod{2}^{32}\right)\end{array}$$

(47)

Denote by $L_{{\omega }_0}$ and $L_{{\omega }_1}$ the linear system for operation in Equations (45) and (46), respectively. They are built as ${\Sigma }_0$ or ${\Sigma }_1$ in Table 3. ${\gamma }_{k,0}$ and ${\gamma }_{k,1}$ are ancilla vector bits for these linear systems. So let us write the full linear system for SHA-256:

$$\left\{\begin{array}{c}{W}_1=M_1,W_2=M_2,\cdots ,W_{16}=M_{16},\hfill \\ L_{{\omega }_0}(W_2,{\beta }_{17,0},{\gamma }_{17,0})=0,\hfill \\ L_{{\omega }_1}(W_{15},{\beta }_{17,1},{\gamma }_{17,1})=0,\hfill \\ \Sigma (W_1,{\beta }_{17,0},W_{10},{\beta }_{17,1},W_{17},{\xi }_{17,0})=0,\hfill \\ \cdots \hfill \\ L_{{\omega }_0}(W_{49},{\beta }_{64,0},{\gamma }_{64,0})=0,\hfill \\ L_{{\omega }_1}(W_{62},{\beta }_{64,1},{\gamma }_{64,1})=0,\hfill \\ \Sigma (W_{48},{\beta }_{64,0},W_{57},{\beta }_{64,1},W_{64},{\xi }_{64,0})=0,\hfill \\ \\ L_{Ch}(E_0,F_0,G_0,C{H}_1,{\alpha }_{1,1})=0,\hfill \\ L_{{\Sigma }_1}(E_0,SI{G}_{1,1},{\alpha }_{1,2})=0,\hfill \\ L_{{\Sigma }_0}(A_0,SI{G}_{1,0},{\alpha }_{1,3})=0,\hfill \\ L_{Ma}(A_0,B_0,C_0,M{A}_1,{\alpha }_{1,4})=0,\hfill \\ \Sigma (H_0,SI{G}_{1,1},C{H}_1,W_1,K_1,S_{1,1},{\xi }_{1,1})=0,\hfill \\ \Sigma (D_0,S_{1,1},E_1,{\xi }_{1,2})=0,\hfill \\ \Sigma (S_{1,1},M{A}_1,A_1,{\xi }_{1,3})=0,\hfill \\ B_1=A_0,C_1=B_0,D_1=C_0,F_1=E_0,G_1=F_0,H_1=G_0,\hfill \\ \cdots \hfill \\ L_{Ch}(E_{63},F_{63},G_{63},C{H}_{64},{\alpha }_{64,1})=0,\hfill \\ L_{{\Sigma }_1}(E_{63},SI{G}_{64,1},{\alpha }_{64,2})=0,\hfill \\ L_{{\Sigma }_0}(A_{63},SI{G}_{64,0},{\alpha }_{64,3})=0,\hfill \\ L_{Ma}(A_{63},B_{63},C_{63},M{A}_{64},{\alpha }_{64,4})=0,\hfill \\ \Sigma (H_{63},SI{G}_{64,1},C{H}_{64},W_{64},K_{64},S_{64,1},{\xi }_{64,1})=0,\hfill \\ \Sigma (D_{63},S_{64,1},E_{64},{\xi }_{64,2})=0,\hfill \\ \Sigma (S_{64,1},M{A}_{64},A_{64},{\xi }_{64,3})=0,\hfill \\ B_{64}=A_{63},C_{64}=B_{63},D_{64}=C_{63},F_{64}=E_{63},G_{64}=F_{63},H_{64}=G_{63},\hfill \end{array}\right.$$

(48)

where union of $A_{64},B_{64},C_{64},D_{64},E_{64},F_{64},G_{64},H_{64}$ is final hash value of SHA-256.

In a similar way as in the previous section (Section 3.2), we calculate the number of bits in MILP. For SHA-256, the linear system (Equation (48)) has 46,080 bits.

3.4. The AES

The AES is a symmetric-key cryptography algorithm, meaning that the same key is used for both encrypting and decrypting data [21]. The AES has three different sizes of the key (128, 192 and 256 bits) and the fixed block size of an input message (128 bits). Depending on the key size, the algorithm has a different number of rounds (10, 12 or 14). Then, the protocol decomposes into several parts:

• KeyExpansion—round keys are derived from the cipher key using the AES key schedule. AES requires a separate 128-bit round key block for each round plus one more.
• Initial round key addition:

  (a)

  AddRoundKey—each byte of the state is combined with a byte of the round key using bitwise XOR.

• 9, 11 or 13 rounds:

  (a)

  SubBytes—a non-linear substitution step where each byte is replaced with another according to a lookup table.

  (b)

  ShiftRows—a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.

  (c)

  MixColumns—a linear mixing operation which operates on the columns of the state, combining the four bytes in each column.

  (d)

  AddRoundKey

• Final round (making 10, 12 or 14 rounds in total):

  (a)

  SubBytes;

  (b)

  ShiftRows;

  (c)

  AddRoundKey.

The first part prepares the key for encoding. Two to four parts are applied sequentially to an input message. An input message has 128 bits and is represented as $4\times 4$ with one byte element, termed the state. For instance, let b be the input message with 128 bits or equivalently 16 bytes, and $b_0,b_1,\dots ,b_{15}$ are represented as this two-dimensional array:

$$\left[\begin{array}{cccc}{b}_0& b_4& b_8& b_{12}\\ b_1& b_5& b_9& b_{13}\\ b_2& b_6& b_{10}& b_{14}\\ b_3& b_7& b_{11}& b_{15}\end{array}\right]$$

(49)

As we mentioned before, we divide the algorithm into smaller parts, transform to linear equations (or QUBO) and merge all parts. Note that the mentioned steps consist of XOR, shifting and operations in Rijndael’s finite field. The first two transformations are considered in Section 3.2. Therefore, let us take a closer look at the last one.

3.4.1. Rijndael’s Finite Field

The several steps are based on the arithmetic in Galois field $\mathrm{GF}\left(2^8\right)=\mathrm{GF}\left(2\right)\left[x\right]/$$\left(x^8+x^4+x^3+x+1\right)$. In AES, they use two operations in this field:

• Inverse operation in $\mathrm{GF}\left(2^8\right)$;
• Multiplication by $1,2$ and 3.

The first operation was implemented in Ref. [22]. The calculation of the inverse operation in the $\mathrm{GF}\left(2^8\right)$ is a hard problem, but it is easy in the $\mathrm{GF}\left(2\right)$, where multiplication is the AND operation; therefore, $1^{-1}=1,0^{-1}=0$. (Overall, 0 does not have the inverse element but for definiteness, we put $0^{-1}=0$. This agreement is valid for any $\mathrm{GF}\left(2^p\right),p⩾1$.) In Ref. [22], the authors reduce sequentially the inversion in $\mathrm{GF}\left(2^8\right)$ into multiplication and inversion in $\mathrm{GF}\left(2^4\right)$, then into $\mathrm{GF}\left(2^2\right)$ and, finally, into $\mathrm{GF}\left(2\right)$. For example, the G element in $\mathrm{GF}\left(2^8\right)$ can be represented as $G={\gamma }_{1}y+{\gamma }_0$ with a multiplication modulo, an irreducible polynomial $r\left(y\right)=y^2+\tau y+\nu$ and ${\gamma }_0,{\gamma }_1\in \mathrm{GF}\left(2^4\right)$. Making a similar transformation with step-by-step (more details in [22]) arithmetical operations, only $\mathrm{GF}\left(2\right)$ is left. So, the given logic gates are enough for making an inversion in $\mathrm{GF}\left(2^8\right)$: the XOR, NAND and NOR. All these operations can be transformed into linear equations (QUBO) using our approach from the previous Section 2.1 and Section 2.2. One can see the corresponding linear equation in

Table 4. Linear equation for elementary operations (linear equations were found in the previous patent; also there was the method for their generation).

	Formula	Linear Equation
AND	$x\wedge y=z$	$E_{\wedge }(x,y,a,z)\doteq \{x+y-2z-a=0\}$
OR	$x\vee y=z$	$E_{\vee }(x,y,a,z)\doteq \{x+y-2z+a=0\}$
XOR	$x\oplus y=z$	$E_{\oplus }(x,y,a,z)\doteq \{x+y-z-2a=0\}$
NOR	$\overline{x\vee y}=z$	$E_{\overline{\vee }}(x,y,a,z)\doteq \{x+y+2z-a=1\}$
NAND	$\overline{x\wedge y}=z$	$E_{\overline{\wedge }}(x,y,a,z)\doteq \{x+y+2z-a=2\}$

. For one byte, it requires 180 gates (XOR, NAND, and NOR) [22]. Each gate is decomposed into one additional equation and two additional bits (z and a).

Multiplications by 1, 2 and 3 in the $\mathrm{GF}\left(2^8\right)$ are also easy to implement. Multiplying by 1 is exactly the same number ($a\times 1=a(a\in \mathrm{GF}\left(2^8\right))$. Multiplying by 2 is equivalent to shifting the number left by one, and then XOR’ing the value 0x1B if the high bit was one; otherwise it has to do nothing. Let us build the linear system by steps. $x=[x_0,x_1,\cdots ,x_7]$ is the initial number. In the beginning, we make the shifting and XOR with 0x1B (or 00011011 as the binary number). After that, we obtain $z=[z_0,z_1,\cdots ,z_7]$. As 0x1B is constant, the XOR gate can be simplified ($a\oplus 0=a,a\oplus 1=\overline{a}$). Therefore, after shifting, we have to flip the value if the highest bit of x is equal to 1 and the corresponding bit of 0x1B is also equal to 1. Therefore, the full multiplication is the following linear system:

$$\left\{\begin{array}{c}{z}_0=x_7\hfill \\ z_1=x_7+x_0-2a_0\hfill \\ z_2=x_1\hfill \\ z_3=x_7+x_2-2a_1\hfill \\ z_4=x_7+x_3-2a_2\hfill \\ z_5=x_4\hfill \\ z_6=x_5\hfill \\ z_7=x_6\hfill \end{array}\right.$$

(50)

The equation with two variables can be eliminated because it is just the substitution. So, multiplication by 2 requires 3 additional equations and 6 additional bits. Multiplication by 3 can be considered as follows:

$$\begin{array}{c}\hfill x\times 3=x\times (2\oplus 1)=x\times 2\oplus x\end{array}$$

(51)

The XOR operation requires one additional equation and one additional bit per bit. So, multiplication by 3 requires $3+8=11$ additional equations and 22 additional bits.

3.4.2. The Full MILP for the AES

After handling the step with Rijndael’s finite field (Section 3.4.1), other operations are quite easy and consist of only simple gates from Table 4. So we can build the full MILP for AES as in the MD5 case (Section 3.2).

The AES uses a key which can be longer than the message (AES-256 has 256 bits for key and 128 bits for the message). Therefore, one raw message and its cipher are not enough for restoring the full key. However, two known messages (with their ciphers) have a sufficient total length. Therefore, we built two copies of the same linear system (QUBO) for the AES with different known messages (and known) ciphers but linked with the same key. After optimization of these problem, we obtain the key. However, there exists another approach based on the system of quadratic equations; see [23] and the references therein.

3.5. Summary about Cryptography

In

Table 5. Comparing table of problems size.

MD5	SHA-256	AES-128	AES-192	AES-256
17,280	47,808	≈90,000	≈2 · 100,000	≈2 · 125,000

, we calculate the required number of bits in the MILP and qubits in the QUBO, and they are about the same. More precisely, we show the number of variables for the system of linear equations. For inequalities, the numbers of variables differ but remain close. For the AES, the estimates are made with the order of magnitude accuracy.

Unfortunately, the current D-Wave quantum annealer has limited connectivity between the variables. Therefore, before running an experiment at the D-Wave, a user has to embed the original graph into any of the D-Wave’s types of graphs: Chimera or Pegasus. There are methods for embedding an arbitrary graph into these graphs [5,24] which are implemented in the D-Wave software package. We tried to embed our graph from the hash function for one round because the QUBO in each round is the same and connects with a small number of qubits with the QUBO from other rounds. Therefore, embedding the full QUBO based on the merged embeddings is a promising approach since it uses a specific structure of the considered problem. In

Table 6. Average number of qubits after embedding for different graphs at D-Wave for one round of hash functions. In the SHA-256 case, D-Wave did not find embedding on the Chimera graph.

	MD5	SHA-256
Original	224	415
Chimera	943.2	-
Pegasus	461.1	1205.9

, one can see the difference between the number of qubits in the original problem and their number in the problem on the specific graphs of the D-Wave. Unfortunately, we did not implement the corresponding code for the AES yet; this will be a subject of the forthcoming publication.

4. Discussion and Conclusions

We developed the methods for representing any Boolean function as a set of constraints in the mixed-integer linear programming and quadratic unconstrained binary optimization problem with the binary and continuous auxiliary variables. In particular, we investigated the possibility of applications of the developed method for the solution of the cryptographic problems known as a pre-image attack on the hash function, such as the MD5 and SHA256.

The first method represents the Boolean function as one linear equation in the original binary variables and, possibly, ancillary binary variables, which become additional variables of the obtained MILP problem. The method is based on the successive solving of a set of special integer CP problems until the coefficients of the desired linear equation are obtained. Any standard ICP solver may be used; we used the CPLEX solver.

The second method represents the Boolean function as a set of linear inequalities in the original binary variables and one additional continuous variable (representing the value of the function). The method is based on identifying the Boolean function (on n binary variables) with the kind of graphical representation, i.e., the set of $2^n$ points of the unit cube in ${\mathbb{R}}^{n+1}$. Then, these points are treated as vertices of a convex polyhedron in ${\mathbb{R}}^{n+1}$. To obtain the desired system of linear inequalities, the V-representation of this polyhedron should be converted into H-representation, a set of affine half-spaces of polyhedron facets, i.e., a set of the affine inequalities (one inequality per each affine half-space). For this conversion, we used the LRS application [13], which is a general purpose tool for polyhedron handling.

Note that the first method gives fewer constraints (only one equation per Boolean function) but more ancillary binary variables, while the second method does not require any additional binary variables but instead requires a number of additional linear inequalities. The final decision on the choice between the either first or second method is a trade-off between the number of binary variables and the number of linear constraints in the obtained MILP problem.

Both methods can be used for reformulating the important cryptanalysis problems (pre-imaging of hash functions or breaking symmetric ciphers) based on the Boolean expressions for the MILP problems. Moreover, these methods are applied for formulating the QUBO, deriving it from the given Boolean function (see also [4,5]) and can be used as alternative methods for generating the QUBO with a low number of bits.

Note that for the quantum annealers, the first method is preferable, because most promising quantum annealers proceed along the special type of optimization problems, namely the quadratic unconstrained binary optimization one. The straightforward approach to transform the MILP problem into the QUBO is to convert the linear constraints into the quadratic penalties known as summands of the QUBO problem criterion.