Imagine an SCA on AES where the attacker can retrieve the leaks from the output of all the sboxes of the first two rounds. Find the key candidates in the most efficient way possible.
Input: an input $x$, all the sbox output’s leak $( l_i )$ for the first 2 rounds.
Output: a list of key candidates $( k )_i$
The reasons behind the solver are briefly explained in this freebie and a longer explanation of the algorithm can be found here.