SAT Solving Using XOR-OR-AND Normal Forms
Abstract
This paper introduces the XOR-OR-AND normal form (XNF) for logical formulas. It is a generalization of the well-known Conjunctive Normal Form (CNF) where literals are replaced by XORs of literals. As a first theoretic result, we show that every CNF formula is equisatisfiable to a formula in 2-XNF, i.e., a formula in XNF where each clause involves at most two XORs of literals. Subsequently, we present an algorithm which converts Boolean polynomials efficiently from their Algebraic Normal Form (ANF) to formulas in 2-XNF. Experiments with the cipher ASCON-128 show that cryptographic problems, which by design are based strongly on XOR-operations, can be represented using far fewer variables and clauses in 2-XNF than in CNF. In order to take advantage of this compact representation, new SAT solvers based on input formulas in 2-XNF need to be designed. By taking inspiration from graph-based 2-CNF SAT solving, we devise a new DPLL-based SAT solver for formulas in 2-XNF. Among others, we present advanced pre- and in-processing techniques. Finally, we give timings for random 2-XNF instances and instances related to key recovery attacks on round reduced ASCON-128, where our solver outperforms state-of-the-art alternative solving approaches.
Key words and phrases:
SAT solving, XOR constraint, algebraic normal form, implication graph, cryptographic attack1991 Mathematics Subject Classification:
03B70; 13P15; 05C90; 94A601. Introduction
SAT solvers are programs which decide the Boolean Satisfiability Problem for propositional logic formulas. In the last decades there has been a substantial effort to improve their performance, and they have grown into versatile tools for tackling computational problems in various domains such as automatic theorem proving, graph theory, hardware verification, artificial intelligence, and cryptanalysis.
Especially problems from the latter domain have been shown to be hard for conventional SAT solvers that take a conjunctive normal form (CNF) as input. Although many new attacks on cryptosystems and other cryptographic protocols have been designed based on the idea of encoding the computational problem as an instance for CNF-based SAT solvers (see for instance [20, 23, 29, 31, 33, 34]), many problems are still out of range (e.g., see [14, 20]). This can be mainly attributed to the fact that cryptographic primitives are often built using exclusive disjunctions (XORs) of variables which lead to an exponential blow-up when encoded in CNF.
To speed up the performance of SAT solvers for such instances, one can either try to modify the problem encodings such that they lead to smaller instances (see [11, 28, 29]), or one can try to improve the solving strategy altogether. For example, the latter approach has been pursued by attempts to integrate support for XOR constraints on the input variables (see [24, 36, 39, 41]) or by combining logical SAT solving with algebraic reasoning (see [11, 26]). While purely algebraic solving techniques (as developed for instance in [9, 12, 13]) have had some success in cryptanalysis (e.g., see [4, 10, 14]), a very promising line of research seems to be to combine logic and algebraic solving paradigms.
One such attempt was initiated in [27] and refined in [26], where a new proof system called was introduced. Its input are products of linear Boolean polynomials, or, in the language of logic, disjunctions of XORs of literals. Thus the proof system is innately suitable for dealing with cryptanalytic instances, as these tend to be rich in XOR connectives. The core inference rule of is called -resolution. It is both a generalization of the classical resolution rule of propositional logic and of Buchberger’s S-polynomials which form the basis of Gröbner basis computations (see [30]). In [26] and [27] initial DPLL-based refutation methods utilizing -resolvents were introduced. As of today, no highly efficient implementation of these algorithms exists, and procedures to use for finding satisfying assignments are lacking as well.
In the first part of this paper we strive to develop efficient methods for converting propositional logic formulas to suitable inputs for type proof systems. After recalling some basic definitions and properties of the ring of Boolean polynomials in Section 2, we introduce and study a new XOR-based normal form in Section 3. More precisely, the new normal form is called the XOR-OR-AND normal form (XNF) for propositional logic formulas (see Definition 3.2). It generalizes the CNF by replacing the literals with XORs of literals which we simply call linerals. From an algebraic perspective, a lineral corresponds to a linear Boolean polynomial, and a disjunction of linerals corresponds to a product of linear Boolean polynomials. Using this identification, one sees that formulas in XNF occur naturally in the proof system . Since XNF generalizes CNF, it is clear that every propositional logic formula is equivalent to one in XNF.
While conversions from the algebraic normal form (ANF) of a Boolean polynomial to the CNF of the corresponding propositional logic formula and back have been studied carefully (see for instance [11, 28, 29]), conversions to systems offering some native support for XOR have been introduced only sparingly and elaborated much less systematically (see [32, 36, 39]).
It is well-known that one can introduce new variables and convert every Boolean polynomial system to one involving only polynomials of degree at most two. Here we show that, in fact, every XNF formula is equisatisfiable to one in 2-XNF, i.e., to an instance of XNF where each clause involves at most two linerals (see Proposition 3.7). Algebraically speaking, systems of quadratic Boolean polynomial equations can be transformed to systems consisting of products of at most two linear polynomials. Furthermore, we try to optimize this transformation by introducing as few additional variables as possible (see Propositions 3.15 and 3.17). To illustrate the potential of the conversion to 2-XNF, we apply it to instances related to algebraic attacks on the cipher (see [18]) which was recently selected for standardization by NIST for lightweight cryptography. We get 2-XNF representations which are substantially more compact than state-of-the-art representations in CNF (see Example 3.22).
In the second part of the paper we make use of this 2-XNF representation and take the first few steps towards translating the foundations of efficient CNF-based SAT solving to XNF-based SAT solving. In particular, using ideas based on efficient 2-CNF solvers and CNF pre-processing (see [5, 25]), we develop a graph based 2-XNF solver. To start with, we define an implication graph structure (IGS) for a given formula which consists of a set of linear Boolean polynomials known to be in the ideal , which is the algebraic representation of , and a directed graph whose edges mean that implies (see Definition 4.1 and Remark 4.2). Our solving algorithm then starts with a trivial IGS for (see Remark 4.4) and simplifies it using a suitable ordering on the IGSs (see Definition 4.6). Then we gradually improve the IGS by propagation, in-processing and guessing until we arrive at an implication graph structure with an empty graph, i.e., a case where the corresponding ideal is generated by linear polynomials. Given that the guesses were correct, a satisfying assignment for can be deduced immediately from a solution of the corresponding system of linear equations. The improvement of an IGS is measured in terms of the size of the linear part and in the size of the graph .
Propagation is achieved using a generalization of the classical Boolean constraint propagation which we call Gaußian Constraint Propagation (see Proposition 4.8). Two pre-processing methods are examined which yield new linear forms or new edges for the IGS (see Proposition 4.10). Unfortunately, they are too expensive to be executed repeatedly during the main solving procedure. For such in-processing methods, we provide two more efficient suggestions. Firstly, using the calculation of strongly connected components of , we are able to reach an acyclic graph (see Proposition 4.13). Secondly, we introduce the notion of failed linerals (see Definition 4.14) and apply them in order to learn new linear polynomials in (see Proposition 4.17).
Several heuristics for producing good decisions for an IGS, i.e., for making good guesses (see Definition 4.20) are discussed next. Moreover, we offer some suggestions how to implement these heuristics efficiently (see Remarks 4.22 and 4.23). Finally, we combine everything and present our new graph-based 2-XNF solver (see Proposition 4.24) together with suggestions how to implement it well using suitable data structures (see Remark 4.25).
The last section contains the results of some experiments and comparisons to established CNF-based SAT solvers, especially ones that offer some support for XOR constraints. Usually, they allow separate XOR constraints on variables in addition to a CNF, a type of input that is known as CNF-XOR. One of the first solvers for such formulas was described in [38, 39] and is implemented in . Another one is (see [36]) which uses stochastic local search methods for CNF-XOR inputs. The solver allows ANF and CNF inputs, but no CNF-XOR inputs (see [11]). Moreover, we compare our method with the winner of the 2023 SAT competition (see [22]) which admits CNF formulas.
In our experiments we compare the new 2-XNF solver using the three decision heuristics explained in Section 4 to the CNF-XOR solvers and , to the algebraic solver (see [9]), to a brute force XNF solver , and to the CNF solver . We created timings for two types of inputs. The first type are random 2-XNF instances. It turns out that our graph based 2-XNF solver involving merely some basic DPLL techniques outperforms state-of-the-art solving approaches on small random instances, both for satisfiable and unsatisfiable cases (see Figures 4(a) and 4(b)).
The second type of experiments was to try the solvers on key recovery attacks for round reduced versions of the cryptosystem. This lightweight cipher was recently selected for standardization by NIST. Again it turns out that, even with our very simple decision heuristics, the graph based 2-XNF solver performs surprisingly well (see Figure 5). Here it may be worthwhile to note that some of these round reduced key recovery attacks can be solved already in the pre-processing phase. Altogether, one main advantage of XNF solving is that the more compact problem representations require fewer decisions, and this leads to meaningful speed-ups. Finally, let us point out that the desirable extension of XNF solving to include CDCL techniques is not straightforward and will require non-trivial new tools.
Due to its simpler description, we chiefly use the algebraic point of view when we work with formulas in XNF, i.e., we regard them as products of linear Boolean polynomials. Unless explicitly noted otherwise, we use the definitions and notation introduced in [28] and [30]. The algorithms of Section 3 were implemented by B. Andraschko and the solving methods of Section 4 by J. Danner. All source code is available at https://github.com/j-danner/2xnf_sat_solving.
2. The Ring of Boolean Polynomials
Throughout this paper we let be the field with two elements, , and the polynomial ring over in the indeterminates . Recall that the ring of Boolean polynomials is
where is also called the field ideal in . Whenever additional indeterminates are required, we write
where . For and , we denote the residue class of in and by and the residue class of in by . These residue classes will be called the indeterminates of and , respectively, and the elements of these rings are called Boolean polynomials.
Every Boolean polynomial can be uniquely written as a sum of distinct square-free terms, where a term is a product of distinct residue classes . This is known as the algebraic normal form (ANF) of . (See for instance [26, Sec. 2.1] or [8] for an in-depth study of ANFs.) Altogether, we have as an -algebra and .
Given in ANF, replacing each by yields its canonical representative . Then the support of is and the degree of is given by
The -linear span of all Boolean polynomials of degree plays a major role subsequently. It is denoted by
and called the vector space of linear Boolean polynomials. (Note that includes the element 1.)
In Section 4 we also need division with remainders for Boolean polynomial rings. Let be a term ordering on , and let be Boolean polynomials in ANF. Let be the canonical representatives of , respectively. Then the normal remainder of under the division by is defined by
Moreover, we denote the ordering induced by on the terms in by again and call the leading term of with respect to . For the definitions and an explanation of these concepts in see [30], Chapter I, and for more details about orderings on Boolean polynomial rings see [8].
3. Logical Representations of Boolean Polynomials
In the following we let be the ring of Boolean polynomials. Our goal is to connect Boolean polynomials to propositional logic formulas. We assume that the readers are familiar with the syntax of propositional logic and identify as well as .
Definition 3.1.
Let be a subset of , and let be a propositional logic formula in the logical variables .
-
(a)
The set for all is called the zero set of .
-
(b)
The set is called the set of satisfying assignments of .
-
(c)
Given an ideal in , a propositional logic formula is called a logical representation of if .
-
(d)
Given a propositional logic formula , the uniquely determined ideal in such that is called the algebraic representation of .
Recall that is a principal ideal ring in which every ideal has a unique generator and that every propositional logic formula is equivalent to a formula in conjunctive normal form (CNF). Effective transformations between these representations have been studied extensively (see for instance [11] and [29]).
One disadvantage of converting Boolean polynomials to CNF is that sums correspond to XOR connectives and a long chain of XOR connectives yields an exponentially large set of CNF clauses. To address this problem, we introduce a new type of normal form next. Afterwards, we examine algorithms for converting Boolean polynomials to this normal form and back.
Definition 3.2 (XOR-OR-AND Normal Form).
Let be a propositional logic formula.
-
(a)
A formula of the form with literals is called a lineral.
-
(b)
A disjunction of linerals is called an XNF clause.
-
(c)
The formula is said to be in XOR-OR-AND normal form (XNF) if is a conjunction of XNF clauses.
-
(d)
Let . If is in XNF and every XNF clause of involves at most linerals then we say that is in -XNF.
Notice that every literal is also a lineral. Hence every formula in CNF is already in XNF. The negation of a lineral is a lineral because of
Moreover, every lineral is equivalent to a lineral of the form or .
Observe that [36] introduces a normal form with the same name, but for formulas that consist of CNF clauses and XOR constraints on the variables. In the terminology defined here, these are XNF unit clauses. We also refer to a formula of this type as a CNF-XOR, consistent with related research (see [19, 29, 32, 38, 39, 41]).
The motivation for introducing the XNF is its algebraic representation which can be described as follows.
Remark 3.3.
Let be propositional logic variables.
-
(a)
Let be a lineral with . Then the algebraic representation of is the ideal in . Thus linerals correspond to linear polynomials in .
-
(b)
Let be linerals, and let be an XNF clause. For , let be the algebraic representation of . Then is the algebraic representation of . Thus XNF clauses correspond to products of linear Boolean polynomials.
-
(c)
Let be XNF clauses, and let be a logical formula in XNF. For , let be the product of linear Boolean polynomials representing . Then the algebraic representation of is the ideal in .
For the converse transformation, we could use the logical representation of a Boolean polynomial which is in CNF, and hence in XNF. However, as we are striving for logical formulas in XNF which have few and short clauses, i.e., correspond to few low-degree Boolean polynomials, we proceed along a different path in the following two subsections.
Moreover, the XNF is the natural input to the proof system (see [26]), and therefore builds the basis for any -based solving algorithms.
3.1. Reduction of Formulas in XNF to 2-XNF
It is a well-known property of propositional logic formulas that they can be transformed to equisatisfiable formulas in 3-CNF by introducing additional variables. In the following we focus on an analogous transformation of formulas in XNF.
Definition 3.4.
Let , and let for some . Then we write if the projection map defined by induces a bijection .
The relation has the following useful properties.
Remark 3.5.
Let be a logical formula involving the variables , and let be a formula involving the variables .
-
(a)
If we have then the formulas and are clearly equisatisfiable. More precisely, the satisfying assignments of are in one-to-one correspondence with the satisfying assignments of via the projection to the first coordinates.
-
(b)
In general, the relation is not symmetric, but it is transitive in the following sense. Let , let , let , and let . If we have and then .
The following lemma provides the key step for the reduction of formulas in XNF to 2-XNF. It can be easily verified using a truth table.
Lemma 3.6.
Let be two linerals, and let be an additional logical variable. Then we have
Notice that the left side of the equivalence in this lemma is symmetric in and . Thus, swapping and on the right-hand side of the equivalence also yields an equivalent formula. The following Algorithm 1 converts logical formulas in XNF to 2-XNF.
Proposition 3.7.
Let be a propositional logic formula in XNF involving logical variables. Then is an algorithm which returns a logical formula in 2-XNF such that .
Proof.
As the number of linerals in is decreased with every execution of Line , the loop in Lines - stops after finitely many iterations. Thus the algorithm terminates after finitely many steps.
To prove correctness, we first observe that every XNF clause which is added to contains at most two linerals, so the output formula is indeed in 2-XNF. Moreover, by Lemma 3.6, we have
in Line of the algorithm. Hence we obtain in Line , where and denote the values of and , respectively, after their modification inside the loop (Lines -). By Remark 3.5.b, this implies after every iteration of the outer loop (Lines -), and consequently after its termination. ∎
Example 3.8.
Consider the formula in 3-CNF. Applying to yields the logical formula
where is a new variable, and we have .
Remark 3.9.
Suppose a formula is in -XNF for some and contains XNF clauses. Then introduces at most new variables and new clauses, since at most new variables are added for each clause. This shows that every formula in CNF can be converted to a formula in 2-XNF in polynomial time. Consequently, the decision problem for 2-XNF instances is NP-complete.
In spite of this seemingly negative worst-case complexity, it is well-known that 2-CNF formulas can be solved in linear time (e.g., see [5]). In Section 4, we will further address how some of the core ideas of 2-CNF solving can be translated to solving formulas in 2-XNF. Finally, note that one can not only reduce the size of the XNF clauses, but also the length of its linerals, i.e., the number of variables it contains, by using additional variables.
Remark 3.10.
Let be linerals with . If is an additional logical variable, then we have . Repeated application and addition of new variables shows that every XNF formula can be reduced to a 2-XNF formula in which each lineral is a XOR of at most variables.
3.2. 2-XNF Representations of Boolean Polynomials
In order to apply 2-XNF solving algorithms to practical instances, we first need to create tools to convert problems given via Boolean polynomials in ANF to logical formulas in 2-XNF.
A straightforward approach is to search for XORs of variables in a CNF representation of the problem which correspond to XNF clauses of size as for instance done in [36]. While this produces XNF instances, in many situations it does not capture the XOR-rich information well. In fact we should find non-trivial XNF clauses when they exist to harness the full potential of XNF-SAT solvers. This is why we suggest to start with an ANF representation of the problem under investigation, as it is more compact and uses fewer variables. So, in this section we show how Boolean polynomials can be converted to 2-XNF. To illustrate the algorithm, we apply it to problems with a cryptographic background.
To ease the notation we switch completely to the algebraic point of view. Not only the input of our conversion algorithm is denoted algebraically, but also the output 2-XNF. In view of Remark 3.3, the following definition captures this approach.
Definition 3.11 (2-XNF Representation).
Let be an ideal in . A set of Boolean polynomials of the form with is called a 2-XNF representation of if .
Similarly, a set as above is called a 2-XNF representation of a Boolean polynomial if is a 2-XNF representation of .
Now Proposition 3.7 immediately implies the following result.
Corollary 3.12.
Let be an ideal in . Then there exists a 2-XNF representation of .
The next proposition shows a direct way to compute 2-XNF representations of certain polynomials. It is an algebraic formulation of Lemma 3.6.
Proposition 3.13.
Let , where , and let
Then we have . In particular, the set is a 2-XNF representation of .
Proof.
From , we obtain and hence . Moreover, we have and , which implies and hence . ∎
Remark 3.14.
To see the connection with Lemma 3.6, let , and be linerals and be an additional variable. Let such that is the algebraic representation of for and is the algebraic representation of . Then is the algebraic representation of , is the algebraic representation of , and is the algebraic representation of .
Proposition 3.13 immediately yields the following Algorithm 2 for computing a 2-XNF representation of a given Boolean polynomial.
Proposition 3.15.
Let . Then is an algorithm which returns a 2-XNF representation of .
Proof.
First we see that in each iteration of the inner loop (Lines -), the degree of decreases by one, so it eventually reaches 1. Moreover, the polynomial is updated in Line in such a way that the term in the support of is replaced by a term of smaller degree. Thus the outer loop (Lines -) terminates eventually and the procedure stops in Line . In particular, at this point is linear and all elements of are linear or products of two linear polynomials. Hence the output is in 2-XNF.
For the correctness, assume that we are in the -th iteration of the inner loop (Lines -). Denote the values of and after the -th iteration by and , respectively. Here we let and denote the initial input value of . Consider the ideals and . For , we see that if and only if and . Hence .
Now observe that , and hence . Thus Proposition 3.13 shows . Therefore we have after every iteration of the inner loop, i.e., the output in Line is indeed a 2-XNF representation of the input . ∎
Example 3.16.
Consider the polynomial . The ideal is the algebraic representation of the clause . We introduce a new indeterminate and construct the ideal
Then we have , which shows that the set is a 2-XNF representation of . Notice that corresponds to the 2-XNF formula
in the variables .
Notice that employs Proposition 3.13 only for replacing products of two indeterminates. For quadratic polynomials, this uses one additional variable for every non-linear term. With the following optimised Algorithm 3, one may replace more than one term at a time.
Proposition 3.17.
Let with . Then is an algorithm which returns a 2-XNF representation of .
Proof.
After each iteration of the loop (Lines -), the support of contains fewer non-linear terms. Therefore eventually becomes linear and the loop terminates.
For proving correctness, consider the iterations of the loop. As in Proposition 3.15, we see that , where and denote the values of and after the -th iteration, and is the initial value of . In particular, this shows that we have after every iteration. Thus the output is a 2-XNF representation of the input . ∎
To implement Line of efficiently, we may use different approaches. The following remark collects some of them.
Remark 3.18.
Let be of degree . In order to find such that contains fewer quadratic terms than , we may use one of the following methods.
-
(a)
Write with and such that no term in the support of is divisible by . Then the support of is a proper subset of . In particular, it contains fewer quadratic terms. Repeating this step requires at most substitutions until all non-linear terms in have been replaced. Hence any quadratic polynomial has a 2-XNF representation that uses fewer than additional indeterminates, even though the support of may contain up to quadratic terms.
-
(b)
Let be new indeterminates, and let
be a product of two generic linear Boolean polynomials. By multiplying out, we obtain a representation
with .
Write with . If we find a tuple such that as many of the equations as possible are satisfied, then the linear Boolean polynomials and satisfy the property that contains as few quadratic terms in its support as possible. Such a tuple can be found using an OMT solver, e.g., using (see [37]), or by rephrasing the optimization problem as a MaxSAT problem and using an adequate solver, e.g., using (see [16]).
The strategy of part (b) works well on small inputs, say polynomials having fewer than 20 indeterminates. For cases involving larger numbers of indeterminates, it is better to combine part (a) with the next observation.
Lemma 3.19.
Let and with and . Then we have for
Proof.
Let where and . Then or , and . This shows or . Both imply . ∎
Using the method of Remark 3.18.a, we can now find many distinct pairs with . Applying the Lemma randomly to two such pairs of linear polynomials, we find more pairs with . Repeating this procedure for some time can generate many non-trivial such pairs, and we can simply choose the one which eliminates the most non-linear terms. This has proven to produce very good results, even for polynomials with a high number of indeterminates.
Example 3.20.
Let us apply Algorithm to the Boolean polynomial . In Line 4 we try to cancel out as many non-linear terms as possible, following the above approach. Using Remark 3.18.a, we see that and . By applying Lemma 3.19 with and , we get . Let be a new indeterminate and write . Now we replace by and set
Notice that the loop now ends, as is linear, and the 2-XNF representation of is returned. This corresponds to the 2-XNF formula
in the variables .
After discussing the effective computation of 2-XNF representations of individual polynomials, we now turn our attention to Boolean polynomial ideals given by several generators. In this case we can avail ourselves of the following approaches.
Remark 3.21.
Let , and let . The following methods can be applied to find a 2-XNF representation of .
-
(a)
The most basic approach is to apply (or ) to for and to combine the individual 2-XNF representations to get one for . Unfortunately, this tends to introduce more additional variables than necessary, since the same terms in different polynomials will be replaced with distinct additional indeterminates.
-
(b)
If are quadratic, the problem in (a) can be counteracted as follows. During the computation of the 2-XNF representations of the , we remember how the additional indeterminates were used to substitute products in the execution of Lines - of . After those individual conversions, we compute an -basis of the set of relations
Then we return the union of all the individual 2-XNF representations and . Each of these linear Boolean polynomials eliminates one variable in the process of computing .
In particular, instances coming from cryptographic attacks can be converted efficiently using those approaches. In many ciphers the only non-linearity appears in the so-called S-Boxes. Usually, these involve only a small number of indeterminates, i.e., they can be represented by relatively few non-linear polynomials in a small number of indeterminates. To illustrate this approach, let us examine the encryption map of the cryptosystem (see [18]) which has been selected for the standardization of lightweight ciphers by NIST.
Example 3.22.
As specified in [18], the cryptosystem is a 128-bit lightweight cipher.
-
(a)
Let be the 5-bit S-box used in the cipher. Consider the Boolean polynomial ring and let be the vanishing ideal of the set of points . Using [6], we know that is generated by five quadratic polynomials in . Applying together with the method from Remark 3.18.b and Remark 3.21.b, we obtain a 2-XNF representation of consisting of products of two linear polynomials and not a single additional indeterminate.
-
(b)
Altogether, these methods construct a 2-XNF representation of the entire cipher (processing bytes of plaintext) involving as little as variables and clauses.
This shows that encoding XOR-rich formulas in 2-XNF yields far more compact representations than state-of-the-art conversions to sets of CNF clauses.
Remark 3.23.
To efficiently store instances in XNF, we suggest a derivation of the established DIMACS standard for CNFs: in the place of literals (encoded as -L or L) we encode linerals as literals connected (without whitespace) with the symbol +. Then the S-Box has the following XNF-representation:
p xnf 10 10
-2 4+5+6 0
2+3 -1+2+4+5+7 0
-1 2+3+9 0
-2+3 1+5+7 0
-2 1+4+10 0
-4 2+3+8 0
1 -2+3+4+5+9 0
2 -1+3+4+6 0
2 -4+5+10 0
4 2+3+5+8 0
Note that solvers supporting this encoding can also process usual DIMACS CNF files correctly.
4. Graph-based 2-XNF SAT Solving
It is well-known that a satisfiable assignment of a 2-CNF instance , i.e., a propositional logic formula in CNF where every clause has at most two literals, can be found with linear time and space complexity (see [5]). The key idea is to express the formula by a (directed) implication graph whose set of vertices is the set of literals occurring in and their respective negations, and for which every clause of corresponds to the pair of edges and . Then a greedy algorithm working along a topological ordering of the strongly connected components of this graph constructs a satisfying assignment. In this section we present a graph-based 2-XNF solver that follows a DPLL approach where the above ideas form the basis of the in-processing step.
4.1. Implication Graph Structures
Recall that, for a propositional logic formula in 2-XNF, the algebraic representation is of the form
for some . Based on the central idea of implication graph based linear time 2-CNF solving, we introduce the following notion.
Definition 4.1 (Implication Graph Structures).
Let be a formula in 2-XNF.
-
(a)
A tuple , where and , is called an implication graph structure (IGS) for if the following conditions are satisfied:
-
(1)
.
-
(2)
(Skew-Symmetry) For all , we have .
-
(3)
For all , we have .
-
(1)
-
(b)
Let be a term ordering. An IGS for is called -reduced if the polynomials in have pairwise distinct leading terms and
For an IGS , the pair is clearly a graph. Such graphs are called implication graphs in view of the following observation.
Remark 4.2.
Let be an IGS for a formula , and let . By definition, we then have , and therefore
In other words, if the source node of an edge in the graph is contained in the ideal , then its target node is in , too. The set simply collects all known linear information of .
Given an IGS for a formula , a sequence with for is called a path in . In this case we also write .
Lemma 4.3.
Let be an IGS for a formula , and let be a path in . Then we have .
Proof.
This lemma implies that the transitive closure of yields an implication graph structure for . It is easy to find an implication graph structure for a formula in 2-XNF, as the next remark indicates.
Remark 4.4 (Trivial Implication Graph Structures).
Let be a formula in 2-XNF with an algebraic representation of the form
where are pairwise distinct.
-
(a)
Then the implication graph structure given by ,
is called the trivial implication graph structure for .
-
(b)
The implication graph structure given by ,
is called the extended trivial implication graph structure for .
In both cases the size of the graph is linear in the input size of the formula , because we have and .
Example 4.5.
Let be a formula in 2-XNF with algebraic representation
Then the trivial IGS of is where and is the graph given in Figure 1.
Our solving algorithm starts with such a trivial IGS for and improves it gradually by propagation, in-processing and guessing until we arrive at an IGS with an empty graph, i.e., a case where the corresponding ideal is generated just by linear polynomials. Given that the guesses were correct, a satisfying assignment of can then be deduced immediately from a solution to the corresponding system of linear equations. This improvement is measured in terms of the size of the linear part and in the size of the graph . The following relation specifies this in detail.
Definition 4.6.
Let be a formula in 2-XNF, and let as well as be two implication graph structures for . Then we write if and only if and . Moreover, if one of the two conditions is strict, we write .
The relation defines a partial quasi-ordering on the set of all implication graph structures, i.e., it is reflexive, transitive, and by the following lemma it satisfies the descending chain condition. The latter property is the key ingredient for proving finiteness of the upcoming algorithms.
Lemma 4.7 (Descending Chain Condition for Implication Graph Structures).
Let be a formula in 2-XNF. Then there is no infinite, strictly descending chain of implication graph structures for .
Proof.
For a contradiction, assume there is an infinite strictly descending chain of implication graph structures for . By definition, it follows that there is an ascending chain of subspaces in . Since is a finite-dimensional -vector space, this chain becomes eventually stationary, i.e., there exists a number such that for all . By Definition 4.6, this implies for all . In this way, the form a decreasing sequence in which eventually becomes stationary. Consequently, at some point in the sequence, we have and , i.e. the chain is not strictly decreasing. ∎
To conclude this section, we present the updating Algorithm 4 of our solver which computes the -reduction of any given IGS. The method is an adaption of Gaußian Constraint Propagation (see [26, Algorithm 5.7]) to implication graph structures. Note that Gaußian Constraint Propagation itself is a generalization of Boolean Constraint Propagation, also known as Unit Propagation, in traditional CNF-based SAT solvers.
Proposition 4.8.
Let be a term ordering, let be a formula in 2-XNF, and let be an IGS for . Then is an algorithm which returns a -reduced implication graph structure for such that .
Proof.
Since is an IGS for , we have and for every pair . Thus we see that holds in Line .
For , this yields , and for , we get . For all other cases, where , , or , we have , and the corresponding edge can be ignored. This shows that after Lines - have been executed, the tuple is indeed an IGS for . Moreover, is -reduced, because for all we have by construction.
Finally, note that we always have and . This implies for every iteration of Lines -, and this relation is strict if . By Line , these steps are repeated as long as this is the case, and the implication graph structures resulting from these iterations form a strictly descending chain. By Lemma 4.7, this chain must be finite, i.e., there can only be finitely many iterations, and the procedure has to terminate in Line . ∎
4.2. Pre-Processing Techniques
In this subsection we present two results which allow us to deduce new information from a given implication graph structure. The first one derives new linerals, and the second one finds new edges between the vertices of a given implication graph. These techniques are computationally rather expensive and should be seen as pre-processing techniques which are only applied once before the main solving procedure.
Definition 4.9.
Let be a formula in 2-XNF, and let be an IGS for .
-
(a)
The set of descendants of a vertex is defined by
Note that we consider as a descendant of itself, since we have .
-
(b)
The vector space will be called the space of descendants of .
Note that, for a vector subspace of , we let be the affine subspace of representing the negation of . The space of descendants of has the following useful properties.
Proposition 4.10.
Let be a formula in -XNF, let be an implication graph structure for .
-
(a)
For all and , we have .
-
(b)
Let . If then .
-
(c)
For all , we have .
Proof.
To show (a), let . We write with . By Lemma 4.3, we have for . Hence we obtain .
To prove (b), let and . Then (a) implies and . This shows
For the proof of (c), let . From (a) we get and , and therefore . ∎
Example 4.11.
Using this proposition, we construct the following straightforward pre-processing Algorithm 5. It runs in polynomial time in the size of and can find new linear information as well as new edges. Notice that numerous intersections of affine -subspaces of have to be computed.
It is clear that there is room for optimization of this algorithm if does not contain any cycles. In this case it suffices to check whether (see Line ) initially only for sources of , i.e., for vertices with no incoming edges. Only if those spaces have a non-empty intersection, we need to consider their corresponding descendants. (This follows immediately from the fact that if there is a path .) Even with this optimization, finding new edges is still computationally quite expensive. Hence Lines and are skipped in our implementation by default.
4.3. In-Processing Techniques
Next we introduce two algorithms which deduce new linear polynomials from a given implication graph structure more efficiently. Therefore they are suited as default in-processing techniques during the main solving procedure. In particular, the methods we look at here are (partial) generalizations of the notions of equivalent and failed literals, as discussed in [25].
As usual for directed graphs , a subset is called a strongly connected component (SCC) of if, for all , there is a path in and if is maximal with this property. It is well-known that for any directed graph, the set of all SCCs can be computed in space and time (see [40]). The following proposition indicates how these components can be used to deduce new linear information.
Proposition 4.12.
Let be a formula in 2-XNF, and let be an IGS for . Denote the set of SCCs of by .
-
(a)
Let . Then for .
-
(b)
If is odd, then is unsatisfiable, i.e., we have .
Proof.
Due to the skew-symmetry of implication graph structures, for every strongly connected component also is an SCC of .
To show (a), we let and note that implies that there are paths and in . By the skew-symmetry, we get . This shows and , and hence as well as . By Proposition 4.10.c, we thus have .
For the proof of (b), notice that we can write for some , where we have and for . If is odd, there exists an index with . For , we then have and thus by (a). ∎
By repeatedly computing all linear polynomials resulting from the strongly connected components and propagating them using , one can update a given implication graph structure such that it contains no cycles, i.e., such that becomes a directed acyclic graph (DAG). This is important, as for many graph-theoretic problems there are linear time algorithms if the underlying graph is a DAG. Algorithm 6 performs these updates.
Proposition 4.13.
Let be a term ordering, let be a formula in 2-XNF, and let be an IGS for . Then is an algorithm which returns a tuple with the following properties.
-
(a)
The tuple is a -reduced implication graph structure for .
-
(b)
We have .
-
(c)
The graph is acyclic.
Proof.
First note that if the procedure terminates in Line , the output is correct by Proposition 4.12.b. Thus we may assume that the procedure does not terminate in Line 3.
The tuples and in Lines 1 and 6 are implication graph structures for with by Propositions 4.8 and 4.12. Moreover, if then it contains at least one linear polynomial with , as is a -reduced IGS. This shows .
Next we observe that the repeated iterations of Lines - yield a strictly descending chain of IGSs which has to become stationary after finitely many steps by Lemma 4.7. Therefore we eventually have , and the procedure terminates in Line . In that case, the graph cannot contain any cycles, as otherwise there would be a strongly connected component, and hence Line 5 would create elements in .
Finally, note that is -reduced by Proposition 4.8 and the fact that this tuple is not changed in the last iteration of Lines 2-6. ∎
As a second in-processing technique, we adapt the concept of failed literals, as discussed in [25], to our more general setting.
Definition 4.14.
Let be a formula in 2-XNF, and let be an implication graph structure for .
-
(a)
A vertex is called a failed lineral of if .
-
(b)
A failed lineral of is called trivial if there is an element with , and with or .
These literals are of interest for in-processing, if they can be found efficiently, since for every failed lineral we learn a new linear polynomial in in the following way.
Lemma 4.15.
Let be a formula in 2-XNF, and let be an IGS for . If is a failed lineral of , then .
Proof.
Let be a failed lineral of . Then yields . Using Proposition 4.10.c and , we get . ∎
To find a failed lineral, it is sufficient to check whether the vector subspace contains the constant polynomial . This can be done for instance by computing the row-echelon form of a matrix in . Thus we obtain an in-processing algorithm which runs in polynomial time and space. However, trivial failed linerals can be found in near-linear time, as the next remark indicates.
For an implication graph structure for a formula in 2-XNF, we denote the set of ancestors of a vertex by
Remark 4.16.
Let be a formula in 2-XNF, and let be an acyclic implication graph structure for .
-
(a)
For every , all common ancestors of and , i.e., the elements of , are trivial failed linerals by definition. Conversely, every trivial failed lineral is contained in for some . Thus the set consists exactly of the trivial failed linerals of .
-
(b)
If is a failed lineral then every is a failed lineral as well, since . Thus, instead of searching for all common ancestors of and , it suffices to find the so-called lowest common ancestors, i.e., the vertices such that no out-neighbour of is a common ancestor of both and .
-
(c)
For sparse graphs, one of the lowest common ancestors of two vertices can be found in constant time after a near-linear time pre-processing phase, see [15]. This produces many, but in general not all, trivial failed linerals rather quickly under the assumption that the graph is sparse (see Remark 4.4).
Our implementation does not feature this advanced method for finding trivial failed linerals, as the corresponding algorithms seem hard to implement. Instead we resort to the following simple Algorithm 7 which can be implemented using only breadth-first-searches (BFS). Moreover, unlike the method of the previous remark, it computes all trivial failed linerals.
Proposition 4.17.
Let be a formula in -XNF, and let be an acyclic implication graph structure for . Then is an algorithm which returns a set containing all trivial failed linerals of satisfying .
In particular, the algorithm can be implemented to run in time and space, where is the set of sources in .
Proof.
The finiteness of the procedure is clear, since the graph is finite. The correctness follows from Remark 4.16 and the fact that in Line the elements of are exactly the common ancestors of vertices and for all . Now follows immediately from Proposition 4.15. The claimed run-time complexity is a consequence of the observation and the facts that Lines - can be implemented by a single BFS starting at , and that Line amounts to two BFSs starting at and on the graph with reversed edges. ∎
To end this section we remark that our pre-processing algorithm is superior to our in-processing methods in that it learns at least the same linear information, but might also increase the number of edges of the implication graph.
Remark 4.18.
Let be a term ordering, let be a formula in -XNF, let be an IGS for , and let . Then we have and .
This follows immediately from the fact that is based on Lemma 4.15 whose proof already shows that all failed linerals are contained in for some . Thus these linerals are also found by .
Similarly, Algorithm is based on Proposition 4.12 whose proof shows that all linear polynomials which can be learnt here are already contained in for some . Once again, these linerals are found and propagated by . Altogether, we see that essentially emulates both and . As a consequence, Algorithm also ensures that its output implication graph structure is acyclic.
While this shows that pre-processing with is more powerful than in-processing with and , keep in mind that it is also rather expensive due to its polynomial runtime.
Example 4.19.
Let be the IGS from Example 4.11, then we have , since there is a path (see Figure 2). This shows that is a failed lineral and we get . An application of to yields the IGS where and is given in Figure 3.
Notice that has two strongly connected components. Thus we can use Proposition 4.12.a with the SCC to get . Another application of to yields the IGS for with . By definition we now have , i.e., a solution of can be found by solving a system of linear equations.
Note that this is exactly the IGS that is also derived by applying to from Example 4.5.
4.4. Decision Heuristics
Before we introduce our main DPLL-Solving Algorithm in the final subsection, we discuss decision heuristics, i.e., methods to make good guesses. First of all, let us define what we precisely mean when we talk about decisions.
Definition 4.20.
Let be a formula in -XNF, and let be an IGS for . A decision for is a tuple with such that the following conditions are satisfied.
-
(a)
and .
-
(b)
.
These conditions ensure that guessing either or will lead to a solution of – if there exists one at all. Moreover, it means that a decision for implies that and satisfy and , i.e., both parts of the decisions improve our implication graph structure.
Traditionally, CNF-based SAT solvers use decisions of the form or . Our more general point of view on decisions allows us to guess multiple linerals at once. Before we explicitly suggest three decision heuristics, let us consider the following general constructions.
Proposition 4.21.
Let be a term ordering, let be a formula in -XNF, and let be a -reduced IGS for .
-
(a)
For every , the tuple is a decision for .
-
(b)
If is a path in then is a decision for .
Proof.
Let . Then the fact that is -reduced yields . For every , we have or . This shows that is a decision for . Now it suffices to note that by Proposition 4.10 and Remark 4.2.
Next we let be a path as in (b). Then we have , since is -reduced. Consider a point . If then and , i.e., we have . Otherwise, we have . In this case is a zero of . Using Proposition 4.10, we deduce from that is a zero of for all with , as there is a path in .
It follows that vanishes at for all . This shows that the point is a zero of for all . Finally, we get that , and the claim follows. ∎
This proposition allows us to introduce several simple decision heuristics. In the next section, we will see that they prove quite effective on certain types of inputs.
Remark 4.22 (Decision Heuristics).
Let be a term ordering, let be a 2-XNF formula, and let be a -reduced acyclic IGS.
MaxReach. Find a source such that the number of paths starting at is maximal. Then we consider the decision . Since is a source, the vertex has no in-going edges. Thus the skew-symmetry of implies that has no out-going edges. This yields .
MaxBottleneck. Instead of focusing on the first part of the decisions, another approach is to find such that the sum of the number of paths ending in and the number of paths starting at is maximal. Then we consider the decision .
MaxPath. Let be a maximal path in . Then we consider the decision . Conceptually speaking, this means that instead of guessing vertices in the graph, we guess the edge , i.e., the polynomial . In view of the proof of Proposition 4.21 and of Remark 4.2, this yields a strongly connected component of .
While the first two of these heuristics are close to the classical approach to decisions, the MaxPath heuristic is a rather new one. Note, however, that these heuristics are just some initial suggestions and should be combined with well-studied heuristics of established CDCL SAT solvers. Unfortunately, the adaptions of those heuristics to linerals are not straightforward.
The heuristics suggested in the previous remark are designed such that we can compute them efficiently, i.e., in linear time and space. Let us give some more information on how this can be done.
Remark 4.23 (Efficient Implementation of Decision Heuristics).
Recall that a topological ordering of a directed acyclic graph is a linear ordering of such that implies , and that such an ordering can be computed in linear time and space (see [5]).
MaxReach. For , denote the number of paths starting at by . Then we have for every . This means that traversing the graph in a reverse topological order once allows us to find for all . In particular, the vertex which maximizes can be found in linear time.
MaxBottleneck. Similarly, we can find the number of paths ending in each vertex by a single traversal of the graph in topological order. Thus the vertex which has the most paths starting and ending in can be found by a total of two graph traversals.
MaxPath. For , denote the length of the longest path starting at by . Then we have . The value for all can now be computed by a single traversal of the graph in a reverse topological order. By storing the vertex for which is largest at every with , the path of length starting at can be recovered in linear time. Altogether, the MaxPath heuristic can be implemented in linear time and space.
4.5. Graph-based 2-XNF DPLL-Solving
Finally, we have all the tools at our disposal to present our graph-based 2-XNF solver which is based on the well-known DPLL-technique (see [17]).
Proposition 4.24.
Let be a formula in 2-XNF with an implication graph structure , and let be a term ordering. Then is an algorithm which returns if and only if . Otherwise, it returns an element .
Proof.
First notice that Line 1 ensures that the IGS is always -reduced and acyclic. Hence Line 6 can be performed efficiently, as explained in Remark 4.23.
Next we show the finiteness of the procedure. In every iteration of Lines - where the IGS decreases strictly w.r.t. . By Lemma 4.7, we eventually reach in Line , and the loop stops after finitely many steps. For the finiteness of the recursive calls observe that if is a decision for as in Line 6, then and . This means that the dimension of increases strictly with every recursive call. Now it suffices to note that this dimension is bounded from above by , and in case we have , i.e., the procedure terminates in Line 4.
To prove correctness, note that if the algorithm terminates in Line 4, then cannot have any solution since . Similarly, if it terminates in Line 5, the implication graph must be empty and we get , i.e., . Next we show by induction on that the output in all lines is correct if for . Note that implies , i.e., the algorithm terminates already in Line 4 and is correct by the above. Now suppose that the algorithm terminates correctly if for some and let . It suffices to consider the case where the algorithm terminates in Lines 7 or 8. Note that by definition of the decision from Line 6 we have , and as above the dimension of is strictly smaller than the dimensions of and , respectively. Thus the recursive call in Line 7 terminates correctly, i.e., returns if and only if , otherwise it returns . If the algorithm does not terminate here, then we must have and the algorithm terminates with the recursive call in Line 8. Analogous to the call in Line 7, we get if and only if , which occurs if and only if . Otherwise it returns a satisfying assignment of . ∎
To obtain an efficient implementation we need appropriate data structures which support fast backtracking. The following method allows us to avoid creating a copy of the entire implication graph structures in the recursive calls of Lines and .
Remark 4.25 (Data Structures for Implication Graph Structures).
In order to store an implication graph structure internally, it is beneficial to actually store a graph based on integer vertices and a map such that and such that .
Let us suggest two data structures, one for the labeling map , and one for the graph which are tailored towards efficient backtracking.
-
(a)
To efficiently represent , we use a prefix tree, i.e., a tree whose non-root vertices are elements of , where the children of every node are bigger than their parent w.r.t. a term ordering , and where the root is . Then every vertex is associated to a vertex of the tree such that the unique path starting at the root satisfies .
Note that insertion can be performed in amortized linear time in the size of if the children are accessed by hash maps, and deletion can be performed in constant time. If needs to be copied, it suffices to copy for every . The actual linear polynomials are not copied. For the backtracking, we simply replace internally, and the previous is restored immediately.
-
(b)
For the graph itself, we suggest to use a modified lean hybrid graph representation, as devised in [1, 2, 3]. This data structure was proposed only for undirected graphs, but an extension to directed skew-symmetric graphs is possible. The data structure is rather advanced and allows backtracking of edge deletions and vertex contractions in constant time. In particular, it allows us to store any state of the graph with a space complexity of . Backtracking to such a previous state has complexity .
Altogether, it is possible to implement the algorithm with a space complexity of , where is part of the initial trivial IGS.
Notice that is based on the well-known DPLL framework. An extension to a conflict-driven clause learning (CDCL) directive encounters the following obstacles.
Remark 4.26 (Conflict-Driven XNF Clause Learning).
Although the 2-XNF theory originates from the proof system which in turn is a generalization of classical resolution, it is not easy to extend conflict-driven clause learning to 2-XNF instances. This is mainly due to two problems:
-
(1)
The resolvent of two clauses may be the zero clause, i.e., resolving the conflict clause may lead to a clause that is trivially satisfied (see [26]).
-
(2)
In general, the resolvent is not in 2-XNF, i.e., it cannot be added to the implication graph structure in a straightforward way.
Overcoming these obstacles is an important objective of future research, because CDCL techniques promise significant speed-ups of XNF solvers.
5. Experiments and Timings
In this section we evaluate the methods of Section 4 on random 2-XNF instances and on instances coming from round-reduced key-recovery attacks. For comparison, we ran our implementation of Algorithm , which we named , against SAT solvers with XOR support, i.e., CNF-based SAT solvers that can read and process XOR constraints on the variables natively. We say that formulas of the type processed by these solvers are in CNF-XOR.
State-of-the-art SAT solvers that support CNF-XOR input are (see [39]), an established CDCL-based solver, and (see [36]), which is based on a stochastic local search approach, i.e., it can only be used on satisfiable instances. (Note that , despite its name, cannot work with XNFs as introduced in this article. It only supports CNF-XOR instances.) To use these solvers on XNF instances, we use the following reduction.
Remark 5.1.
Let be a 2-XNF formula involving variables. Then we can write the XNF clauses of as , , where with linerals , and where are already linerals. Now we introduce additional variables and consider the CNF-XOR formula consisting of the clauses , the XOR constraints for and , and the original XOR constraints . Then we have .
Furthermore, a 2-XNF instance can also be seen as a system of quadratic Boolean polynomial equations that can be solved by an algebraic solver such as (see [9]). This package offers an implementation of the Buchberger algorithm adapted to Boolean polynomial rings and employs highly optimized data structures. Additionally, we consider the solver (see [11]), which employs both algebraic and logical reasoning, and processes ANF (and CNF) input. For instances with fewer than variables, we also compare the solvers to , our implementation of a brute-force XNF solver. Finally, we also consider the winner of the 2023 SAT competition (see [22]) which processes CNF inputs. The CNF files were generated from the CNF-XOR representation by converting the additional XOR constraints on the variables to a set of CNF clauses. Since a direct encoding of long XORs results in exponentially many CNF clauses, they are split using new variables such that we only consider direct encodings of XOR constraints involving at most variables. This corresponds to a linear encoding with cutting number (see [36]).
All experiments were run on an Intel Xeon E5-2623 v3 processor with 128GB of RAM under Debian 10. We used version , version , version , and with 2.0 (see [7]).
Random 2-XNF Clauses
First we consider random 2-XNF instances involving variables and clauses. Every clause in the formula is generated by picking two linerals uniformly at random in . With and , experiments showed that such an instance is with a probability of at least . If a solution is desired, we simply choose at random and for every clause that is not satisfied by , we randomly flip the constant of one of the two linerals. This ensures that indeed forms a satisfying assignment of the generated 2-XNF instance. Two random benchmark suites are considered, each containing random instances with variables in clauses, where we have instances for every . One set contains only satisfiable instances, the other only unsatisfiable ones.
The cactus plots in Figure 4 show that such small random instances are hard for state-of-the-art CNF and CNF-XOR solvers. In particular, we see that and are even out-performed by a simple brute-force implementation. Algebraic solving with performs not significantly worse than . While the plot clearly shows that performs best on this benchmark, one should note that this is not due to some clever data structures that allow very fast propagation. The main reason for its better overall performance is that the required number of decisions of (with any heuristic) is smaller by a factor of - compared to the number of decisions taken by .
Round-Reduced Ascon Key Recovery Attacks
Our second benchmark set consists of instances related to key-recovery attacks on round-reduced versions of the cipher (see [18]). In particular, we consider attacks where the -bit nonce and the -bit internal state are known and the goal is to undo the initialization step consisting of rounds in order to obtain the -bit secret key. If this problem can be solved efficiently, the cipher is broken in a nonce-misuse scenario, see [6]. Here we consider round-reduced variants: instances with rounds, instances with rounds and knowledge of the first key bits for each , and instances with rounds and knowledge of the first key bits for each . The instances were generated by applying to a polynomial representation of the cryptosystem, see Example 3.22, augmented with some additional XNF clauses, which speed up propagation in .
Figure 5 contains a cactus plot for these cryptographic instances. Here was not included due to its bad performance on the random set. It turns out that for the 2-round version can already solve all instances (starting with the trivial IGS) during pre-processing in less than seconds on average. On these instances, requires more than decisions and several seconds; and about decisions and one second. Our solver with the MaxBottleneck or the MaxReach heuristic and in-processing with also performs very well on the remaining benchmark and comes out as the average best solver. The bad performance with the MaxPath heuristic may be attributed to the fact that the corresponding decision linerals contain more variables and therefore execution requires more time, increases the average length of linerals of the implication graph vertices, i.e., increases its memory footprint, and thereby makes backtracking more expensive. It should be noted that on the 4-round instances the CNF-XOR solver had a better performance with fewer timeouts. So its advanced decision heuristics, the highly optimized data structures, and the conflict-learning methods do pay off on larger instances. Nonetheless still requires fewer decisions by a factor of -. The CNF-SAT solver , however, with data structures and conflict-learning methods similar to could only solve of these instances. This highlights the effectiveness of the encodings of these innately XOR-rich problems in CNF-XOR and XNF. Also note that could not solve a single instance when given in its ANF format, however when feeding it with the system of quadratic equations corresponding to the 2-XNF, some instances could be solved. The situation for is similar, with better performance on the input that comes from our XNF encoding.
Conclusions
A generalization of the well-known CNF that allows compact representations of XOR-rich problems, like those originating from cryptographic attacks, has been introduced. On top of that we generalized pre- and in-processing techniques and introduced a DPLL-based solving algorithm with a simplistic decision heuristic that outperforms other state-of-the-art solving approaches on random instances and on problems originating from cryptographic attacks on . An extension to CDCL-based solving is in preparation and better decision heuristics will be investigated.
Acknowledgements. During part of this research, the second author was supported by the DFG project Algebraische Fehlerangriffe KR 1907/6-2. The first author gratefully acknowledges Cusanuswerk e.V. for financial support.
References
- [1] F. N. Abu-Khzam, K. A. Jahed, and A. E. Mouawad, A hybrid graph representation for exact graph algorithms, preprint 2014, available at arxiv.org/pdf/1404.6399.pdf (accessed on 23 February 2023).
- [2] F. N. Abu-Khzam, D. Kim, M. Perry, K. Wang, and P. Shaw, Accelerating vertex cover optimization on a GPU architecture, in: Int. Symposium on Cluster, Cloud and Grid Computing (CCGRID), Washington 2018, IEEE Xplore, pp.616–625.
- [3] F. N. Abu-Khzam, M. A. Langston, and C. P. Nolan, A hybrid graph representation for recursive backtracking algorithms, in: Frontiers in Algorithmics (FAW 2010), LNCS 6213, Springer-Verlag, Berlin 2010, pp. 136–147.
- [4] M. Albrecht, C. Cid, L. Grassi, D. Khovratovich, R. Lüftenegger, C. Rechberger, and M. Schofnegger, Algebraic cryptanalysis of STARK-friendly designs: Application to MARVELlous and MiMC, in: Proc. Advances in Cryptology (ASIACRYPT 2019), Kobe 2019, LNCS 11923, Springer Int. Publ., Cham 2019, pp. 371–397.
- [5] B. Aspvall, M. F. Plass, and R. E. Tarjan, A linear-time algorithm for testing the truth of certain quantified boolean formulas, Inform. Process. Lett. 8 (1979), 121–123.
- [6] J. Baudrin, A. Canteaut, and L. Perrin, Practical cube attack against nonce-misused Ascon, IACR Transactions on Symmetric Cryptology 4 (2022), 120–144.
- [7] A. Biere, T. Faller, K. Fazekas, M. Fleury, N. Froleyks, and F. Pollitt, CaDiCaL 2.0, in: Proc. Computer Aided Verification (CAV 2024), Montreal 2024, LNCS 14681, Springer Nature Switzerland, Cham 2024, pp. 133-152.
- [8] M. Brickenstein, Boolean Gröbner Bases: Theory, Algorithms and Applications, Springer-Verlag, Berlin 2010.
- [9] M. Brickenstein and A. Dreyer, PolyBoRi: A framework for Gröbner-basis computations with Boolean polynomials, J. Symbolic Comput. 44 (2009), 1326–1345.
- [10] W. Castryck and T. Decru, An efficient key recovery attack on SIDH, in: Proc. Advances in Cryptology (EUROCRYPT 2023); Lyon 2023, LNCS 14008, Springer Int. Publ., Cham 2023, pp. 423–447.
- [11] D. Choo, M. Soos, K. M. A. Chai, and K. S. Meel, Bosphorus: Bridging ANF and CNF solvers, in: Proc. Design, Automation, and Test in Europe (DATE), Florence 2019, IEEE Xplore, pp. 468-473.
- [12] N. Courtois, A. Klimov, J. Patarin, and A. Shamir, Efficient algorithms for solving overdefined systems of multivariate polynomial equations, in: Proc. Advances in Cryptology (EUROCRYPT 2000), Brugge 2000, LNCS 1807, Springer-Verlag, Berlin 2000, pp. 392–407.
- [13] N. Courtois, P. Sepehrdad, P. Sušil, and S. Vaudenay, The ElimLin algorithm revisited, in: Proc. Fast Software Encryption (FSE 2012), Washington 2012, LNCS 7549, Springer-Verlag, Berlin 2012, pp. 306–325.
- [14] J. Danner and M. Kreuzer, A fault attack on KCipher-2, Int. J. Comput. Math. Comput. Syst. Theory 6 (2021), 281–312.
- [15] S. K. Dash, S.-B. Scholz, S. Herhut, and B. Christianson, A scalable approach to computing representative lowest common ancestor in directed acyclic graphs, Theoret. Comput. Sci. 513 (2013), 25–37.
- [16] J. Davies, Solving MAXSAT by decoupling optimization and satisfaction, dissertation, University of Toronto, Toronto 2013.
- [17] M. Davis, G. Logemann, and D. Loveland, A machine program for theorem proving, Commun. ACM 5 (1962), 394–397.
- [18] C. Dobraunig, M. Eichlseder, F. Mendel, and M. Schläffer, Ascon v1.2: Technical report, National Institute of Standards and Technology, 2019.
- [19] J. M. Dudek, K. S. Meel, and M. Y. Vardi, The hard problems are almost everywhere for random CNF-XOR formulas. in: Proc. Int. Joint Conference on Artificial Intelligence (IJCAI’17), Melbourne, 2017; pp. 600–606.
- [20] A. D. Dwivedi, M. Klouček, P. Morawiecki, I. Nikolić, J. Pieprzyk, and S. Wójtowicz, SAT-based cryptanalysis of authenticated ciphers from the CAESAR competition, in: Proc. Int. Joint Conference on e-Business and Telecommunications (ICETE 2017), SECRYPT, Madrid, 2017; pp. 237–246.
- [21] G. Emdin, A. S. Kulikov, I. Mihajlin, and N. Slezkin, CNF Encodings of Symmetric Functions, Theory Comput. Sys. (2024).
- [22] A. Haberlandt, H. Green, and M. J. H. Heule, Effective Auxiliary Variables via Structured Reencoding, in: Proc. Theory and Applications of Satisfiability Testing (SAT 2023), Alghero 2023, LIPIcs 271, Leibniz-Zentrum für Informatik, Dagstuhl 2023, pp. 11:1-11:19.
- [23] H. Hadipour and M. Eichlseder, Autoguess: a tool for finding guess-and-determine attacks and key bridges, in: Proc. Applied Cryptography and Network Security (ACNS 2022), Rome 2022, LNCS 13269, Springer Nature Switzerland, Cham 2022, pp. 230–250.
- [24] C. S. Han and J-H. R. Jiang, When Boolean satisfiability meets Gaussian elimination in a simplex way, in: Proc. Computer Aided Verification (CAV 2012), Berkeley 2012, LNCS 7358, Springer-Verlag, Berlin 2012, pp. 410–426.
- [25] M. J. H. Heule, J. Matti, and A. Biere, Revisiting hyper binary resolution, in: Integration of AI and OR Techniques in Constraint Programming for Combinatorial Optimization Problems (CPAIOR 2013), LNCS 7874, Springer-Verlag, Berlin 2013, pp. 77–93.
- [26] J. Horáček, Algebraic and logic solving methods for cryptanalysis, dissertation, Universität Passau, Passau 2020.
- [27] J. Horáček and M. Kreuzer, Refutation of products of linear polynomials, in: Proc. Third Int. Workshop on Satisfiability Checking and Symbolic Computation (SC^2), Oxford 2018, available at http://ceur-ws.org/Vol-2189/.
- [28] J. Horáček and M. Kreuzer, On conversions from CNF to ANF, J. Symbolic Comput. 100 (2020), 164–186.
- [29] P. Jovanovic and M. Kreuzer, Algebraic attacks using SAT-solvers, Groups Complexity Cryptology 2 (2010), 247–259.
- [30] M. Kreuzer and L. Robbiano, Computational Commutative Algebra 1, Springer-Verlag, Berlin 2000.
- [31] F. Lafitte, J. Nakahara, and D. Van Heule, Applications of SAT solvers in cryptanalysis: finding weak keys and preimages, J. Satisf. Boolean Model. Comput. 9 (2014), 1–25.
- [32] T. Laitinen, T. Junttila, and I. Niemelä, Conflict-Driven XOR-Clause Learning. in: Proc. Theory and Applications of Satisfiability Testing (SAT 2012), Trento 2012, LNCS 7317, Springer-Verlag, Berlin 2012, pp. 383–396.
- [33] A. Leventi-Peetz, O. Zendel, W. Lennartz, and K. Weber, CryptoMiniSat switches-optimization for solving cryptographic instances, in: Proc. Pragmatics of SAT 2015 and 2018, EPiC Series in Computing 59, EasyChair 2019, pp. 79-93.
- [34] I. Mironov and L. Zhang, Applications of SAT solvers to cryptanalysis of hash functions, in: Proc. Theory and Applications of Satisfiability Testing (SAT 2006), Seattle 2006, LNCS 4121, Springer-Verlag, Berlin 2006, pp. 102-115.
- [35] M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, and S. Malik, Chaff: engineering an efficient SAT solver, in: Proc. Design Automation Conference (DAC), Las Vegas 2001, ACM, New York 2001, pp. 530-535.
- [36] W. Nawrocki, Z. Liu, A. Fröhlich, M. J. H. Heule, and A. Biere, XOR local search for Boolean brent equations, in: Theory and Applications of Satisfiability Testing (SAT 2021), LNCS 12831, Springer Nature Switzerland, Cham 2021, pp. 417–435.
- [37] R. Sebastiani and P. Trentin, OptiMathSAT: a tool for optimization modulo theories, J. Automat. Reason. 64 (2020), 423–460.
- [38] M. Soos and K. S. Meel, BIRD: Engineering an efficient CNF-XOR SAT solver and its applications to approximate model counting, in: Proc. AIII Conference on Artificial Intelligence 2019, vol. 33, AIII Press, Palo Alto 2019, pp. 1592–1599.
- [39] M. Soos, K. Nohl, and C. Castelluccia, Extending SAT solvers to cryptographic problems, in: Theory and Applications of Satisfiability Testing (SAT 2009), LNCS 5584, Springer-Verlag, Berlin 2009, pp. 244–257.
- [40] R. Tarjan, Depth-first search and linear graph algorithms, SIAM J. Comput. 1 (1972), 146–160.
- [41] M. Trimoska, S. Ionica, and G. Dequen, Parity (XOR) reasoning for the index calculus attack, in: Proc. Principles and Practice of Constraint Programming (CP 2020), Louvain-la-Neuve 2020, Springer Int. Publ., Cham 2020, pp. 774-790.