SAT Solving Using XOR-OR-AND Normal Forms

Bernhard Andraschko, Fakultät für Informatik und Mathematik, Universität Passau, D-94030 Passau, Germany, [email protected]
Julian Danner, Fakultät für Informatik und Mathematik, Universität Passau, D-94030 Passau, Germany, [email protected]
Martin Kreuzer, Fakultät für Informatik und Mathematik, Universität Passau, D-94030 Passau, Germany, [email protected]

(24.10.2024)

Abstract

This paper introduces the XOR-OR-AND normal form (XNF) for logical formulas. It is a generalization of the well-known Conjunctive Normal Form (CNF) where literals are replaced by XORs of literals. As a first theoretic result, we show that every CNF formula is equisatisfiable to a formula in 2-XNF, i.e., a formula in XNF where each clause involves at most two XORs of literals. Subsequently, we present an algorithm which converts Boolean polynomials efficiently from their Algebraic Normal Form (ANF) to formulas in 2-XNF. Experiments with the cipher ASCON-128 show that cryptographic problems, which by design are based strongly on XOR-operations, can be represented using far fewer variables and clauses in 2-XNF than in CNF. In order to take advantage of this compact representation, new SAT solvers based on input formulas in 2-XNF need to be designed. By taking inspiration from graph-based 2-CNF SAT solving, we devise a new DPLL-based SAT solver for formulas in 2-XNF. Among others, we present advanced pre- and in-processing techniques. Finally, we give timings for random 2-XNF instances and instances related to key recovery attacks on round reduced ASCON-128, where our solver outperforms state-of-the-art alternative solving approaches.

Key words and phrases:

SAT solving, XOR constraint, algebraic normal form, implication graph, cryptographic attack

1991 Mathematics Subject Classification:

03B70; 13P15; 05C90; 94A60

1. Introduction

SAT solvers are programs which decide the Boolean Satisfiability Problem for propositional logic formulas. In the last decades there has been a substantial effort to improve their performance, and they have grown into versatile tools for tackling computational problems in various domains such as automatic theorem proving, graph theory, hardware verification, artificial intelligence, and cryptanalysis.

Problems from cryptanalysis in particular have been shown to be hard for conventional SAT solvers that take a formula in conjunctive normal form (CNF) as input. Although many new attacks on cryptosystems and other cryptographic protocols have been designed based on the idea of encoding the computational problem as an instance for CNF-based SAT solvers (see for instance [20, 23, 29, 31, 33, 34]), many problems are still out of range (e.g., see [14, 20]). This can mainly be attributed to the fact that cryptographic primitives are often built using exclusive disjunctions (XORs) of variables, which lead to an exponential blow-up when encoded in CNF.

To speed up the performance of SAT solvers for such instances, one can either try to modify the problem encodings such that they lead to smaller instances (see [11, 28, 29]), or one can try to improve the solving strategy altogether. For example, the latter approach has been pursued by attempts to integrate support for XOR constraints on the input variables (see [24, 36, 39, 41]) or by combining logical SAT solving with algebraic reasoning (see [11, 26]). While purely algebraic solving techniques (as developed for instance in [9, 12, 13]) have had some success in cryptanalysis (e.g., see [4, 10, 14]), a very promising line of research seems to be to combine logic and algebraic solving paradigms.

One such attempt was initiated in [27] and refined in [26], where a new proof system called $\mathtt{s\text{-}Res}$ was introduced. Its inputs are products of linear Boolean polynomials, or, in the language of logic, disjunctions of XORs of literals. Thus the $\mathtt{s\text{-}Res}$ proof system is innately suitable for dealing with cryptanalytic instances, as these tend to be rich in XOR connectives. The core inference rule of $\mathtt{s\text{-}Res}$ is called $s$-resolution. It generalizes both the classical resolution rule of propositional logic and Buchberger’s S-polynomials, which form the basis of Gröbner basis computations (see [30]). In [26] and [27] initial DPLL-based refutation methods utilizing $s$-resolvents were introduced. As of today, no highly efficient implementation of these algorithms exists, and procedures to use $\mathtt{s\text{-}Res}$ for finding satisfying assignments are lacking as well.

In the first part of this paper we strive to develop efficient methods for converting propositional logic formulas to suitable inputs for $\mathtt{s\text{-}Res}$ type proof systems. After recalling some basic definitions and properties of the ring of Boolean polynomials in Section 2, we introduce and study a new XOR-based normal form in Section 3. More precisely, the new normal form is called the XOR-OR-AND normal form (XNF) for propositional logic formulas (see Definition 3.2). It generalizes the CNF by replacing the literals with XORs of literals which we simply call linerals. From an algebraic perspective, a lineral corresponds to a linear Boolean polynomial, and a disjunction of linerals corresponds to a product of linear Boolean polynomials. Using this identification, one sees that formulas in XNF occur naturally in the proof system $\mathtt{s\text{-}Res}$ . Since XNF generalizes CNF, it is clear that every propositional logic formula is equivalent to one in XNF.

While conversions from the algebraic normal form (ANF) of a Boolean polynomial to the CNF of the corresponding propositional logic formula and back have been studied carefully (see for instance [11, 28, 29]), conversions to systems offering some native support for XOR have been introduced only sparingly and elaborated much less systematically (see [32, 36, 39]).

It is well-known that one can introduce new variables and convert every Boolean polynomial system to one involving only polynomials of degree at most two. Here we show that, in fact, every XNF formula is equisatisfiable to one in 2-XNF, i.e., to an instance of XNF where each clause involves at most two linerals (see Proposition 3.7). Algebraically speaking, systems of quadratic Boolean polynomial equations can be transformed to systems consisting of products of at most two linear polynomials. Furthermore, we try to optimize this transformation by introducing as few additional variables as possible (see Propositions 3.15 and 3.17). To illustrate the potential of the conversion to 2-XNF, we apply it to instances related to algebraic attacks on the cipher $\mathtt{Ascon\text{-}128}$ (see [18]) which was recently selected for standardization by NIST for lightweight cryptography. We get 2-XNF representations which are substantially more compact than state-of-the-art representations in CNF (see Example 3.22).

In the second part of the paper we make use of this 2-XNF representation and take the first few steps towards translating the foundations of efficient CNF-based SAT solving to XNF-based SAT solving. In particular, using ideas based on efficient 2-CNF solvers and CNF pre-processing (see [5, 25]), we develop a graph based 2-XNF solver. To start with, we define an implication graph structure (IGS) $(L,V,E)$ for a given formula $F$ which consists of a set $L$ of linear Boolean polynomials known to be in the ideal $I_{F}$ , which is the algebraic representation of $F$ , and a directed graph $(V,E)$ whose edges $(f,g)$ mean that $f\in I_{F}$ implies $g\in I_{F}$ (see Definition 4.1 and Remark 4.2). Our solving algorithm then starts with a trivial IGS for $F$ (see Remark 4.4) and simplifies it using a suitable ordering on the IGSs (see Definition 4.6). Then we gradually improve the IGS by propagation, in-processing and guessing until we arrive at an implication graph structure with an empty graph, i.e., a case where the corresponding ideal is generated by linear polynomials. Given that the guesses were correct, a satisfying assignment for $F$ can be deduced immediately from a solution of the corresponding system of linear equations. The improvement of an IGS is measured in terms of the size of the linear part $L$ and in the size of the graph $(V,E)$ .

Propagation is achieved using a generalization of the classical Boolean constraint propagation which we call Gaußian Constraint Propagation (see Proposition 4.8). Two pre-processing methods are examined which yield new linear forms or new edges for the IGS (see Proposition 4.10). Unfortunately, they are too expensive to be executed repeatedly during the main solving procedure. For such in-processing methods, we provide two more efficient suggestions. Firstly, using the calculation of strongly connected components of $(V,E)$ , we are able to reach an acyclic graph (see Proposition 4.13). Secondly, we introduce the notion of failed linerals (see Definition 4.14) and apply them in order to learn new linear polynomials in $I_{F}$ (see Proposition 4.17).

Several heuristics for producing good decisions for an IGS, i.e., for making good guesses (see Definition 4.20) are discussed next. Moreover, we offer some suggestions how to implement these heuristics efficiently (see Remarks 4.22 and 4.23). Finally, we combine everything and present our new graph-based 2-XNF solver (see Proposition 4.24) together with suggestions how to implement it well using suitable data structures (see Remark 4.25).

The last section contains the results of some experiments and comparisons to established CNF-based SAT solvers, especially ones that offer some support for XOR constraints. Usually, they allow separate XOR constraints on variables in addition to a CNF, a type of input that is known as CNF-XOR. One of the first solvers for such formulas was described in [38, 39] and is implemented in $\mathtt{CryptoMiniSat}$ . Another one is $\mathtt{xnfSAT}$ (see [36]) which uses stochastic local search methods for CNF-XOR inputs. The solver $\mathtt{Bosphorus}$ allows ANF and CNF inputs, but no CNF-XOR inputs (see [11]). Moreover, we compare our method with the winner of the 2023 SAT competition $\mathtt{SBVA{\text{-}}CaDiCaL}$ (see [22]) which admits CNF formulas.

In our experiments we compare the new 2-XNF solver using the three decision heuristics explained in Section 4 to the CNF-XOR solvers $\mathtt{CryptoMiniSat}$ and $\mathtt{xnfSAT}$, to the algebraic solver $\mathtt{PolyBoRi}$ (see [9]), to a brute force XNF solver $\mathtt{xnf\_bf}$, and to the CNF solver $\mathtt{SBVA{\text{-}}CaDiCaL}$. We created timings for two types of inputs. The first type are random 2-XNF instances. It turns out that our graph based 2-XNF solver involving merely some basic DPLL techniques outperforms state-of-the-art solving approaches on small random instances, both for satisfiable and unsatisfiable cases (see Figures 4(a) and 4(b)).

The second type of experiments was to try the solvers on key recovery attacks for round reduced versions of the $\mathtt{Ascon\text{-}128}$ cryptosystem. This lightweight cipher was recently selected for standardization by NIST. Again it turns out that, even with our very simple decision heuristics, the graph based 2-XNF solver performs surprisingly well (see Figure 5). Here it may be worthwhile to note that some of these round reduced key recovery attacks can be solved already in the pre-processing phase. Altogether, one main advantage of XNF solving is that the more compact problem representations require fewer decisions, and this leads to meaningful speed-ups. Finally, let us point out that the desirable extension of XNF solving to include CDCL techniques is not straightforward and will require non-trivial new tools.

Due to its simpler description, we chiefly use the algebraic point of view when we work with formulas in XNF, i.e., we regard them as products of linear Boolean polynomials. Unless explicitly noted otherwise, we use the definitions and notation introduced in [28] and [30]. The algorithms of Section 3 were implemented by B. Andraschko and the solving methods of Section 4 by J. Danner. All source code is available at https://github.com/j-danner/2xnf_sat_solving.

2. The Ring of Boolean Polynomials

Throughout this paper we let ${\mathbb{F}}_{2}$ be the field with two elements, $n\in{\mathbb{N}}_{+}$ , and $P={\mathbb{F}}_{2}[X_{1},\dots,X_{n}]$ the polynomial ring over ${\mathbb{F}}_{2}$ in the indeterminates $X_{1},\dots,X_{n}$ . Recall that the ring of Boolean polynomials is

{\mathbb{B}}_{n}\;=\;P/\langle X_{1}^{2}-X_{1},\dots,X_{n}^{2}-X_{n}\rangle

where ${\mathbb{I}}_{n}=\langle X_{1}^{2}-X_{1},\dots,X_{n}^{2}-X_{n}\rangle$ is also called the field ideal in $P$ . Whenever additional indeterminates are required, we write

{\mathbb{B}}_{n,m}\;=\;{\mathbb{F}}_{2}[X_{1},\dots,X_{n},Y_{1},\dots,Y_{m}]/{\mathbb{I}}_{n,m}

where ${\mathbb{I}}_{n,m}=\langle X_{1}^{2}-X_{1},\dots,X_{n}^{2}-X_{n},Y_{1}^{2}-Y_{1},\dots,Y_{m}^{2}-Y_{m}\rangle$. For $i\in\{1,\dots,n\}$ and $j\in\{1,\dots,m\}$, we denote the residue class of $X_{i}$ in ${\mathbb{B}}_{n}$ and ${\mathbb{B}}_{n,m}$ by $x_{i}$ and the residue class of $Y_{j}$ in ${\mathbb{B}}_{n,m}$ by $y_{j}$. These residue classes will be called the indeterminates of ${\mathbb{B}}_{n}$ and ${\mathbb{B}}_{n,m}$, respectively, and the elements of these rings are called Boolean polynomials.

Every Boolean polynomial $f\in{\mathbb{B}}_{n}$ can be uniquely written as a sum of distinct square-free terms, where a term is a product of distinct residue classes $x_{i}$ . This is known as the algebraic normal form (ANF) of $f$ . (See for instance [26, Sec. 2.1] or [8] for an in-depth study of ANFs.) Altogether, we have ${\mathbb{B}}_{n}={\mathbb{F}}_{2}[x_{1},\dots,x_{n}]$ as an ${\mathbb{F}}_{2}$ -algebra and $\dim_{{\mathbb{F}}_{2}}({\mathbb{B}}_{n})=2^{n}$ .
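To make the arithmetic of ANFs concrete, the following Python sketch stores a Boolean polynomial as a set of square-free terms, each term being a set of variable indices. The names `var`, `add`, `mul`, `ONE` and `ZERO` are our own choices for this illustration and are not taken from the implementation accompanying the paper.

```python
# A Boolean polynomial in ANF is modelled as a frozenset of terms;
# a term is a frozenset of variable indices (the empty term is the constant 1).
ONE = frozenset({frozenset()})
ZERO = frozenset()

def var(i):
    """The indeterminate x_i as a Boolean polynomial."""
    return frozenset({frozenset({i})})

def add(f, g):
    """Sum in B_n: coefficients lie in F_2, so common terms cancel."""
    return f ^ g

def mul(f, g):
    """Product in B_n: x_i^2 = x_i turns term multiplication into a union."""
    result = set()
    for s in f:
        for t in g:
            result ^= {s | t}   # add the term s*t modulo 2
    return frozenset(result)

# (x_1 + 1)(x_1 + x_2) = x_1 x_2 + x_2
h = mul(add(var(1), ONE), add(var(1), var(2)))
```

Since equal terms cancel and repeated indeterminates collapse, every result is automatically a sum of distinct square-free terms, i.e., it is again in ANF.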

Given $f\in{\mathbb{B}}_{n}\setminus\{0\}$ in ANF, replacing each $x_{i}$ by $X_{i}$ yields its canonical representative $F\in P$ . Then the support of $f$ is $\operatorname{Supp}(f)=\{t+{\mathbb{I}}_{n}\mid t\in\operatorname{Supp}(F)\}$ and the degree of $f$ is given by

\deg(f)\;=\;\min\{\deg(F)\mid F\in P,\;f=F+{\mathbb{I}}_{n}\}.

The ${\mathbb{F}}_{2}$ -linear span of all Boolean polynomials of degree $\leq 1$ plays a major role subsequently. It is denoted by

{\mathbb{L}}_{n}\;=\;\langle 1,x_{1},\dots,x_{n}\rangle_{\mathbb{F}_{2}}\;=\;{\mathbb{F}}_{2}\oplus{\mathbb{F}}_{2}\,x_{1}\oplus\cdots\oplus{\mathbb{F}}_{2}\,x_{n}

and called the vector space of linear Boolean polynomials. (Note that ${\mathbb{L}}_{n}$ includes the element 1.)

In Section 4 we also need division with remainders for Boolean polynomial rings. Let $\sigma$ be a term ordering on $P$ , and let $f,g_{1},\dots,g_{s}\in{\mathbb{B}}_{n}$ be Boolean polynomials in ANF. Let $F,G_{1},\dots,G_{s}\in P$ be the canonical representatives of $f,g_{1},\dots,g_{s}$ , respectively. Then the normal remainder of $f$ under the division by $G=(g_{1},\dots,g_{s})$ is defined by

\operatorname{NR}_{\sigma,G}(f)\;=\;\operatorname{NR}_{\sigma,(G_{1},\dots,G_{s})}(F)+{\mathbb{I}}_{n}.

Moreover, we denote the ordering induced by $\sigma$ on the terms in ${\mathbb{B}}_{n}$ by $\sigma$ again and call $\operatorname{LT}_{\sigma}(f)=\operatorname{LT}_{\sigma}(F)+{\mathbb{I}}_{n}$ the leading term of $f$ with respect to $\sigma$. For the definitions and an explanation of these concepts in $P$ see [30], Chapter I, and for more details about orderings on Boolean polynomial rings see [8].

3. Logical Representations of Boolean Polynomials

In the following we let ${\mathbb{B}}_{n}={\mathbb{F}}_{2}[x_{1},\dots,x_{n}]$ be the ring of Boolean polynomials. Our goal is to connect Boolean polynomials to propositional logic formulas. We assume that the readers are familiar with the syntax of propositional logic and identify $\operatorname{\mathtt{true}}\equiv 1$ as well as $\operatorname{\mathtt{false}}\equiv 0$ .

Definition 3.1.

Let $S$ be a subset of ${\mathbb{B}}_{n}$ , and let $F$ be a propositional logic formula in the logical variables $X_{1},\dots,X_{n}$ .

(a)

The set $\operatorname{\mathcal{Z}}(S)=\{(a_{1},\dots,a_{n})\in{\mathbb{F}}_{2}^{n}\mid f(a_{1},\dots,a_{n})=0\text{ for all }f\in S\}$ is called the zero set of $S$.
(b)

The set $\operatorname{\mathcal{S}}(F)=\{(a_{1},\dots,a_{n})\in{\mathbb{F}}_{2}^{n}\mid F|_{X_{1}\mapsto a_{1},\dots,X_{n}\mapsto a_{n}}\equiv\operatorname{\mathtt{true}}\}$ is called the set of satisfying assignments of $F$.
(c)

Given an ideal $I$ in ${\mathbb{B}}_{n}$ , a propositional logic formula $F$ is called a logical representation of $I$ if $\operatorname{\mathcal{S}}(F)=\operatorname{\mathcal{Z}}(I)$ .
(d)

Given a propositional logic formula $F$ , the uniquely determined ideal $I_{F}$ in ${\mathbb{B}}_{n}$ such that $\operatorname{\mathcal{Z}}(I_{F})=\operatorname{\mathcal{S}}(F)$ is called the algebraic representation of $F$ .

Recall that ${\mathbb{B}}_{n}$ is a principal ideal ring in which every ideal has a unique generator and that every propositional logic formula is equivalent to a formula in conjunctive normal form (CNF). Effective transformations between these representations have been studied extensively (see for instance [11] and [29]).

One disadvantage of converting Boolean polynomials to CNF is that sums correspond to XOR connectives and a long chain of XOR connectives yields an exponentially large set of CNF clauses. To address this problem, we introduce a new type of normal form next. Afterwards, we examine algorithms for converting Boolean polynomials to this normal form and back.

Definition 3.2 (XOR-OR-AND Normal Form).

Let $F$ be a propositional logic formula.

(a)

A formula of the form $L_{1}\oplus L_{2}\oplus\cdots\oplus L_{m}$ with literals $L_{1},\dots,L_{m}$ is called a lineral.
(b)

A disjunction of linerals is called an XNF clause.
(c)

The formula $F$ is said to be in XOR-OR-AND normal form (XNF) if $F$ is a conjunction of XNF clauses.
(d)

Let $k\in{\mathbb{N}}$ . If $F$ is in XNF and every XNF clause of $F$ involves at most $k$ linerals then we say that $F$ is in $k$ -XNF.

Notice that every literal is also a lineral. Hence every formula in CNF is already in XNF. The negation of a lineral is a lineral because of

\lnot(L_{1}\oplus L_{2}\oplus\cdots\oplus L_{m})\;\equiv\;\lnot L_{1}\oplus L_{2}\oplus\cdots\oplus L_{m}.

Moreover, every lineral is equivalent to a lineral of the form $\operatorname*{\bigoplus}_{i}X_{i}$ or $\lnot(\operatorname*{\bigoplus}_{i}X_{i})$ .

Observe that [36] introduces a normal form with the same name, but for formulas that consist of CNF clauses and XOR constraints on the variables. In the terminology defined here, these are XNF unit clauses. We also refer to a formula of this type as a CNF-XOR, consistent with related research (see [19, 29, 32, 38, 39, 41]).

The motivation for introducing the XNF is its algebraic representation which can be described as follows.

Remark 3.3.

Let $X_{1},\dots,X_{n}$ be propositional logic variables.

(a)

Let $L=X_{i_{1}}\oplus\dots\oplus X_{i_{t}}$ be a lineral with $i_{1},\dots,i_{t}\in\{1,\dots,n\}$ . Then the algebraic representation of $L$ is the ideal $\langle x_{i_{1}}+\dots+x_{i_{t}}+1\rangle$ in ${\mathbb{B}}_{n}$ . Thus linerals correspond to linear polynomials in ${\mathbb{B}}_{n}$ .
(b)

Let $L_{1},\dots,L_{s}$ be linerals, and let $C=L_{1}\vee\cdots\vee L_{s}$ be an XNF clause. For $i\in\{1,\dots,s\}$, let $\ell_{i}\in{\mathbb{L}}_{n}$ be such that $\langle\ell_{i}\rangle$ is the algebraic representation of $L_{i}$. Then $\langle\ell_{1}\cdots\ell_{s}\rangle$ is the algebraic representation of $C$. Thus XNF clauses correspond to products of linear Boolean polynomials.
(c)

Let $C_{1},\dots,C_{r}$ be XNF clauses, and let $F=C_{1}\wedge\cdots\wedge C_{r}$ be a logical formula in XNF. For $i\in\{1,\dots,r\}$ , let $c_{i}\in{\mathbb{B}}_{n}$ be the product of linear Boolean polynomials representing $C_{i}$ . Then the algebraic representation of $F$ is the ideal $\langle c_{1},\dots,c_{r}\rangle$ in ${\mathbb{B}}_{n}$ .
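The correspondence of Remark 3.3 can be checked by brute force on small examples. The sketch below assumes a hypothetical encoding in which a linear Boolean polynomial is a pair `(indices, c)` with 0-based variable indices; the function names and the example formula are ours and serve only as an illustration.

```python
from itertools import product

# A linear Boolean polynomial x_{i1} + ... + x_{it} + c is stored as (indices, c).
# An XNF clause is a list of such polynomials (read as their product),
# and a formula in XNF is a list of clauses.

def eval_linear(lin, a):
    indices, c = lin
    return (sum(a[i] for i in indices) + c) % 2

def eval_product(clause, a):
    """Value of the product of the linear polynomials of a clause at the point a."""
    value = 1
    for lin in clause:
        value *= eval_linear(lin, a)
    return value

def zero_set(clauses, n):
    """Common zeros of the clause polynomials c_1, ..., c_r in F_2^n."""
    return {a for a in product((0, 1), repeat=n)
            if all(eval_product(c, a) == 0 for c in clauses)}

def satisfying_assignments(clauses, n):
    """Assignments making every clause true; a lineral is true iff its polynomial vanishes."""
    return {a for a in product((0, 1), repeat=n)
            if all(any(eval_linear(lin, a) == 0 for lin in c) for c in clauses)}

# F = ((X1 xor X2) or not X3) and X2
F = [[((0, 1), 1), ((2,), 0)],   # (x1 + x2 + 1) * x3
     [((1,), 1)]]                # x2 + 1
```

For this example both functions return the same three points, in line with part (c) of the remark.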

For the converse transformation, we could use the logical representation of a Boolean polynomial which is in CNF, and hence in XNF. However, as we are striving for logical formulas in XNF which have few and short clauses, i.e., correspond to few low-degree Boolean polynomials, we proceed along a different path in the following two subsections.

Moreover, the XNF is the natural input to the proof system $\mathtt{s\text{-}Res}$ (see [26]), and therefore builds the basis for any $\mathtt{s\text{-}Res}$ -based solving algorithms.

3.1. Reduction of Formulas in XNF to 2-XNF

It is a well-known property of propositional logic formulas that they can be transformed to equisatisfiable formulas in 3-CNF by introducing additional variables. In the following we focus on an analogous transformation of formulas in XNF.

Definition 3.4.

Let $S\subseteq{\mathbb{F}}_{2}^{n}$ , and let $T\subseteq{\mathbb{F}}_{2}^{n+m}$ for some $n,m\in{\mathbb{N}}$ . Then we write $S\equiv_{n}T$ if the projection map $\pi:\;{\mathbb{F}}_{2}^{n+m}\longrightarrow{\mathbb{F}}_{2}^{n}$ defined by $\pi((a_{1},\dots,a_{n+m}))=(a_{1},\dots,a_{n})$ induces a bijection $\pi|_{T}:\;T\longrightarrow S$ .

The relation $\equiv_{n}$ has the following useful properties.

Remark 3.5.

Let $F$ be a logical formula involving the variables $X_{1},\dots,X_{n}$ , and let $G$ be a formula involving the variables $X_{1},\dots,X_{n},Y_{1},\dots,Y_{m}$ .

(a)

If we have $\operatorname{\mathcal{S}}(F)\equiv_{n}\operatorname{\mathcal{S}}(G)$ then the formulas $F$ and $G$ are clearly equisatisfiable. More precisely, the satisfying assignments of $G$ are in one-to-one correspondence with the satisfying assignments of $F$ via the projection $\pi$ to the first $n$ coordinates.
(b)

In general, the relation $\equiv_{n}$ is not symmetric, but it is transitive in the following sense. Let $k,m,n\in{\mathbb{N}}$ , let $S\subseteq{\mathbb{F}}_{2}^{n}$ , let $T\subseteq{\mathbb{F}}_{2}^{n+m}$ , and let $U\subseteq{\mathbb{F}}_{2}^{n+m+k}$ . If we have $S\equiv_{n}T$ and $T\equiv_{n+m}U$ then $S\equiv_{n}U$ .
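For finite sets given explicitly, the relation $\equiv_{n}$ can be tested directly. The following sketch (the function name `equiv_n` and the sample sets are hypothetical) checks that the projection to the first $n$ coordinates is injective on $T$ and has image $S$, and it illustrates the transitivity stated in part (b).

```python
def equiv_n(S, T, n):
    """True if projecting T onto the first n coordinates is a bijection onto S."""
    images = [t[:n] for t in T]
    injective = len(set(images)) == len(images)
    return injective and set(images) == set(S)

S = {(0,), (1,)}
T = {(0, 1), (1, 0)}                 # exactly one lift of each point of S
U = {(0, 1, 1), (1, 0, 0)}           # exactly one lift of each point of T
T_bad = {(0, 0), (0, 1), (1, 0)}     # two lifts of (0,), so no bijection
```

Here `equiv_n(S, T, 1)` and `equiv_n(T, U, 2)` hold, and so does `equiv_n(S, U, 1)`, whereas `T_bad` fails because the projection is not injective.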

The following lemma provides the key step for the reduction of formulas in XNF to 2-XNF. It can be easily verified using a truth table.

Lemma 3.6.

Let $L_{1},L_{2}$ be two linerals, and let $Y$ be an additional logical variable. Then we have

Y\leftrightarrow(L_{1}\lor L_{2})\;\equiv\;(Y\lor\lnot L_{2})\land(\lnot(Y\oplus L_{1})\lor L_{2}).
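The truth-table verification can be done mechanically. In the short Python check below, the truth values of $Y$, $L_{1}$, $L_{2}$ range over all eight combinations; the function names are ours.

```python
from itertools import product

def lhs(y, l1, l2):
    # Y <-> (L1 or L2)
    return y == (l1 or l2)

def rhs(y, l1, l2):
    # (Y or not L2) and (not (Y xor L1) or L2)
    return (y or not l2) and ((not (y != l1)) or l2)

def lemma_holds():
    """Compare both sides on all 8 rows of the truth table."""
    return all(lhs(y, l1, l2) == rhs(y, l1, l2)
               for y, l1, l2 in product((False, True), repeat=3))

def swapped_holds():
    """The same check with the roles of L1 and L2 exchanged on the right-hand side."""
    return all(lhs(y, l1, l2) == rhs(y, l2, l1)
               for y, l1, l2 in product((False, True), repeat=3))
```

Only the truth values of the two linerals enter the check, so it does not depend on which variables they involve.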

Notice that the left side of the equivalence in this lemma is symmetric in $L_{1}$ and $L_{2}$ . Thus, swapping $L_{1}$ and $L_{2}$ on the right-hand side of the equivalence also yields an equivalent formula. The following Algorithm 1 converts logical formulas in XNF to 2-XNF.

Input: A logical formula $F$ in XNF involving $n$ variables.
Output: A logical formula $G$ in 2-XNF with $\operatorname{\mathcal{S}}(F)\equiv_{n}\operatorname{\mathcal{S}}(G)$.
1 Let $i=0$ and $M=\emptyset$. Write $F=\operatorname*{\bigwedge}_{k=1}^{r}C_{k}$.
2 for $k=1$ to $r$ do
3     while $C_{k}$ contains more than two linerals do
4         Write $C_{k}=\operatorname*{\bigvee}_{j=1}^{s}L_{j}$ with linerals $L_{j}$.
5         Increase $i$ by $1$ and let $Y_{i}$ be a new variable.
6         Replace $C_{k}$ by $(Y_{i}\lor\operatorname*{\bigvee}_{j=3}^{s}L_{j})$.
7         Adjoin $\{(Y_{i}\lor\lnot L_{2}),(\lnot(Y_{i}\oplus L_{1})\lor L_{2})\}$ to $M$.
8     Append $C_{k}$ to $M$.
9 return $\operatorname*{\bigwedge}M$

Algorithm 1 $\mathtt{XNFto2XNF}$ – XNF to 2-XNF Conversion

Proposition 3.7.

Let $F$ be a propositional logic formula in XNF involving $n$ logical variables. Then $\mathtt{XNFto2XNF}$ is an algorithm which returns a logical formula $G$ in 2-XNF such that $\operatorname{\mathcal{S}}(F)\equiv_{n}\operatorname{\mathcal{S}}(G)$ .

Proof.

As the number of linerals in $C_{k}$ is decreased with every execution of Line $6$ , the loop in Lines $3$ - $7$ stops after finitely many iterations. Thus the algorithm terminates after finitely many steps.

To prove correctness, we first observe that every XNF clause which is added to $M$ contains at most two linerals, so the output formula is indeed in 2-XNF. Moreover, by Lemma 3.6, we have

\operatorname{\mathcal{S}}(C_{k})\;\equiv_{n+i-1}\;\operatorname{\mathcal{S}}\big{(}\,(Y_{i}\lor\textstyle{\operatorname*{\bigvee}_{j=3}^{s}}L_{j})\,\land\,(Y_{i}\lor\lnot L_{2})\,\land\,(\lnot(Y_{i}\oplus L_{1})\lor L_{2})\,\big{)}

in Line $5$ of the algorithm. Hence we obtain $\operatorname{\mathcal{S}}(\operatorname*{\bigwedge}M\land C_{k})\equiv_{n+i-1}\operatorname{\mathcal{S}}(\operatorname*{\bigwedge}M^{\prime}\land C_{k}^{\prime})$ in Line $7$, where $M^{\prime}$ and $C_{k}^{\prime}$ denote the values of $M$ and $C_{k}$, respectively, after their modification inside the loop (Lines $3$-$7$). By Remark 3.5.b, this implies $\operatorname{\mathcal{S}}(F)\equiv_{n}\operatorname{\mathcal{S}}(\operatorname*{\bigwedge}M)$ after every iteration of the outer loop (Lines $2$-$8$), and consequently after its termination. ∎

Example 3.8.

Consider the formula $F=X_{1}\lor X_{2}\lor X_{3}$ in 3-CNF. Applying $\mathtt{XNFto2XNF}$ to $F$ yields the logical formula

G\;=\;(Y_{1}\lor X_{3})\,\land\,(Y_{1}\lor\lnot X_{2})\,\land\,(\lnot(Y_{1}\oplus X_{1})\lor X_{2}),

where $Y_{1}$ is a new variable, and we have $\operatorname{\mathcal{S}}(F)\equiv_{3}\operatorname{\mathcal{S}}(G)$ .
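The conversion can be sketched in a few lines of Python. This is a minimal illustration of the steps of $\mathtt{XNFto2XNF}$ under our own assumptions, not the authors' implementation: a lineral is encoded as a hypothetical pair `(vars, c)` that is true if and only if the XOR of the listed variables (0-based indices) together with the bit `c` equals 1, and the brute-force function `sat_set` is only suitable for tiny inputs.

```python
from itertools import product

def negate(lin):
    vars_, c = lin
    return (vars_, c ^ 1)

def xor(lin_a, lin_b):
    # XOR of two linerals: common variables cancel, constants add modulo 2
    return (lin_a[0] ^ lin_b[0], lin_a[1] ^ lin_b[1])

def xnf_to_2xnf(clauses, n):
    """Return (clauses of the 2-XNF formula, total number of variables)."""
    out = []
    next_var = n                      # new variables get the indices n, n+1, ...
    for clause in clauses:
        clause = list(clause)
        while len(clause) > 2:
            l1, l2, rest = clause[0], clause[1], clause[2:]
            y = (frozenset({next_var}), 0)
            next_var += 1
            clause = [y] + rest                      # Y or L3 or ... or Ls
            out.append([y, negate(l2)])              # Y or not L2
            out.append([negate(xor(y, l1)), l2])     # not (Y xor L1) or L2
        out.append(clause)
    return out, next_var

def is_true(lin, a):
    vars_, c = lin
    return (sum(a[i] for i in vars_) + c) % 2 == 1

def sat_set(clauses, n):
    """All satisfying assignments, found by exhaustive search."""
    return {a for a in product((0, 1), repeat=n)
            if all(any(is_true(l, a) for l in c) for c in clauses)}

# The formula F = X1 or X2 or X3 from Example 3.8
F = [[(frozenset({0}), 0), (frozenset({1}), 0), (frozenset({2}), 0)]]
G, total = xnf_to_2xnf(F, 3)
```

On this input the sketch introduces one new variable and produces the three clauses of $G$ (in a different order), and projecting the satisfying assignments of `G` to the first three coordinates recovers those of `F`.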

Remark 3.9.

Suppose a formula $F$ is in $k$ -XNF for some $k\in{\mathbb{N}}$ and contains $r$ XNF clauses. Then $\mathtt{XNFto2XNF}$ introduces at most $r(k-2)$ new variables and $2r(k-2)$ new clauses, since at most $k-2$ new variables are added for each clause. This shows that every formula in CNF can be converted to a formula in 2-XNF in polynomial time. Consequently, the decision problem for 2-XNF instances is NP-complete.

In spite of this seemingly negative worst-case complexity, it is well-known that 2-CNF formulas can be solved in linear time (e.g., see [5]). In Section 4, we will further address how some of the core ideas of 2-CNF solving can be translated to solving formulas in 2-XNF. Finally, note that one can reduce not only the size of the XNF clauses, but also the length of their linerals, i.e., the number of variables they contain, by using additional variables.

Remark 3.10.

Let $L,L_{1},L_{2}$ be linerals with $L\equiv L_{1}\oplus L_{2}$. If $Y$ is an additional logical variable, then we have $L\equiv(L_{1}\oplus Y)\land(L_{2}\oplus\neg Y)$. Repeated application and addition of new variables shows that every XNF formula can be reduced to a 2-XNF formula in which each lineral is an XOR of at most $3$ variables.
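Since the right-hand side involves the extra variable $Y$, we read the equivalence of this remark in the projection sense of Definition 3.4; this reading is our interpretation. Under it, the claim says that for each pair of truth values of $L_{1}$ and $L_{2}$ there is exactly one value of $Y$ satisfying the right-hand side if $L_{1}\oplus L_{2}$ is true, and none otherwise. A brute-force check (with a hypothetical function name) looks as follows.

```python
from itertools import product

def split_is_faithful():
    """Check L1 xor L2 against (L1 xor Y) and (L2 xor not Y) for all truth values."""
    for l1, l2 in product((0, 1), repeat=2):
        # values of Y for which both new linerals are true
        witnesses = [y for y in (0, 1) if (l1 ^ y) and (l2 ^ (1 - y))]
        expected = 1 if (l1 ^ l2) else 0
        if len(witnesses) != expected:
            return False
    return True
```

In each satisfying case the witness is $Y=\lnot L_{1}$, so the new variable is determined by the old ones.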

Better constructions to trade the length of linerals with additional variables can be derived from the methods of [21] and [36].

3.2. 2-XNF Representations of Boolean Polynomials

In order to apply 2-XNF solving algorithms to practical instances, we first need to create tools to convert problems given via Boolean polynomials in ANF to logical formulas in 2-XNF.

A straightforward approach is to search a CNF representation of the problem for XORs of variables, which correspond to XNF clauses of size $1$, as is done for instance in [36]. While this produces XNF instances, in many situations it does not capture the XOR-rich information well. In fact, we should find non-trivial XNF clauses whenever they exist in order to harness the full potential of XNF-SAT solvers. This is why we suggest starting with an ANF representation of the problem under investigation, as it is more compact and uses fewer variables. So, in this section we show how Boolean polynomials can be converted to 2-XNF. To illustrate the algorithm, we apply it to problems with a cryptographic background.

To ease the notation, we switch completely to the algebraic point of view: both the input of our conversion algorithm and its output in 2-XNF are written algebraically. In view of Remark 3.3, the following definition captures this approach.

Definition 3.11 (2-XNF Representation).

Let $I$ be an ideal in ${\mathbb{B}}_{n}$. A set of Boolean polynomials of the form $S=\{f_{1}g_{1},\dots,f_{k}g_{k},\ell_{1},\dots,\ell_{s}\}\subseteq{\mathbb{B}}_{n,m}$ with $f_{i},g_{i},\ell_{j}\in\mathbb{L}_{n}$ is called a 2-XNF representation of $I$ if $\operatorname{\mathcal{Z}}(I)\equiv_{n}\operatorname{\mathcal{Z}}(S)$.

Similarly, a set $S\subseteq{\mathbb{B}}_{n,m}$ as above is called a 2-XNF representation of a Boolean polynomial $f\in{\mathbb{B}}_{n}$ if $S$ is a 2-XNF representation of $\langle f\rangle$ .

Now Proposition 3.7 immediately implies the following result.

Corollary 3.12.

Let $I$ be an ideal in ${\mathbb{B}}_{n}$ . Then there exists a 2-XNF representation of $I$ .

The next proposition shows a direct way to compute 2-XNF representations of certain polynomials. It is an algebraic formulation of Lemma 3.6.

Proposition 3.13.

Let $g=\ell_{1}\ell_{2}+\ell_{3}\in{\mathbb{B}}_{n}$ , where $\ell_{1},\ell_{2},\ell_{3}\in{\mathbb{L}}_{n}$ , and let

S\;=\;\{\ell_{3}(\ell_{2}+1),\;\ell_{2}(\ell_{1}+\ell_{3})\}.

Then we have $\langle S\rangle=\langle g\rangle$ . In particular, the set $S$ is a 2-XNF representation of $g$ .

Proof.

From $g=\ell_{3}(\ell_{2}+1)+\ell_{2}(\ell_{1}+\ell_{3})$ , we obtain $g\in\langle S\rangle$ and hence $\langle g\rangle\subseteq\langle S\rangle$ . Moreover, we have $\ell_{3}(\ell_{2}+1)=(\ell_{2}+1)g\in\langle g\rangle$ and $\ell_{2}(\ell_{1}+\ell_{3})=\ell_{2}g\in\langle g\rangle$ , which implies $S\subseteq\langle g\rangle$ and hence $\langle S\rangle\subseteq\langle g\rangle$ . ∎
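For readers who wish to see the three identities used in this proof spelled out, the following expansion uses only that coefficients lie in ${\mathbb{F}}_{2}$ and that every element of ${\mathbb{B}}_{n}$ is idempotent, so that $\ell_{2}^{2}=\ell_{2}$.

```latex
\begin{align*}
\ell_3(\ell_2+1)+\ell_2(\ell_1+\ell_3)
  &= \ell_2\ell_3+\ell_3+\ell_1\ell_2+\ell_2\ell_3
   = \ell_1\ell_2+\ell_3 = g, \\
(\ell_2+1)\,g
  &= \ell_1\ell_2^2+\ell_2\ell_3+\ell_1\ell_2+\ell_3
   = \ell_1\ell_2+\ell_2\ell_3+\ell_1\ell_2+\ell_3
   = \ell_3(\ell_2+1), \\
\ell_2\,g
  &= \ell_1\ell_2^2+\ell_2\ell_3
   = \ell_1\ell_2+\ell_2\ell_3
   = \ell_2(\ell_1+\ell_3).
\end{align*}
```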

Remark 3.14.

To see the connection with Lemma 3.6, let $L_{1}$ and $L_{2}$ be linerals and let $Y$ be an additional variable. Let $\ell_{1},\ell_{2},\ell_{3}\in{\mathbb{L}}_{n}$ be such that $\langle\ell_{i}\rangle$ is the algebraic representation of $L_{i}$ for $i\in\{1,2\}$ and $\langle\ell_{3}\rangle$ is the algebraic representation of $Y$. Then $\langle\ell_{1}\ell_{2}+\ell_{3}\rangle$ is the algebraic representation of $Y\leftrightarrow(L_{1}\lor L_{2})$, $\langle\ell_{3}(\ell_{2}+1)\rangle$ is the algebraic representation of $(Y\lor\lnot L_{2})$, and $\langle\ell_{2}(\ell_{1}+\ell_{3})\rangle$ is the algebraic representation of $(\lnot(Y\oplus L_{1})\lor L_{2})$.

Proposition 3.13 immediately yields the following Algorithm 2 for computing a 2-XNF representation of a given Boolean polynomial.

Input: A Boolean polynomial $f\in{\mathbb{B}}_{n}$.
Output: A 2-XNF representation of $f$.
1 Set $i=0$ and $M=\emptyset$.
2 for $t\in\operatorname{Supp}(f)$ do
3     while $\deg(t)>1$ do
4         Increase $i$ by $1$ and let $y_{i}$ be a new indeterminate.
5         Write $f=t+f^{\prime}$ and $t=\ell_{1}\ell_{2}s$ where $s$ is a term, $\ell_{1},\ell_{2}$ are distinct indeterminates, and $f^{\prime}\in{\mathbb{B}}_{n,i-1}$.
6         Replace $t$ by $y_{i}s$ and $f$ by $y_{i}s+f^{\prime}$.
7         Adjoin $\{y_{i}(\ell_{2}+1),\;\ell_{2}(\ell_{1}+y_{i})\}$ to $M$.
8 return $M\cup\{f\}$

Algorithm 2 $\mathtt{ANFto2XNF}$ – Boolean Polynomials to 2-XNF

Proposition 3.15.

Let $f\in{\mathbb{B}}_{n}$ . Then $\mathtt{ANFto2XNF}$ is an algorithm which returns a 2-XNF representation $S=\mathtt{ANFto2XNF}(f)$ of $f$ .

Proof.

First we see that in each iteration of the inner loop (Lines $3$ - $7$ ), the degree of $t$ decreases by one, so it eventually reaches 1. Moreover, the polynomial $f$ is updated in Line $6$ in such a way that the term $t$ in the support of $f$ is replaced by a term of smaller degree. Thus the outer loop (Lines $2$ - $7$ ) terminates eventually and the procedure stops in Line $8$ . In particular, at this point $f$ is linear and all elements of $M\cup\{f\}$ are linear or products of two linear polynomials. Hence the output is in 2-XNF.

For the correctness, assume that we are in the $i$-th iteration of the inner loop (Lines $3$-$7$). Denote the values of $f$ and $M$ after the $i$-th iteration by $f_{i}$ and $M_{i}$, respectively. Here we let $M_{0}=\emptyset$ and $f_{0}$ denote the initial input value of $f$. Consider the ideals $J=\langle M_{i-1}\cup\{f_{i-1}\}\rangle\subseteq{\mathbb{B}}_{n,i-1}$ and $J^{\prime}=\langle M_{i-1}\cup\{f_{i-1}\}\cup\{y_{i}+\ell_{1}\ell_{2}\}\rangle\subseteq{\mathbb{B}}_{n,i}$. For $c=(c_{1},\dots,c_{n+i})\in{\mathbb{F}}_{2}^{n+i}$, we see that $c\in\operatorname{\mathcal{Z}}(J^{\prime})$ if and only if $(c_{1},\dots,c_{n+i-1})\in\operatorname{\mathcal{Z}}(J)$ and $c_{n+i}=(\ell_{1}\ell_{2})(c_{1},\dots,c_{n+i-1})$. Hence $\operatorname{\mathcal{Z}}(J)\equiv_{n+i-1}\operatorname{\mathcal{Z}}(J^{\prime})$.

Now observe that $f_{i}=f_{i-1}+s(\ell_{1}\ell_{2}+y_{i})\equiv f_{i-1}\mod J^{\prime}$ , and hence $J^{\prime}=\langle M_{i-1}\cup\{f_{i}\}\cup\{y_{i}+\ell_{1}\ell_{2}\}\rangle$ . Thus Proposition 3.13 shows $J^{\prime}=\langle M_{i}\cup\{f_{i}\}\rangle$ . Therefore we have $\operatorname{\mathcal{Z}}(f_{0})\equiv_{n}\operatorname{\mathcal{Z}}(M\cup\{f\})$ after every iteration of the inner loop, i.e., the output in Line $8$ is indeed a 2-XNF representation of the input $f$ . ∎

Example 3.16.

Consider the polynomial $f=x_{1}x_{2}x_{3}\in{\mathbb{B}}_{3}$ . The ideal $\langle f\rangle$ is the algebraic representation of the clause $\neg X_{1}\lor\neg X_{2}\lor\neg X_{3}$ . We introduce a new indeterminate $y_{1}$ and construct the ideal

I\;=\;\langle\,f,y_{1}+x_{1}x_{2}\,\rangle\;=\;\langle\,y_{1}x_{3},\,y_{1}(x_{2}+1),\,x_{2}(x_{1}+y_{1})\,\rangle\;\subseteq{\mathbb{B}}_{3,1}.

Then we have $\operatorname{\mathcal{Z}}(f)\equiv_{3}\operatorname{\mathcal{Z}}(I)$ , which shows that the set $S=\{y_{1}x_{3},\,y_{1}(x_{2}+1),\,x_{2}(x_{1}+y_{1})\}\subseteq{\mathbb{B}}_{3,1}$ is a 2-XNF representation of $f$ . Notice that $S$ corresponds to the 2-XNF formula

(\neg Y_{1}\lor\neg X_{3})\,\land\,(\neg Y_{1}\lor X_{2})\,\land\,(\neg X_{2}\lor\neg(X_{1}\oplus Y_{1})\,)

in the variables $X_{1},X_{2},X_{3},Y_{1}$ .
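The conversion can be tried out on small inputs. The following Python sketch is only an illustration under stated assumptions, not the authors' implementation: a Boolean polynomial is stored as a set of terms, each term is a frozenset of variable names, the new indeterminates are named `y1`, `y2`, ... (so the input must not use these names), and the sketch always processes a term of maximal degree instead of iterating over the support in a fixed order. The helper names `lin`, `evaluate`, `anf_to_2xnf` and `same_zeros` are hypothetical. The last function checks by brute force that the zeros of the input are exactly the projections of the common zeros of the output.

```python
from itertools import product

ONE = frozenset()  # the empty term, i.e. the constant 1


def lin(*names, const=0):
    """Linear polynomial x_a + x_b + ... (+ 1), stored as a set of terms."""
    terms = {frozenset({v}) for v in names}
    return frozenset(terms | {ONE}) if const else frozenset(terms)


def evaluate(p, a):
    """Value in F_2 of the polynomial p at the assignment a (name -> 0/1)."""
    return sum(all(a[v] for v in t) for t in p) % 2


def anf_to_2xnf(f):
    """Return clauses (tuples of one or two linear factors) for the polynomial f."""
    f, clauses, i = set(f), [], 0
    while True:
        t = max(f, key=len, default=ONE)      # a term of maximal degree
        if len(t) <= 1:
            break                             # f is linear now
        i += 1
        y = f"y{i}"                           # new indeterminate y_i (assumed unused)
        l1, l2 = sorted(t)[:2]                # t = l1 * l2 * s
        s = t - {l1, l2}
        f.remove(t)
        f.add(s | {y})                        # replace t by y_i * s
        clauses.append((lin(y), lin(l2, const=1)))   # y_i (l2 + 1)
        clauses.append((lin(l2), lin(l1, y)))        # l2 (l1 + y_i)
    return clauses + [(frozenset(f),)]


def same_zeros(f0, clauses, xs):
    """Brute-force check of the 2-XNF representation property on the variables xs."""
    ys = sorted({v for c in clauses for l in c for t in l for v in t} - set(xs))
    for xa in product((0, 1), repeat=len(xs)):
        a = dict(zip(xs, xa))
        extends = any(
            all(any(evaluate(l, {**a, **dict(zip(ys, ya))}) == 0 for l in c) for c in clauses)
            for ya in product((0, 1), repeat=len(ys))
        )
        if extends != (evaluate(f0, a) == 0):
            return False
    return True
```

For $f=x_{1}x_{2}x_{3}$ this sketch introduces two new indeterminates and returns four products of two linear polynomials together with one linear polynomial, since it reduces every term down to degree 1.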

Notice that $\mathtt{ANFto2XNF}$ employs Proposition 3.13 only for replacing products of two indeterminates. For quadratic polynomials, this uses one additional variable for every non-linear term. With the following optimised Algorithm 3, one may replace more than one term at a time.

Input : A Boolean polynomial $f\in{\mathbb{B}}_{n}$ with $\deg(f)\leq 2$

Output : A 2-XNF representation of $f$

1 Let $i=0$ and $M=\emptyset$

2 while $\deg(f)=2$ do

3 Increase $i$ by $1$ and let $y_{i}$ be a new indeterminate.

4 Write $f=\ell_{1}\ell_{2}+f^{\prime}$ for distinct $\ell_{1},\ell_{2}\in{\mathbb{L}}_{n}$ and for $f^{\prime}\in{\mathbb{B}}_{n,i-1}$ such that $\operatorname{Supp}(f^{\prime})$ contains fewer non-linear terms than $\operatorname{Supp}(f)$

5 Set $f=y_{i}+f^{\prime}$

6 Adjoin $\{y_{i}(\ell_{2}+1),~\ell_{2}(\ell_{1}+y_{i})\}$ to $M$

7 return $M\cup\{f\}$

Algorithm 3 $\mathtt{QANFto2XNF}$ – Quadratic Boolean Polynomials to 2-XNF

Proposition 3.17.

Let $f\in{\mathbb{B}}_{n}$ with $\deg(f)\leq 2$ . Then $\mathtt{QANFto2XNF}$ is an algorithm which returns a 2-XNF representation $S=\mathtt{QANFto2XNF}(f)$ of $f$ .

Proof.

After each iteration of the loop (Lines $2$ - $6$ ), the support of $f$ contains fewer non-linear terms. Therefore $f$ eventually becomes linear and the loop terminates.

For proving correctness, consider the iterations of the loop. As in Proposition 3.15, we see that $\langle M_{i-1}\cup\{f_{i-1}\}\cup\{y_{i}+\ell_{1}\ell_{2}\}\rangle=\langle M_{i}\cup\{f_{i}\}\rangle$ , where $M_{i}$ and $f_{i}$ denote the values of $M$ and $f$ after the $i$ -th iteration, and $f_{0}$ is the initial value of $f$ . In particular, this shows that we have $\operatorname{\mathcal{Z}}(f_{0})\equiv_{n}\operatorname{\mathcal{Z}}(M\cup\{f\})$ after every iteration. Thus the output is a 2-XNF representation of the input $f$ . ∎

To implement Line $4$ of $\mathtt{QANFto2XNF}$ efficiently, we may use different approaches. The following remark collects some of them.

Remark 3.18.

Let $f\in{\mathbb{B}}_{n}$ be of degree $\leq 2$ . In order to find $\ell_{1},\ell_{2}\in{\mathbb{L}}_{n}$ such that $\operatorname{Supp}(f-\ell_{1}\ell_{2})$ contains fewer quadratic terms than $\operatorname{Supp}(f)$ , we may use one of the following methods.

(a)

Write $f=x_{i}\ell_{i}+g_{i}$ with $i\in\{1,\dots,n\}$ and $\ell_{i}\in{\mathbb{L}}_{n}\setminus{\mathbb{F}}_{2}$ such that no term in the support of $g_{i}$ is divisible by $x_{i}$ . Then the support of $f-x_{i}\ell_{i}=g_{i}$ is a proper subset of $\operatorname{Supp}(f)$ . In particular, it contains fewer quadratic terms. Repeating this step requires at most $n-1$ substitutions until all non-linear terms in $f$ have been replaced. Hence any quadratic polynomial $f\in{\mathbb{B}}_{n}$ has a 2-XNF representation that uses at most $n-1$ additional indeterminates, even though the support of $f$ may contain up to $\binom{n}{2}$ quadratic terms.

(b)

Let $y_{1},\dots,y_{n},z_{1},\dots,z_{n}$ be new indeterminates, and let

G\;=\;(y_{1}x_{1}+\cdots+y_{n}x_{n})\cdot(z_{1}x_{1}+\cdots+z_{n}x_{n})\in{\mathbb{B}}_{n}[y_{1},\dots,y_{n},z_{1},\dots,z_{n}]

be a product of two generic linear Boolean polynomials. By multiplying out, we obtain a representation

G\;=\;\textstyle\sum\limits_{1\leq i<j\leq n}G_{ij}x_{i}x_{j}+\textstyle\sum\limits_{k=1}^{n}H_{k}x_{k}

with $G_{ij},H_{k}\in{\mathbb{F}}_{2}[y_{1},\dots,y_{n},z_{1},\dots,z_{n}]$ .

Write $f=\sum_{1\leq i<j\leq n}f_{ij}x_{i}x_{j}+\sum_{k=1}^{n}f_{k}x_{k}+f_{0}$ with $f_{ij},f_{k},f_{0}\in{\mathbb{F}}_{2}$ . If we find a tuple $c=(a_{1},\dots,a_{n},b_{1},\dots,b_{n})\in{\mathbb{F}}_{2}^{2n}$ such that as many of the equations $f_{ij}=G_{ij}(c)$ as possible are satisfied, then the linear Boolean polynomials $\ell_{1}=a_{1}x_{1}+\cdots+a_{n}x_{n}$ and $\ell_{2}=b_{1}x_{1}+\cdots+b_{n}x_{n}$ satisfy the property that $f-\ell_{1}\ell_{2}$ contains as few quadratic terms in its support as possible. Such a tuple $c$ can be found using an OMT solver, e.g., using $\mathtt{OptiMathSAT}$ (see [37]), or by rephrasing the optimization problem as a MaxSAT problem and using an adequate solver, e.g., using $\mathtt{MaxHS}$ (see [16]).
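Method (a) of this remark is simple enough to sketch in a few lines. The following Python code is an illustration under assumptions, not the authors' implementation: polynomials are sets of terms, terms are frozensets of variable names, the new indeterminates are named `y1`, `y2`, ... (assumed not to occur in the input), and the indeterminate $x_{i}$ is chosen as the smallest name occurring in a quadratic term. The function name `qanf_to_2xnf` is hypothetical.

```python
ONE = frozenset()  # the empty term, i.e. the constant 1


def qanf_to_2xnf(f):
    """Clauses (tuples of linear factors) for a polynomial f of degree <= 2."""
    f, clauses, i = set(f), [], 0
    while any(len(t) == 2 for t in f):
        # pick an indeterminate x occurring in a quadratic term
        x = min(v for t in f if len(t) == 2 for v in t)
        hit = {t for t in f if x in t}             # the terms of x * ell
        ell = frozenset(t - {x} for t in hit)      # so that f = x * ell + g
        i += 1
        y = f"y{i}"                                # new indeterminate y_i (assumed unused)
        f = (f - hit) | {frozenset({y})}           # f = y_i + g
        y_poly = frozenset({frozenset({y})})
        x_plus_y = frozenset({frozenset({x}), frozenset({y})})
        clauses.append((y_poly, ell ^ {ONE}))      # y_i (ell + 1)
        clauses.append((ell, x_plus_y))            # ell (x + y_i)
    return clauses + [(frozenset(f),)]
```

Each pass removes every term divisible by the chosen indeterminate, so the number of passes, and hence of new indeterminates, is bounded by the number of indeterminates that occur in quadratic terms.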

The strategy of part (b) works well on small inputs, say polynomials having fewer than 20 indeterminates. For cases involving larger numbers of indeterminates, it is better to combine part (a) with the next observation.

Lemma 3.19.

Let $f\in{\mathbb{B}}_{n}$ and $\ell_{1},\ell_{2},\ell_{1}^{\prime},\ell_{2}^{\prime}\in{\mathbb{L}}_{n}$ with $\operatorname{Supp}(\ell_{1}\ell_{2})\subseteq\operatorname{Supp}(f)$ and $\operatorname{Supp}(\ell_{1}^{\prime}\ell_{2}^{\prime})\subseteq\operatorname{Supp}(f)$ . Then we have $\operatorname{Supp}(m_{1}m_{2})\subseteq\operatorname{Supp}(f)$ for

m_{1}=\textstyle\sum(\operatorname{Supp}(\ell_{1})\cup\operatorname{Supp}(\ell_{1}^{\prime}))\quad\text{and}\quad m_{2}=\textstyle\sum(\operatorname{Supp}(\ell_{2})\cap\operatorname{Supp}(\ell_{2}^{\prime})).

Proof.

Let $t=x_{i_{1}}x_{i_{2}}\in\operatorname{Supp}(m_{1}m_{2})$ where $x_{i_{1}}\in\operatorname{Supp}(m_{1})$ and $x_{i_{2}}\in\operatorname{Supp}(m_{2})$ . Then $x_{i_{1}}\in\operatorname{Supp}(\ell_{1})$ or $x_{i_{1}}\in\operatorname{Supp}(\ell_{1}^{\prime})$ , and $x_{i_{2}}\in\operatorname{Supp}(\ell_{2})\cap\operatorname{Supp}(\ell_{2}^{\prime})$ . This shows $x_{i_{1}}x_{i_{2}}\in\operatorname{Supp}(\ell_{1}\ell_{2})$ or $x_{i_{1}}x_{i_{2}}\in\operatorname{Supp}(\ell_{1}^{\prime}\ell_{2}^{\prime})$ . Both imply $t\in\operatorname{Supp}(f)$ . ∎

Using the method of Remark 3.18.a, we can now find many distinct pairs $(\ell_{1},\ell_{2})\in{\mathbb{L}}_{n}^{2}$ with $\operatorname{Supp}(\ell_{1}\ell_{2})\subseteq\operatorname{Supp}(f)$ . Applying the Lemma randomly to two such pairs of linear polynomials, we find more pairs $(m_{1},m_{2})\in{\mathbb{L}}_{n}^{2}$ with $\operatorname{Supp}(m_{1}m_{2})\subseteq\operatorname{Supp}(f)$ . Repeating this procedure for some time can generate many non-trivial such pairs, and we can simply choose the one which eliminates the most non-linear terms. This has proven to produce very good results, even for polynomials with a high number of indeterminates.

Example 3.20.

Let us apply Algorithm $\mathtt{QANFto2XNF}$ to the Boolean polynomial $f=x_{1}x_{3}+x_{2}x_{3}+x_{1}x_{4}+x_{2}x_{4}+x_{1}\in{\mathbb{B}}_{4}$ . In Line 4 we try to cancel out as many non-linear terms as possible, following the above approach. Using Remark 3.18.a, we see that $\operatorname{Supp}(\,x_{1}\cdot(x_{3}+x_{4}+1)\,)\,\subseteq\,\operatorname{Supp}(f)$ and $\operatorname{Supp}(\,x_{2}\cdot(x_{3}+x_{4})\,)\,\subseteq\,\operatorname{Supp}(f)$ . By applying Lemma 3.19 with $m_{1}=x_{1}+x_{2}$ and $m_{2}=x_{3}+x_{4}$ , we get $\operatorname{Supp}(m_{1}m_{2})\subseteq\operatorname{Supp}(f)$ . Let $y_{1}$ be a new indeterminate and write $f=m_{1}m_{2}+x_{1}$ . Now we replace $f$ by $y_{1}+x_{1}$ and set

M\;=\;\{\,y_{1}(x_{3}+x_{4}+1),\,(x_{3}+x_{4})(x_{1}+x_{2}+y_{1})\,\}.

Notice that the loop now ends, as $f$ is linear, and the 2-XNF representation $\{f\}\cup M$ of $f$ is returned. This corresponds to the 2-XNF formula

\left(\neg Y_{1}\lor(X_{3}\oplus X_{4})\right)\,\land\,(\neg(X_{3}\oplus X_{4})\lor\neg(X_{1}\oplus X_{2}\oplus Y_{1}))\,\land\,\neg(Y_{1}\oplus X_{1})

in the variables $X_{1},X_{2},X_{3},X_{4},Y_{1}$ .
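The merging step of Lemma 3.19 used in this example can be replayed mechanically. The Python sketch below is an illustration only: it assumes that polynomials are stored as frozensets of terms and terms as frozensets of variable names, and the function names `mul`, `merge` and `quadratic_terms_removed` are hypothetical. Since the sketch does not rely on the lemma blindly, it checks the support condition explicitly before counting the cancelled terms.

```python
def mul(p, q):
    """Product of two Boolean polynomials (sets of terms), using x * x = x."""
    out = set()
    for s in p:
        for t in q:
            out ^= {s | t}          # terms that appear twice cancel over F_2
    return frozenset(out)


def merge(pair_a, pair_b):
    """Lemma 3.19: union of the first supports, intersection of the second ones."""
    (l1, l2), (k1, k2) = pair_a, pair_b
    return l1 | k1, l2 & k2


def quadratic_terms_removed(f, m1, m2):
    """Number of quadratic terms of f cancelled by m1 * m2, or None if
    Supp(m1 * m2) is not contained in Supp(f)."""
    prod = mul(m1, m2)
    if not prod <= f:
        return None
    return sum(len(t) == 2 for t in prod)
```

Applied to the two pairs $(x_{1},\,x_{3}+x_{4}+1)$ and $(x_{2},\,x_{3}+x_{4})$ from the example, `merge` yields $(x_{1}+x_{2},\,x_{3}+x_{4})$ , and the merged product cancels all four quadratic terms of $f$ , whereas each original pair cancels only two.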

After discussing the effective computation of 2-XNF representations of individual polynomials, we now turn our attention to Boolean polynomial ideals given by several generators. In this case we can avail ourselves of the following approaches.

Remark 3.21.

Let $f_{1},\dots,f_{s}\in{\mathbb{B}}_{n}\setminus\{0\}$ , and let $I=\langle f_{1},\dots,f_{s}\rangle$ . The following methods can be applied to find a 2-XNF representation of $I$ .

(a)

The most basic approach is to apply $\mathtt{ANFto2XNF}$ (or $\mathtt{QANFto2XNF}$ ) to $f_{i}$ for $i\in\{1,\dots,s\}$ and to combine the individual 2-XNF representations to get one for $I$ . Unfortunately, this tends to introduce more additional variables than necessary, since the same terms in different polynomials will be replaced with distinct additional indeterminates.

(b)

If $f_{1},\dots,f_{s}$ are quadratic, the problem in (a) can be counteracted as follows. During the computation of the 2-XNF representations of the $f_{1},\dots,f_{s}$ , we remember how the additional indeterminates $y_{1},\dots,y_{m}$ were used to substitute products $\ell_{11}\ell_{12},\dots,\ell_{m1}\ell_{m2}$ in the execution of Lines $4$ - $5$ of $\mathtt{QANFto2XNF}$ . After those individual conversions, we compute an ${\mathbb{F}}_{2}$ -basis $\{h_{1},\dots,h_{t}\}\subseteq{\mathbb{L}}_{m}$ of the set of relations

\{g\in{\mathbb{L}}_{m}\mid g(\ell_{11}\ell_{12},\dots,\ell_{m1}\ell_{m2})=0\}.

Then we return the union of all the individual 2-XNF representations and $\{h_{1},\dots,h_{t}\}$ . Each of these linear Boolean polynomials eliminates one variable in the process of computing $\operatorname{\mathcal{Z}}(I)$ .

In particular, instances coming from cryptographic attacks can be converted efficiently using those approaches. In many ciphers the only non-linearity appears in the so-called S-Boxes. Usually, these involve only a small number of indeterminates, i.e., they can be represented by relatively few non-linear polynomials in a small number of indeterminates. To illustrate this approach, let us examine the encryption map of the $\mathtt{Ascon}$ cryptosystem (see [18]) which has been selected for the standardization of lightweight ciphers by NIST.

Example 3.22.

As specified in [18], the $\mathtt{Ascon}$ cryptosystem is a 128-bit lightweight cipher.

(a)

Let $s\colon{\mathbb{F}}_{2}^{5}\to{\mathbb{F}}_{2}^{5}$ be the 5-bit S-box used in the $\mathtt{Ascon}$ cipher. Consider the Boolean polynomial ring ${\mathbb{B}}_{5,5}={\mathbb{F}}_{2}[x_{1},\dots,x_{5},y_{1},\dots,y_{5}]$ and let $I\subseteq{\mathbb{B}}_{5,5}$ be the vanishing ideal of the set of points $\{(a,s(a))\mid a\in{\mathbb{F}}_{2}^{5}\}\,\subseteq\,{\mathbb{F}}_{2}^{10}$ . Using [6], we know that $I$ is generated by five quadratic polynomials in ${\mathbb{B}}_{5,5}$ . Applying $\mathtt{QANFto2XNF}$ together with the method from Remark 3.18.b and Remark 3.21.b, we obtain a 2-XNF representation of $I$ consisting of $10$ products of two linear polynomials and not a single additional indeterminate.
(b)

Altogether, these methods construct a 2-XNF representation of the entire $\mathtt{Ascon\text{-}128}$ cipher (processing $8$ bytes of plaintext) involving as few as $6080$ variables and $17\,664$ clauses.

For comparison, converting the same polynomials to CNF using $\mathtt{PolyBoRi}$ (see [9]) requires $12\,224$ variables and $137\,739$ clauses, the methods from [29] require $55\,825$ variables and $214\,024$ clauses, and the conversion tool within $\mathtt{Bosphorus}$ (see [11]) requires $49\,289$ variables and $1\,424\,034$ clauses for the logical representation of the cipher.

This shows that encoding XOR-rich formulas in 2-XNF yields far more compact representations than state-of-the-art conversions to sets of CNF clauses.

Remark 3.23.

To efficiently store instances in XNF, we suggest a variant of the established DIMACS standard for CNFs: in the place of literals (encoded as -L or L) we encode linerals as literals connected (without whitespace) with the symbol +. Then the $\mathtt{Ascon}$ S-Box has the following XNF-representation:

p xnf 10 10
-2 4+5+6 0
2+3 -1+2+4+5+7 0
-1 2+3+9 0
-2+3 1+5+7 0
-2 1+4+10 0
1 -4 2+3+8 0
1 -2+3+4+5+9 0
2 -1+3+4+6 0
2 -4+5+10 0
4 2+3+5+8 0

Note that solvers supporting this encoding can also process usual DIMACS CNF files correctly.
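A reader for this file format needs only a small change compared to a DIMACS CNF reader. The following Python sketch shows one possible way to do it. It is not the parser of the authors' solver, and the names `parse_lineral` and `parse_xnf` as well as the chosen data layout are assumptions: a lineral is stored as a pair consisting of the set of variables that are XORed and a flag recording whether an odd number of its literals is negated, and a clause is the list of linerals read up to the terminating `0`.

```python
def parse_lineral(token):
    """Parse e.g. '-2+3' into (frozenset({2, 3}), True)."""
    variables, negated = set(), False
    for literal in token.split("+"):
        n = int(literal)
        negated ^= n < 0           # every negated literal flips the constant
        variables ^= {abs(n)}      # a variable XORed with itself cancels
    return frozenset(variables), negated


def parse_xnf(text):
    """Return (header, clauses) for a string in the XNF variant of DIMACS."""
    header, clauses, current = None, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("c"):      # skip blank and comment lines
            continue
        if line.startswith("p"):                  # problem line: p xnf <vars> <clauses>
            _, fmt, n_vars, n_clauses = line.split()
            header = (fmt, int(n_vars), int(n_clauses))
            continue
        for token in line.split():
            if token == "0":                      # end of the current clause
                clauses.append(current)
                current = []
            else:
                current.append(parse_lineral(token))
    return header, clauses
```

Because a plain literal such as `-3` is parsed as a lineral with a single variable, ordinary CNF clauses are read by the same code, and several clauses on one line are split at their `0` terminators.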

4. Graph-based 2-XNF SAT Solving

It is well-known that a satisfying assignment of a 2-CNF instance $F$ , i.e., a propositional logic formula in CNF where every clause has at most two literals, can be found with linear time and space complexity (see [5]). The key idea is to express the formula $F$ by a (directed) implication graph whose set of vertices is the set of literals occurring in $F$ and their respective negations, and for which every clause $L_{i}\lor L_{j}$ of $F$ corresponds to the pair of edges $(\neg L_{i},L_{j})$ and $(\neg L_{j},L_{i})$ . Then a greedy algorithm working along a topological ordering of the strongly connected components of this graph constructs a satisfying assignment. In this section we present a graph-based 2-XNF solver that follows a DPLL approach where the above ideas form the basis of the in-processing step.

4.1. Implication Graph Structures

Recall that, for a propositional logic formula $F$ in 2-XNF, the algebraic representation $I_{F}\subseteq{\mathbb{B}}_{n}$ is of the form

I_{F}=\langle f_{1}g_{1},\dots,f_{k}g_{k},\ell_{1},\dots,\ell_{s}\rangle\subseteq{\mathbb{B}}_{n}

for some $f_{i},g_{i},\ell_{j}\in{\mathbb{L}}_{n}$ . Based on the central idea of implication graph based linear time 2-CNF solving, we introduce the following notion.

Definition 4.1 (Implication Graph Structures).

Let $F$ be a formula in 2-XNF.

(a)
A tuple $(L,V,E)$ , where $L,V\subseteq{\mathbb{L}}_{n}$ and $E\subseteq V^{2}$ , is called an implication graph structure (IGS) for $F$ if the following conditions are satisfied:
- (1)
  
  $I_{F}=\langle L\rangle+\langle fg\mid(f+1,g)\in E\rangle$ .
- (2)
  
  (Skew-Symmetry) For all $(f+1,g)\in E$ , we have $(g+1,f)\in E$ .
- (3)
  
  For all $f\in V$ , we have $(f,f)\notin E$ .

(b)

Let $\sigma$ be a term ordering. An IGS $(L,V,E)$ for $F$ is called $\sigma$ -reduced if the polynomials in $L$ have pairwise distinct leading terms and

\mathop{\rm LT}\nolimits_{\sigma}(L)\cap\textstyle\bigcup_{f\in V}\operatorname{Supp}(f)=\emptyset.

For an IGS $(L,V,E)$ , the pair $(V,E)$ is clearly a graph. Such graphs are called implication graphs in view of the following observation.

Remark 4.2.

Let $(L,V,E)$ be an IGS for a formula $F$ , and let $(f,g)\in E$ . By definition, we then have $(f+1)g\in I_{F}$ , and therefore

f\in I_{F}\quad\implies\quad g\;=\;fg+(f+1)g\in I_{F}.

In other words, if the source node of an edge in the graph $(V,E)$ is contained in the ideal $I_{F}$ , then its target node is in $I_{F}$ , too. The set $L$ simply collects all known linear information of $I_{F}$ .

Given an IGS $G=(L,V,E)$ for a formula $F$ , a sequence $f_{1},\dots,f_{s}\in V$ with $(f_{i},f_{i+1})\in E$ for $i\in\{1,\dots,s-1\}$ is called a path in $G$ . In this case we also write $f_{1}\to f_{s}$ .

Lemma 4.3.

Let $G$ be an IGS for a formula $F$ , and let $f\to g$ be a path in $G$ . Then we have $(f+1)g\in I_{F}$ .

Proof.

Let the path $f\to g$ be given by $(f_{i},f_{i+1})\in E$ for $i\in\{1,\dots,s-1\}$ , where $f=f_{1}$ and $g=f_{s}$ for some $s\in{\mathbb{N}}_{+}$ . We show the claim by induction on $s$ . For $s=1$ we have $g=f$ , and the statement is true because $(f+1)f=0$ . Now let $s>1$ and assume that the claim is correct for paths of length $s-1$ . Then we have $(f_{2}+1)f_{s}\in I_{F}$ , and by Definition 4.1 also $(f_{1}+1)f_{2}\in I_{F}$ . This shows

(f_{1}+1)f_{s}\;=\;(f_{1}+1)f_{2}f_{s}+(f_{1}+1)(f_{2}+1)f_{s}\in I_{F}.

∎

This lemma implies that the transitive closure $(V,E^{\prime})$ of $(V,E)$ yields an implication graph structure $(L,V,E^{\prime})$ for $F$ . It is easy to find an implication graph structure for a formula in 2-XNF, as the next remark indicates.

Remark 4.4 (Trivial Implication Graph Structures).

Let $F$ be a formula in 2-XNF with an algebraic representation of the form

I_{F}\;=\;\langle f_{1}g_{1},\dots,f_{k}g_{k},\ell_{1},\dots,\ell_{s}\rangle\subseteq{\mathbb{B}}_{n}

where $f_{i},g_{i},\ell_{j}\in{\mathbb{L}}_{n}$ are pairwise distinct.

(a)

Then the implication graph structure $(L,V,E)$ given by $L=\{\ell_{1},\dots,\ell_{s}\}$ ,

V\;=\;\bigcup_{i=1}^{k}\,\{\,f_{i},\,f_{i}+1,\,g_{i},\,g_{i}+1\,\},\hbox{\quad and\quad}E\;=\;\bigcup_{i=1}^{k}\,\{\;(f_{i}+1,g_{i}),\,(g_{i}+1,f_{i})\;\}

is called the trivial implication graph structure for $F$ .

(b)

The implication graph structure $(L,V,E)$ given by $L=\{\ell_{1},\dots,\ell_{s}\}$ ,

V\;=\;\{\,f_{i},\,f_{i}+1,\,g_{i},\,g_{i}+1,\,f_{i}+g_{i},\,f_{i}+g_{i}+1\;\mid 1\leq i\leq k\},\hbox{\ and}

E\;=\;\bigcup_{i=1}^{k}\{\;(f_{i}+1,g_{i}),\,(f_{i}+1,f_{i}+g_{i}+1),\,(f_{i}+g_{i},g_{i})\;\}\;\cup\;\bigcup_{i=1}^{k}\{\;(g_{i}+1,f_{i}),\,(f_{i}+g_{i},f_{i}),\,(g_{i}+1,f_{i}+g_{i}+1)\;\}

is called the extended trivial implication graph structure for $F$ .

In both cases the size of the graph $(V,E)$ is linear in the input size of the formula $F$ , because we have $\#V\leq 6k$ and $\#E\leq 6k$ .
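Both constructions are easy to write down once a data representation is fixed. The following Python sketch is an illustration under assumptions and not the data structure of the authors' solver: a linear polynomial is encoded as an integer whose bit $0$ stands for the constant $1$ and whose bit $j$ stands for $x_{j}$ , so that $f+1$ becomes `f ^ 1` and $f+g$ becomes `f ^ g`. The function names `trivial_igs` and `is_skew_symmetric` are hypothetical, and degenerate products with $g=f$ or $g=f+1$ are assumed to have been removed beforehand.

```python
def trivial_igs(products, linears, extended=False):
    """Build (L, V, E) from pairs (f, g) of linear factors and linear generators."""
    E = set()
    for f, g in products:
        E |= {(f ^ 1, g), (g ^ 1, f)}
        if extended:
            E |= {(f ^ 1, f ^ g ^ 1), (f ^ g, g),
                  (g ^ 1, f ^ g ^ 1), (f ^ g, f)}
    # the vertices are the endpoints of all edges together with their negations
    V = {v for a, b in E for v in (a, a ^ 1, b, b ^ 1)}
    return set(linears), V, E


def is_skew_symmetric(E):
    """Check that every edge (f + 1, g) comes with the edge (g + 1, f)."""
    return all((b ^ 1, a ^ 1) in E for a, b in E)
```

With this encoding, negating a vertex is a single bit flip, which keeps the skew-symmetry check and the later propagation steps cheap.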

Example 4.5.

Let $F$ be a formula in 2-XNF with algebraic representation

I_{F}=\Big\langle\,(x_{1}+1)x_{2},\,(x_{2}+1)(x_{1}+x_{3}),\,(x_{2}+1)x_{4},\,(x_{5}+x_{2}+1)(x_{1}+x_{3}),\,(x_{1}+x_{3}+1)(x_{1}+x_{2}+x_{3}+1),\,(x_{4}+1)x_{3},\,(x_{5}+1)x_{4}\,\Big\rangle\;\subseteq\;{\mathbb{B}}_{5}.

Then the trivial IGS of $F$ is $(L_{0},V_{0},E_{0})$ where $L_{0}=\emptyset$ and $(V_{0},E_{0})$ is the graph given in Figure 1.

Figure 1. Implication graph $(V_{0},E_{0})$ from Example 4.5.

Our solving algorithm starts with such a trivial IGS for $F$ and improves it gradually by propagation, in-processing and guessing until we arrive at an IGS with an empty graph, i.e., a case where the corresponding ideal is generated just by linear polynomials. Given that the guesses were correct, a satisfying assignment of $F$ can then be deduced immediately from a solution to the corresponding system of linear equations. This improvement is measured in terms of the size of the linear part $L$ and in the size of the graph $(V,E)$ . The following relation specifies this in detail.

Definition 4.6.

Let $F$ be a formula in 2-XNF, and let $G^{\prime}=(L^{\prime},V^{\prime},E^{\prime})$ as well as $G=(L,V,E)$ be two implication graph structures for $F$ . Then we write $G^{\prime}\preceq G$ if and only if $\langle L^{\prime}\rangle_{\mathbb{F}_{2}}\supseteq\langle L\rangle_{\mathbb{F}_{2}}$ and $\#V^{\prime}\leq\#V$ . Moreover, if one of the two conditions is strict, we write $G^{\prime}\prec G$ .

The relation $\preceq$ defines a partial quasi-ordering on the set of all implication graph structures, i.e., it is reflexive, transitive, and by the following lemma it satisfies the descending chain condition. The latter property is the key ingredient for proving finiteness of the upcoming algorithms.

Lemma 4.7 (Descending Chain Condition for Implication Graph Structures).

Let $F$ be a formula in 2-XNF. Then there is no infinite, strictly descending chain of implication graph structures for $F$ .

Proof.

For a contradiction, assume there is an infinite strictly descending chain $(L_{1},V_{1},E_{1})\succ(L_{2},V_{2},E_{2})\succ\cdots$ of implication graph structures for $F$ . By definition, it follows that there is an ascending chain of subspaces $\langle L_{1}\rangle_{\mathbb{F}_{2}}\subseteq\langle L_{2}\rangle_{\mathbb{F}_{2}}\subseteq\cdots$ in ${\mathbb{B}}_{n}$ . Since ${\mathbb{B}}_{n}$ is a finite-dimensional ${\mathbb{F}}_{2}$ -vector space, this chain eventually becomes stationary, i.e., there exists a number $k\in{\mathbb{N}}_{+}$ such that $\langle L_{k}\rangle_{\mathbb{F}_{2}}=\langle L_{i}\rangle_{\mathbb{F}_{2}}$ for all $i\geq k$ . By Definition 4.6, this implies $\#V_{i+1}<\#V_{i}$ for all $i\geq k$ . In this way, the $\#V_{i}$ form a decreasing sequence in ${\mathbb{N}}$ which eventually becomes stationary. Consequently, at some point in the sequence, we have $\langle L_{i+1}\rangle_{\mathbb{F}_{2}}=\langle L_{i}\rangle_{\mathbb{F}_{2}}$ and $\#V_{i+1}=\#V_{i}$ , i.e., the chain is not strictly decreasing. ∎

To conclude this section, we present the updating Algorithm 4 of our solver which computes the $\sigma$ -reduction of any given IGS. The method is an adaptation of Gaußian Constraint Propagation (see [26, Algorithm 5.7]) to implication graph structures. Note that Gaußian Constraint Propagation itself is a generalization of Boolean Constraint Propagation, also known as Unit Propagation, in traditional CNF-based SAT solvers.

Input : An IGS $G$ for a formula $F$ , a term ordering $\sigma$

Output : A $\sigma$ -reduced IGS $G^{\prime}$ for $F$ with $G^{\prime}\preceq G$

1 Write $G=(L,V,E)$ and $\mathop{\rm LT}\nolimits_{\sigma}$ -interreduce $L$

2 Let $(L^{\prime},V^{\prime},E^{\prime})=(L,\emptyset,\emptyset)$

3 for $(f,g)\in E$ do

4 Let $f^{\prime}=\operatorname{NR}_{\sigma}(f,L)$ and $g^{\prime}=\operatorname{NR}_{\sigma}(g,L)$

5 if $f^{\prime}=0$ and $g^{\prime}\neq 0$ then append $g^{\prime}$ to $L^{\prime}$

6 if $g^{\prime}=1$ and $f^{\prime}\neq 1$ then append $f^{\prime}+1$ to $L^{\prime}$

7 if $f^{\prime}\notin{\mathbb{F}}_{2}$ and $g^{\prime}\notin{\mathbb{F}}_{2}$ and $f^{\prime}\neq g^{\prime}$ then

8 append $(f^{\prime},g^{\prime})$ to $E^{\prime}$ , append $f^{\prime}$ and $g^{\prime}$ to $V^{\prime}$

9 if $L\neq L^{\prime}$ then set $(L,V,E)=(L^{\prime},V^{\prime},E^{\prime})$ and go to Line 2

10 else return $(L^{\prime},V^{\prime},E^{\prime})$

Algorithm 4 $\mathtt{GGCP}$ – Graph Gaußian Constraint Propagation

Proposition 4.8.

Let $\sigma$ be a term ordering, let $F$ be a formula in 2-XNF, and let $G$ be an IGS for $F$ . Then $\mathtt{GGCP}$ is an algorithm which returns a $\sigma$ -reduced implication graph structure $G^{\prime}=\mathtt{GGCP}_{\sigma}(G)$ for $F$ such that $G^{\prime}\preceq G$ .

Proof.

Since $(L,V,E)$ is an IGS for $F$ , we have $L\subseteq I_{F}$ and $(f+1)g\in I_{F}$ for every pair $(f,g)\in E$ . Thus we see that $(f^{\prime}+1)g^{\prime}=(\operatorname{NR}_{\sigma}(f,L)+1)\operatorname{NR}_{\sigma}(g,L)\in I_{F}$ holds in Line $4$ .

For $f^{\prime}=0$ , this yields $g^{\prime}\in I_{F}$ , and for $g^{\prime}=1$ , we get $f^{\prime}+1\in I_{F}$ . For all other cases, where $f^{\prime}\in{\mathbb{F}}_{2}$ , $g^{\prime}\in{\mathbb{F}}_{2}$ , or $f^{\prime}=g^{\prime}$ , we have $(f^{\prime}+1)g^{\prime}=0$ , and the corresponding edge can be ignored. This shows that after Lines $3$ - $8$ have been executed, the tuple $G^{\prime}=(L^{\prime},V^{\prime},E^{\prime})$ is indeed an IGS for $F$ . Moreover, $G^{\prime}$ is $\sigma$ -reduced, because for all $f^{\prime}\in V^{\prime}$ we have $\mathop{\rm LT}\nolimits_{\sigma}(L)\cap\operatorname{Supp}(f^{\prime})=\emptyset$ by construction.

Finally, note that we always have $\langle L^{\prime}\rangle_{\mathbb{F}_{2}}\supseteq\langle L\rangle_{\mathbb{F}_{2}}$ and $\#V^{\prime}\leq\#V$ . This implies $G^{\prime}\preceq G$ for every iteration of Lines $2$ - $8$ , and this relation is strict if $L\neq L^{\prime}$ . By Line $9$ , these steps are repeated as long as this is the case, and the implication graph structures $(L^{\prime},V^{\prime},E^{\prime})$ resulting from these iterations form a strictly descending chain. By Lemma 4.7, this chain must be finite, i.e., there can only be finitely many iterations, and the procedure has to terminate in Line $10$ . ∎
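To make the propagation loop concrete, here is a minimal Python sketch of it. It is written under several assumptions and should not be read as the authors' implementation: linear polynomials are integers with bit $0$ for the constant $1$ and bit $j$ for $x_{j}$ , the term ordering is the one in which a higher bit is a larger term, the interreduced set $L$ is kept as a dictionary from leading bit to polynomial, and the test $L\neq L^{\prime}$ is replaced by a comparison of the interreduced bases. The names `nr`, `interreduce` and `ggcp` are hypothetical.

```python
def nr(f, basis):
    """Normal remainder of f modulo an interreduced basis (leading bit -> polynomial)."""
    for lead, p in basis.items():
        if f >> lead & 1:
            f ^= p
    return f


def interreduce(polys):
    """Reduced echelon form of the F_2-span of polys, keyed by leading bit."""
    basis = {}
    for p in polys:
        p = nr(p, basis)
        if p:
            lead = p.bit_length() - 1
            for k in basis:                    # clear the new leading bit elsewhere
                if basis[k] >> lead & 1:
                    basis[k] ^= p
            basis[lead] = p
    return basis


def ggcp(L, E):
    """Propagate the linear polynomials in L through the edges E; returns (L', V', E')."""
    basis = interreduce(L)
    while True:
        new_L, V2, E2 = list(basis.values()), set(), set()
        for f, g in E:
            f2, g2 = nr(f, basis), nr(g, basis)
            if f2 == 0 and g2 != 0:
                new_L.append(g2)               # source vanishes, so the target does too
            if g2 == 1 and f2 != 1:
                new_L.append(f2 ^ 1)           # target is 1, so the source must be 1
            if f2 > 1 and g2 > 1 and f2 != g2:
                E2.add((f2, g2))
                V2 |= {f2, g2}
        new_basis = interreduce(new_L)
        if new_basis == basis:                 # no new linear information was found
            return set(basis.values()), V2, E2
        basis, E = new_basis, E2
```

If the returned linear part contains the polynomial `1`, the formula is unsatisfiable. For instance, starting from $L=\{x_{1}+1\}$ and the edges of the products $x_{1}x_{2}$ and $(x_{2}+1)x_{3}$ , the sketch derives $x_{2}$ and then $x_{3}$ , and the graph becomes empty.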

4.2. Pre-Processing Techniques

In this subsection we present two results which allow us to deduce new information from a given implication graph structure. The first one derives new linerals, and the second one finds new edges between the vertices of a given implication graph. These techniques are computationally rather expensive and should be seen as pre-processing techniques which are only applied once before the main solving procedure.

Definition 4.9.

Let $F$ be a formula in 2-XNF, and let $(L,V,E)$ be an IGS for $F$ .

(a)

The set of descendants of a vertex $f\in V$ is defined by

D_{f}\;=\;\{f\}\cup\{g\in V\mid\;\text{there is a path }f\to g\text{ in }(V,E)\}.

Note that we consider $f$ as a descendant of itself, since we have $(f+1)f=0\in I_{F}$ .

(b)

The vector space $\Delta_{f}=\langle D_{f}\rangle_{\mathbb{F}_{2}}\subseteq{\mathbb{L}}_{n}$ will be called the space of descendants of $f$ .

Note that, for a vector subspace $U$ of ${\mathbb{L}}_{n}$ , we let $1+U=\{f+1\mid f\in U\}$ be the affine subspace of ${\mathbb{L}}_{n}$ representing the negation of $U$ . The space of descendants of $f\in V$ has the following useful properties.

Proposition 4.10.

Let $F$ be a formula in $2$ -XNF, and let $(L,V,E)$ be an implication graph structure for $F$ .

(a)

For all $f\in V$ and $g\in\Delta_{f}$ , we have $(f+1)g\in I_{F}$ .
(b)

Let $f,g\in V$ . If $\Delta_{f}\cap(1+\Delta_{g})\neq\emptyset$ then $(f+1)(g+1)\in I_{F}$ .
(c)

For all $f\in V$ , we have $\Delta_{f}\cap\Delta_{f+1}\subseteq I_{F}$ .

Proof.

To show (a), let $g\in\Delta_{f}$ . We write $g=\sum_{j=1}^{k}g_{j}$ with $g_{j}\in D_{f}$ . By Lemma 4.3, we have $(f+1)g_{j}\in I_{F}$ for $j\in\{1,\dots,k\}$ . Hence we obtain $(f+1)g=\sum_{j=1}^{k}(f+1)g_{j}\in I_{F}$ .

To prove (b), let $h\in\Delta_{f}$ and $h+1\in\Delta_{g}$ . Then (a) implies $(f+1)h\in I_{F}$ and $(g+1)(h+1)\in I_{F}$ . This shows

(f+1)(g+1)=(f+1)h(g+1)+(f+1)(h+1)(g+1)\in I_{F}.

For the proof of (c), let $g\in\Delta_{f}\cap\Delta_{f+1}$ . From (a) we get $(f+1)g\in I_{F}$ and $fg\in I_{F}$ , and therefore $g=fg+(f+1)g\in I_{F}$ . ∎

Example 4.11.

In the situation of Example 4.5, we have $x_{1}+x_{2}\in\Delta_{x_{2}}\cap\Delta_{x_{2}+1}$ . Proposition 4.10.c then implies $x_{1}+x_{2}\in I_{F}$ , and thus $(L_{0}\cup\{x_{1}+x_{2}\},V_{0},E_{0})$ is an IGS for $F$ as well. Let $\sigma=\mathtt{lex}$ and apply $\mathtt{GGCP}_{\mathtt{lex}}$ to this tuple to get an IGS $(L_{1},V_{1},E_{1})$ for $F$ where $L_{1}=\{x_{1}+x_{2}\}$ and $(V_{1},E_{1})$ is the graph given in Figure 2.

Figure 2. Implication graph $(V_{1},E_{1})$ from Example 4.11.
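The membership $x_{1}+x_{2}\in\Delta_{x_{2}}\cap\Delta_{x_{2}+1}$ can be checked by a short computation. The Python sketch below is an illustration under assumptions: linear polynomials are integers with bit $0$ for the constant $1$ and bit $j$ for $x_{j}$ , the descendants are found by a naive graph search, and the intersection of the two spaces of descendants is computed with the Zassenhaus construction, which is one standard choice and not necessarily what the authors' solver uses. All function names are hypothetical.

```python
def descendants(f, E):
    """All vertices reachable from f, including f itself."""
    seen, todo = {f}, [f]
    while todo:
        u = todo.pop()
        for a, b in E:
            if a == u and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen


def reduce_by(v, rows):
    """Reduce v by rows that were produced by span_basis."""
    for r in rows:
        if v >> (r.bit_length() - 1) & 1:
            v ^= r
    return v


def span_basis(vectors):
    """A basis of the F_2-span of the given bit vectors."""
    rows = []
    for v in vectors:
        v = reduce_by(v, rows)
        if v:
            rows.append(v)
    return rows


def intersection(U, W, nbits):
    """Basis of span(U) intersected with span(W), for vectors below 2**nbits."""
    stacked = [(u << nbits) | u for u in span_basis(U)]   # rows (u, u)
    stacked += [w << nbits for w in span_basis(W)]        # rows (w, 0)
    # rows whose upper half vanishes span the intersection
    return [r for r in span_basis(stacked) if r < (1 << nbits)]
```

A polynomial $g$ lies in the intersection if and only if `reduce_by(g, basis)` is zero for the basis returned by `intersection`. By Proposition 4.10.c, every element of that basis may be added to $L$ .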

Using this proposition, we construct the following straightforward pre-processing Algorithm 5. It runs in polynomial time in the size of $F$ and can find new linear information as well as new edges. Notice that numerous intersections of affine ${\mathbb{F}}_{2}$ -subspaces of ${\mathbb{F}}_{2}^{n}$ have to be computed.

Input : An IGS $G$ for a formula $F$ , a term ordering $\sigma$

Output : A $\sigma$ -reduced IGS $G^{\prime}$ for $F$

1 Let $(L^{\prime},V^{\prime},E^{\prime})=\mathtt{GGCP}_{\sigma}(G)$ , let $L_{\mathtt{pp}}=\emptyset$ and let $E_{\mathtt{pp}}=\emptyset$

2 for $f\in V$ do

3 Add a basis of $\Delta_{f}\cap\Delta_{f+1}$ to $L_{\mathtt{pp}}$

4 for $g\in V\setminus\{f+1\}$ do

5 if $\Delta_{f}\cap(1+\Delta_{g})\neq\emptyset$ then add $(f+1,g)$ and $(g+1,f)$ to $E_{\mathtt{pp}}$

6 if $L_{\mathtt{pp}}\neq\emptyset$ or $E_{\mathtt{pp}}\neq\emptyset$ then set $G=(L^{\prime}\cup L_{\mathtt{pp}},V^{\prime},E^{\prime}\cup E_{\mathtt{pp}})$ and go to Line 1

7 else return $(L^{\prime},V^{\prime},E^{\prime})$

Algorithm 5 $\mathtt{PP}$ – (Edge-Extending) Pre-Processing

It is clear that there is room for optimization of this algorithm if $G$ does not contain any cycles. In this case it suffices to check whether $\Delta_{f}\cap(1+\Delta_{g})\neq\emptyset$ (see Line $5$ ) initially only for sources $f,g\in V$ of $G$ , i.e., for vertices with no incoming edges. Only if those spaces have a non-empty intersection do we need to consider their corresponding descendants. (This follows immediately from the fact that $D_{g}\subseteq D_{f}$ if there is a path $f\to g$ .) Even with this optimization, finding new edges is still computationally quite expensive. Hence Lines $4$ and $5$ are skipped in our implementation by default.

4.3. In-Processing Techniques

Next we introduce two algorithms which deduce new linear polynomials from a given implication graph structure more efficiently. Therefore they are suited as default in-processing techniques during the main solving procedure. In particular, the methods we look at here are (partial) generalizations of the notions of equivalent and failed literals, as discussed in [25].

As usual for directed graphs $G=(V,E)$ , a subset $S\subseteq V$ is called a strongly connected component (SCC) of $G$ if, for all $f,g\in S$ , there is a path $f\to g$ in $G$ and if $S$ is maximal with this property. It is well-known that for any directed graph, the set of all SCCs can be computed in $\operatorname{\mathcal{O}}(\#V+\#E)$ space and time (see [40]). The following proposition indicates how these components can be used to deduce new linear information.

Proposition 4.12.

Let $F$ be a formula in 2-XNF, and let $G=(L,V,E)$ be an IGS for $F$ . Denote the set of SCCs of $(V,E)$ by $\mathcal{C}$ .

(a)

Let $\{f_{1},\dots,f_{r}\}\in\mathcal{C}$ . Then $f_{1}+f_{i}\in I_{F}$ for $i\in\{1,\dots,r\}$ .
(b)

If $\#\mathcal{C}$ is odd, then $F$ is unsatisfiable, i.e., we have $I_{F}=\langle 1\rangle$ .

Proof.

Due to the skew-symmetry of implication graph structures, for every strongly connected component $S=\{f_{1},\dots,f_{r}\}\in\mathcal{C}$ also $S+1=\{f_{1}+1,\dots,f_{r}+1\}$ is an SCC of $(V,E)$ .

To show (a), we let $i\in\{1,\dots,r\}$ and note that $f_{1},f_{i}\in S$ implies that there are paths $f_{1}\to f_{i}$ and $f_{i}\to f_{1}$ in $G$ . By the skew-symmetry, we get $f_{1}+1\to f_{i}+1$ . This shows $f_{1},f_{i}\in D_{f_{1}}$ and $f_{1}+1,f_{i}+1\in D_{f_{1}+1}$ , and hence $f_{1}+f_{i}\in\Delta_{f_{1}}$ as well as $f_{1}+f_{i}=(f_{1}+1)+(f_{i}+1)\in\Delta_{f_{1}+1}$ . By Proposition 4.10.c, we thus have $f_{1}+f_{i}\in I_{F}$ .

For the proof of (b), notice that we can write $\mathcal{C}=\{S_{1},\dots,S_{c},S_{1}+1,\dots,S_{c}+1\}$ for some $c\in{\mathbb{N}}$ , where we have $S_{i}\neq S_{j}$ and $S_{i}\neq S_{j}+1$ for $i\neq j$ . If $\#\mathcal{C}$ is odd, there exists an index $i\in\{1,\dots,c\}$ with $S_{i}=S_{i}+1$ . For $f\in S_{i}$ , we then have $f+1\in S_{i}+1=S_{i}$ and thus $1=f+(f+1)\in I_{F}$ by (a). ∎
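Both parts of the proposition translate directly into code. The following Python sketch is an illustration under assumptions: linear polynomials are integers with bit $0$ for the constant $1$ , the vertex set is assumed to be closed under $f\mapsto f+1$ and to contain all endpoints of the edges, and the strongly connected components are computed with Kosaraju's two-pass method, which is swapped in here for simplicity and is not necessarily the algorithm of [40]. The names `sccs` and `scc_linerals` are hypothetical.

```python
def sccs(V, E):
    """Strongly connected components of (V, E) via two depth-first passes."""
    succ = {v: [] for v in V}
    pred = {v: [] for v in V}
    for a, b in E:
        succ[a].append(b)
        pred[b].append(a)
    order, seen = [], set()
    for root in V:                        # first pass: record finishing order
        if root in seen:
            continue
        seen.add(root)
        stack = [(root, iter(succ[root]))]
        while stack:
            v, it = stack[-1]
            w = next((u for u in it if u not in seen), None)
            if w is None:
                order.append(v)
                stack.pop()
            else:
                seen.add(w)
                stack.append((w, iter(succ[w])))
    comps, assigned = [], set()
    for root in reversed(order):          # second pass on the reversed graph
        if root in assigned:
            continue
        assigned.add(root)
        comp, todo = [], [root]
        while todo:
            v = todo.pop()
            comp.append(v)
            for w in pred[v]:
                if w not in assigned:
                    assigned.add(w)
                    todo.append(w)
        comps.append(comp)
    return comps


def scc_linerals(V, E):
    """Linear polynomials f_1 + f_i from part (a), or None if part (b) shows unsatisfiability."""
    comps = sccs(V, E)
    if len(comps) % 2 == 1:
        return None
    return {c[0] ^ f for c in comps for f in c[1:]}
```

For an acyclic graph every component is a single vertex, so the returned set is empty, which is exactly the stopping condition used when cycles are removed by repeated propagation.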

By repeatedly computing all linear polynomials resulting from the strongly connected components and propagating them using $\mathtt{GGCP}$ , one can update a given implication graph structure $(L,V,E)$ such that it contains no cycles, i.e., such that $(V,E)$ becomes a directed acyclic graph (DAG). This is important, as for many graph-theoretic problems there are linear time algorithms if the underlying graph is a DAG. Algorithm 6 performs these updates.

Input : An IGS $G$ for a formula $F$ , a term ordering $\sigma$

Output : An acyclic $\sigma$ -reduced IGS $G^{\prime}$ for $F$ with $G^{\prime}\preceq G$

1 Compute $(L^{\prime},V^{\prime},E^{\prime})=\mathtt{GGCP}_{\sigma}(G)$ and let $L_{\mathtt{SCC}}=\emptyset$

2 Compute the set $\mathcal{C}$ of all strongly connected components of $(V^{\prime},E^{\prime})$

3 if $\#\mathcal{C}$ is odd then return $({\mathbb{L}}_{n},\emptyset,\emptyset)$

4 for $S\in\mathcal{C}$ do

5 Write $S=\{f_{1},\dots,f_{r}\}$ and for all $i\in\{2,\dots,r\}$ append $f_{1}+f_{i}$ to $L_{\mathtt{SCC}}$

6 if $L_{\mathtt{SCC}}\neq\emptyset$ then set $G=(L^{\prime}\cup L_{\mathtt{SCC}},V^{\prime},E^{\prime})$ and go to Line 1

7 else return $(L^{\prime},V^{\prime},E^{\prime})$

Algorithm 6 $\mathtt{crGGCP}$ – cycle-removing GGCP

Proposition 4.13.

Let $\sigma$ be a term ordering, let $F$ be a formula in 2-XNF, and let $G$ be an IGS for $F$ . Then $\mathtt{crGGCP}$ is an algorithm which returns a tuple $G^{\prime}=\mathtt{crGGCP}_{\sigma}(G)$ with the following properties.

(a) The tuple $G^{\prime}=(L^{\prime},V^{\prime},E^{\prime})$ is a $\sigma$-reduced implication graph structure for $F$.
(b) We have $G^{\prime}\preceq G$.
(c) The graph $(V^{\prime},E^{\prime})$ is acyclic.

Proof.

First note that if the procedure terminates in Line $3$ , the output is correct by Proposition 4.12.b. Thus we may assume that the procedure does not terminate in Line 3.

The tuples $(L^{\prime},V^{\prime},E^{\prime})$ and $(L^{\prime}\cup L_{\mathtt{SCC}},V^{\prime},E^{\prime})$ in Lines 1 and 6 are implication graph structures for $F$ with $(L^{\prime},V^{\prime},E^{\prime})\preceq(L,V,E)$ by Propositions 4.8 and 4.12. Moreover, if $L_{\mathtt{SCC}}\neq\emptyset$ then it contains at least one linear polynomial $f$ with $\operatorname{LT}_{\sigma}(f)\notin\operatorname{LT}_{\sigma}(L^{\prime})$, as $(L^{\prime},V^{\prime},E^{\prime})$ is a $\sigma$-reduced IGS. This shows $(L^{\prime}\cup L_{\mathtt{SCC}},V^{\prime},E^{\prime})\prec(L^{\prime},V^{\prime},E^{\prime})$.

Next we observe that the repeated iterations of Lines $1$ - $6$ yield a strictly descending chain of IGSs which has to become stationary after finitely many steps by Lemma 4.7. Therefore we eventually have $L_{\mathtt{SCC}}=\emptyset$ , and the procedure terminates in Line $7$ . In that case, the graph $(V^{\prime},E^{\prime})$ cannot contain any cycles, as otherwise there would be a strongly connected component, and hence Line 5 would create elements in $L_{\mathtt{SCC}}$ .

Finally, note that $(L^{\prime},V^{\prime},E^{\prime})$ is $\sigma$ -reduced by Proposition 4.8 and the fact that this tuple is not changed in the last iteration of Lines 2-6. ∎
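The step in Lines 2-5 of $\mathtt{crGGCP}$ can be illustrated by a small Python sketch. It is not the authors' implementation: it assumes (purely for illustration) that a lineral is stored as an integer bitmask whose bit $0$ is the constant term and whose bit $i$ is the coefficient of $x_{i}$, so that addition in ${\mathbb{L}}_{n}$ is the bitwise XOR. The function names are hypothetical, and the call to $\mathtt{GGCP}$ is left out.

```python
from collections import defaultdict


def strongly_connected_components(vertices, edges):
    """Kosaraju's algorithm, written iteratively; returns a list of SCCs."""
    succ, pred = defaultdict(list), defaultdict(list)
    for u, v in edges:
        succ[u].append(v)
        pred[v].append(u)

    # Pass 1: record the vertices in order of DFS completion.
    order, seen = [], set()
    for root in vertices:
        if root in seen:
            continue
        seen.add(root)
        stack = [(root, iter(succ[root]))]
        while stack:
            node, it = stack[-1]
            nxt = next((w for w in it if w not in seen), None)
            if nxt is None:
                order.append(node)
                stack.pop()
            else:
                seen.add(nxt)
                stack.append((nxt, iter(succ[nxt])))

    # Pass 2: sweep the reversed graph in reverse completion order.
    components, assigned = [], set()
    for root in reversed(order):
        if root in assigned:
            continue
        assigned.add(root)
        component, todo = [], [root]
        while todo:
            node = todo.pop()
            component.append(node)
            for w in pred[node]:
                if w not in assigned:
                    assigned.add(w)
                    todo.append(w)
        components.append(component)
    return components


def scc_linear_polynomials(vertices, edges):
    """Return the set L_SCC, or None if the number of SCCs is odd (UNSAT)."""
    components = strongly_connected_components(vertices, edges)
    if len(components) % 2 == 1:
        return None
    learnt = set()
    for component in components:
        f1 = component[0]
        for fi in component[1:]:
            learnt.add(f1 ^ fi)  # f_1 + f_i over F_2
    return learnt


# x1 = 0b010, x2 = 0b100; the cycle x1 -> x2 -> x1 and its skew-symmetric copy.
X1, X2 = 0b010, 0b100
example = scc_linear_polynomials(
    [X1, X1 ^ 1, X2, X2 ^ 1],
    [(X1, X2), (X2, X1), (X2 ^ 1, X1 ^ 1), (X1 ^ 1, X2 ^ 1)],
)
```

In this toy graph both components yield the same polynomial $x_{1}+x_{2}$, which is why the result is collected in a set.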

As a second in-processing technique, we adapt the concept of failed literals, as discussed in [25], to our more general setting.

Definition 4.14.

Let $F$ be a formula in 2-XNF, and let $G=(L,V,E)$ be an implication graph structure for $F$ .

(a) A vertex $f\in V$ is called a failed lineral of $G$ if $1\in\Delta_{f}$.
(b) A failed lineral $f\in V$ of $G$ is called trivial if there is an element $g\in V$ with $f\to g$, and with $f\to g+1$ or $f\to f+1$.

These linerals are of interest for in-processing, provided they can be found efficiently, since for every failed lineral we learn a new linear polynomial in $I_{F}$ in the following way.

Lemma 4.15.

Let $F$ be a formula in 2-XNF, and let $G=(L,V,E)$ be an IGS for $F$ . If $f\in V$ is a failed lineral of $G$ , then $f+1\in I_{F}$ .

Proof.

Let $f$ be a failed lineral of $G$ . Then $1\in\Delta_{f}$ yields $f+1\in\Delta_{f}$ . Using Proposition 4.10.c and $f+1\in\Delta_{f+1}$ , we get $f+1\in\Delta_{f}\cap\Delta_{f+1}\subseteq I_{F}$ . ∎

To find a failed lineral, it is sufficient to check whether the vector subspace $\Delta_{f}$ contains the constant polynomial $1$ . This can be done for instance by computing the row-echelon form of a matrix in ${\mathbb{F}}_{2}^{\#D_{f}\times(n+1)}$ . Thus we obtain an in-processing algorithm which runs in polynomial time and space. However, trivial failed linerals can be found in near-linear time, as the next remark indicates.
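The membership test $1\in\Delta_{f}$ can be sketched as follows. This is a minimal illustration under stated assumptions, not the authors' code: linerals are again encoded as integer bitmasks (bit $0$ is the constant term, bit $i$ the coefficient of $x_{i}$), $D_{f}$ is taken to be $f$ together with all vertices reachable from $f$, and the row-echelon form is maintained as an XOR basis indexed by leading bit. All function names are hypothetical.

```python
def reduce_vector(basis, v):
    """Reduce v against an echelon basis {leading bit: vector} over F_2."""
    while v:
        lead = v.bit_length() - 1
        if lead not in basis:
            return v
        v ^= basis[lead]
    return 0


def span_contains(vectors, target):
    """Decide whether target lies in the F_2-span of the given vectors."""
    basis = {}
    for v in vectors:
        r = reduce_vector(basis, v)
        if r:
            basis[r.bit_length() - 1] = r
    return reduce_vector(basis, target) == 0


def descendants(f, succ):
    """Return f together with all vertices reachable from f."""
    seen, todo = {f}, [f]
    while todo:
        u = todo.pop()
        for w in succ.get(u, ()):
            if w not in seen:
                seen.add(w)
                todo.append(w)
    return seen


def is_failed_lineral(f, succ):
    """Check 1 in Delta_f, the span of the descendants of f."""
    return span_contains(descendants(f, succ), 1)


# x1 -> x2, x1 -> x3 and x1 -> x2 + x3 + 1: the three targets sum to 1.
X1, X2, X3 = 0b0010, 0b0100, 0b1000
succ = {X1: [X2, X3, X2 ^ X3 ^ 1]}
```

Here $x_{1}$ is a failed lineral that is not trivial in the sense of Definition 4.14.b, since no vertex $g$ is reached together with $g+1$; it is detected only by the linear algebra step.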

For an implication graph structure $(L,V,E)$ for a formula $F$ in 2-XNF, we denote the set of ancestors of a vertex $f\in V$ by

A_{f}\;=\;\{f\}\cup\{g\in V\mid\text{there is a path }g\to f\text{ in }(V,E)\}.

Remark 4.16.

Let $F$ be a formula in 2-XNF, and let $(L,V,E)$ be an acyclic implication graph structure for $F$ .

(a) For every $g\in V$, all common ancestors of $g$ and $g+1$, i.e., the elements of $A_{g}\cap A_{g+1}$, are trivial failed linerals by definition. Conversely, every trivial failed lineral $f\in V$ is contained in $A_{g}\cap A_{g+1}$ for some $g\in V$. Thus the set $\bigcup_{g\in V}(A_{g}\cap A_{g+1})$ consists exactly of the trivial failed linerals of $(L,V,E)$.
(b) If $g\in V$ is a failed lineral then every $f\in A_{g}$ is a failed lineral as well, since $D_{g}\subseteq D_{f}$. Thus, instead of searching for all common ancestors of $g$ and $g+1$, it suffices to find the so-called lowest common ancestors, i.e., the vertices $f\in V$ such that no out-neighbour of $f$ is a common ancestor of both $g$ and $g+1$.
(c) For sparse graphs, one of the lowest common ancestors of two vertices can be found in constant time after a near-linear time pre-processing phase, see [15]. This produces many, but in general not all, trivial failed linerals rather quickly under the assumption that the graph $(V,E)$ is sparse (see Remark 4.4).

Our implementation does not feature this advanced method for finding trivial failed linerals, as the corresponding algorithms seem hard to implement. Instead we resort to the following simple Algorithm 7 which can be implemented using only breadth-first-searches (BFS). Moreover, unlike the method of the previous remark, it computes all trivial failed linerals.

Input: An acyclic IGS $G$ for a 2-XNF formula $F$
Output: All trivial failed linerals $L_{\mathtt{TF}}$ of $G$
1 Write $G=(L,V,E)$, let $M=\emptyset$, and let $L_{\mathtt{TF}}=\emptyset$.
2 Compute the set $S$ of sources of $(V,E)$.
3 for $s\in S$ do
4     if $s+1\in D_{s}$ then append $(s,s+1)$ to $M$.
5     for all $g\in V$ with $s\to g$ and $s\to g+1$ do append $(s,g)$ to $M$.
6 for $(s,g)\in M$ do
7     Append all common ancestors of $g$ and $g+1$ to $L_{\mathtt{TF}}$.
8 return $L_{\mathtt{TF}}$

Algorithm 7 $\mathtt{tFLS}$ – Trivial Failed Lineral Search

Proposition 4.17.

Let $F$ be a formula in $2$-XNF, and let $G$ be an acyclic implication graph structure for $F$. Then $\mathtt{tFLS}$ is an algorithm which returns a set $L=\mathtt{tFLS}(G)$ that contains all trivial failed linerals of $G$ and satisfies $1+L\subseteq I_{F}$.

Moreover, the algorithm can be implemented to run in $\operatorname{\mathcal{O}}(\#S\cdot(\#V+\#E))$ time and space, where $S$ is the set of sources in $(V,E)$.

Proof.

The finiteness of the procedure is clear, since the graph $(V,E)$ is finite. The correctness follows from Remark 4.16 and the fact that in Line $7$ the elements of $L_{\mathtt{TF}}$ are exactly the common ancestors of vertices $g$ and $g+1$ for all $g\in V$. Now $L+1\subseteq I_{F}$ follows immediately from Lemma 4.15. The claimed run-time complexity is a consequence of the observation $\#M\leq\#S$ and the facts that Lines $4$-$5$ can be implemented by a single BFS starting at $s$, and that Line $7$ amounts to two BFSs starting at $g$ and $g+1$ on the graph with reversed edges. ∎
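The BFS-based search can be sketched in Python as follows. The sketch makes several assumptions that are not taken from the paper: linerals are integer bitmasks (bit $0$ is the constant term, so $f+1$ is `f ^ 1`), $D_{s}$ contains $s$ itself, and instead of the pairs $(s,g)$ only the vertices $g$ are recorded, since the source $s$ is not needed afterwards. The function names are hypothetical.

```python
from collections import deque


def reachable(start, adjacency):
    """Breadth-first search; returns start together with all reached vertices."""
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for w in adjacency.get(u, ()):
            if w not in seen:
                seen.add(w)
                queue.append(w)
    return seen


def trivial_failed_linerals(vertices, edges):
    """Collect the common ancestors of g and g+1 for all marked vertices g."""
    succ, pred = {}, {}
    for u, v in edges:
        succ.setdefault(u, []).append(v)
        pred.setdefault(v, []).append(u)

    # One forward BFS per source; mark g if both g and g+1 are reached.
    # The case g = s covers the test s+1 in D_s.
    sources = [v for v in vertices if v not in pred]
    marked = set()
    for s in sources:
        d_s = reachable(s, succ)
        for g in d_s:
            if g ^ 1 in d_s:
                marked.add(min(g, g ^ 1))

    # Two backward BFSs per marked vertex on the graph with reversed edges.
    failed = set()
    for g in marked:
        failed |= reachable(g, pred) & reachable(g ^ 1, pred)
    return failed


# x1 -> x2 and x1 -> x2+1, together with the skew-symmetric edges.
X1, X2, X3 = 0b0010, 0b0100, 0b1000
vertices = [X1, X1 ^ 1, X2, X2 ^ 1, X3, X3 ^ 1]
edges = [(X1, X2), (X2 ^ 1, X1 ^ 1), (X1, X2 ^ 1), (X2, X1 ^ 1)]
result = trivial_failed_linerals(vertices, edges)
```

In this example the only trivial failed lineral is $x_{1}$, so $x_{1}+1\in I_{F}$ is learnt.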

To end this section we remark that our pre-processing algorithm $\mathtt{PP}$ is superior to our in-processing methods in that it learns at least the same linear information, but might also increase the number of edges of the implication graph.

Remark 4.18.

Let $\sigma$ be a term ordering, let $F$ be a formula in $2$ -XNF, let $G$ be an IGS for $F$ , and let $G^{\prime}=(L^{\prime},V^{\prime},E^{\prime})=\mathtt{PP}_{\sigma}(G)$ . Then we have $1+\mathtt{tFLS}(G)\subseteq\langle L^{\prime}\rangle_{\mathbb{F}_{2}}$ and $G^{\prime}\preceq\mathtt{crGGCP}(G)$ .

This follows immediately from the fact that $\mathtt{tFLS}$ is based on Lemma 4.15 whose proof already shows that all failed linerals are contained in $\Delta_{f}\cap\Delta_{f+1}\subseteq I_{F}$ for some $f\in V$ . Thus these linerals are also found by $\mathtt{PP}$ .

Similarly, Algorithm $\mathtt{crGGCP}$ is based on Proposition 4.12 whose proof shows that all linear polynomials which can be learnt here are already contained in $\Delta_{f}\cap\Delta_{f+1}$ for some $f\in V$ . Once again, these linerals are found and propagated by $\mathtt{PP}$ . Altogether, we see that $\mathtt{PP}$ essentially emulates both $\mathtt{crGGCP}$ and $\mathtt{tFLS}$ . As a consequence, Algorithm $\mathtt{PP}$ also ensures that its output implication graph structure $G^{\prime}$ is acyclic.

While this shows that pre-processing with $\mathtt{PP}$ is more powerful than in-processing with $\mathtt{tFLS}$ and $\mathtt{crGGCP}$ , keep in mind that it is also rather expensive due to its polynomial runtime.

Example 4.19.

Let $(L_{1},V_{1},E_{1})$ be the IGS from Example 4.11. Then we have $\mathtt{tFLS}(L_{1},V_{1},E_{1})=\{x_{2}\}$, since there is a path $x_{2}\to x_{2}+1$ (see Figure 2). This shows that $x_{2}$ is a failed lineral and we get $x_{2}+1\in I_{F}$. An application of $\mathtt{GGCP}_{\mathtt{lex}}$ to $(L_{1}\cup\{x_{2}+1\},V_{1},E_{1})$ yields the IGS $(L_{2},V_{2},E_{2})$ where $L_{2}=\{x_{1}+1,\,x_{2}+1\}$ and $(V_{2},E_{2})$ is given in Figure 3.

Figure 3. Implication graph $(V_{2},E_{2})$ from Example 4.19.

Notice that $(V_{2},E_{2})$ has two strongly connected components. Thus we can use Proposition 4.12.a with the SCC $\{x_{3},\,x_{4},\,x_{5}\}$ to get $x_{3}+x_{5},\,x_{4}+x_{5}\in I_{F}$ . Another application of $\mathtt{GGCP}_{\mathtt{lex}}$ to $(L_{2}\cup\{x_{3}+x_{5},\,x_{4}+x_{5}\},V_{2},E_{2})$ yields the IGS $(L_{3},\emptyset,\emptyset)$ for $F$ with $L_{3}=\{x_{1}+1,\,x_{2}+1,\,x_{3}+x_{5},\,x_{4}+x_{5}\}$ . By definition we now have $I_{F}=\langle L_{3}\rangle$ , i.e., a solution of $F$ can be found by solving a system of linear equations.

Note that this is exactly the IGS that is also derived by applying $\mathtt{PP}_{\mathtt{lex}}$ to $(L_{0},V_{0},E_{0})$ from Example 4.5.

4.4. Decision Heuristics

Before we introduce our main DPLL-Solving Algorithm in the final subsection, we discuss decision heuristics, i.e., methods to make good guesses. First of all, let us define what we precisely mean when we talk about decisions.

Definition 4.20.

Let $F$ be a formula in $2$ -XNF, and let $G=(L,V,E)$ be an IGS for $F$ . A decision for $G$ is a tuple $(L_{0},L_{1})$ with $L_{0},L_{1}\subseteq{\mathbb{L}}_{n}$ such that the following conditions are satisfied.

(a) $L_{0}\setminus\langle L\rangle_{\mathbb{F}_{2}}\neq\emptyset$ and $L_{1}\setminus\langle L\rangle_{\mathbb{F}_{2}}\neq\emptyset$.
(b) $\operatorname{\mathcal{Z}}(I_{F})\subseteq\operatorname{\mathcal{Z}}(I_{F}+\langle L_{0}\rangle)\cup\operatorname{\mathcal{Z}}(I_{F}+\langle L_{1}\rangle)$.

These conditions ensure that guessing either $L_{0}$ or $L_{1}$ will lead to a solution of $F$, if one exists at all. Moreover, a decision $(L_{0},L_{1})$ for $G=(L,V,E)$ has the property that $G_{0}=(L\cup L_{0},V,E)$ and $G_{1}=(L\cup L_{1},V,E)$ satisfy $G\succ G_{0}$ and $G\succ G_{1}$, i.e., both parts of the decision improve our implication graph structure.

Traditionally, CNF-based SAT solvers use decisions of the form $(\{x_{i}\},\,\{x_{i}+1\})$ or $(\{x_{i}+1\},\,\{x_{i}\})$ . Our more general point of view on decisions allows us to guess multiple linerals at once. Before we explicitly suggest three decision heuristics, let us consider the following general constructions.

Proposition 4.21.

Let $\sigma$ be a term ordering, let $F$ be a formula in $2$ -XNF, and let $G=(L,V,E)$ be a $\sigma$ -reduced IGS for $F$ .

(a) For every $f\in V$, the tuple $(D_{f},D_{f+1})$ is a decision for $G$.
(b) If $f_{1}\to\dots\to f_{r}$ is a path in $G$ then $(\{f_{1}+f_{i}\mid i\in\{2,\dots,r\}\},\,\{f_{1}+1,f_{r}\})$ is a decision for $G$.

Proof.

Let $f\in V$. Then the fact that $G$ is $\sigma$-reduced yields $f,f+1\notin\langle L\rangle_{\mathbb{F}_{2}}$. For every $a\in\operatorname{\mathcal{Z}}(I_{F})$, we have $f(a)=1$ or $f(a)=0$. This shows that $(\{f\},\{f+1\})$ is a decision for $G$. Now it suffices to note that $I_{F}+\langle f\rangle=I_{F}+\Delta_{f}=I_{F}+\langle D_{f}\rangle_{\mathbb{F}_{2}}$ by Proposition 4.10 and Remark 4.2.

Next we let $f_{1}\to\dots\to f_{r}$ be a path as in (b). Then we have $f_{1}+f_{r},f_{r}\notin\langle L\rangle_{\mathbb{F}_{2}}$ , since $G$ is $\sigma$ -reduced. Consider a point $a\in\operatorname{\mathcal{Z}}(I_{F})$ . If $((f_{r}+1)f_{1})(a)=1$ then $f_{r}(a)=0$ and $f_{1}(a)=1$ , i.e., we have $a\in\operatorname{\mathcal{Z}}(I_{F}+\langle f_{1}+1,f_{r}\rangle)$ . Otherwise, we have $((f_{r}+1)f_{1})(a)=0$ . In this case $a$ is a zero of $(f_{r}+1)f_{1}$ . Using Proposition 4.10, we deduce from $a\in\operatorname{\mathcal{Z}}(I_{F})$ that $a$ is a zero of $(f_{i}+1)f_{j}$ for all $i,j\in\{1,\dots,r\}$ with $i<j$ , as there is a path $f_{i}\to f_{j}$ in $G$ .

It follows that $(f_{i}+1)f_{r}\cdot f_{1}+(f_{r}+1)f_{1}\cdot(f_{i}+1)=(f_{i}+1)f_{1}$ vanishes at $a$ for all $i\in\{1,\dots,r\}$ . This shows that the point $a$ is a zero of $(f_{1}+1)f_{i}+(f_{i}+1)f_{1}=f_{1}+f_{i}$ for all $i\in\{2,\dots,r\}$ . Finally, we get that $a\in\operatorname{\mathcal{Z}}(I_{F}+\langle f_{1}+f_{i}\mid i\in\{2,\dots,r\}\rangle)$ , and the claim follows. ∎

This proposition allows us to introduce several simple decision heuristics. In the next section, we will see that they prove quite effective on certain types of inputs.

Remark 4.22 (Decision Heuristics).

Let $\sigma$ be a term ordering, let $F$ be a 2-XNF formula, and let $G=(L,V,E)$ be a $\sigma$-reduced acyclic IGS for $F$.

MaxReach. Find a source $f\in V$ such that the number of paths starting at $f$ is maximal. Then we consider the decision $(D_{f},\{f+1\})$. Since $f$ is a source, the vertex $f$ has no in-going edges. Thus the skew-symmetry of $G$ implies that $f+1$ has no out-going edges. This yields $D_{f+1}=\{f+1\}$.

MaxBottleneck. Instead of focusing on the first part of the decisions, another approach is to find $f\in V$ such that the sum of the number of paths ending in $f$ and the number of paths starting at $f$ is maximal. Then we consider the decision $(D_{f},D_{f+1})$ .

MaxPath. Let $f_{1}\to\dots\to f_{r}$ be a maximal path in $(V,E)$. Then we consider the decision $(\{f_{1}+f_{i}\mid 2\leq i\leq r\},\,\{f_{1}+1,f_{r}\})$ from Proposition 4.21.b. Conceptually speaking, this means that instead of guessing vertices in the graph, we guess the edge $f_{r}\to f_{1}$, i.e., the polynomial $(f_{r}+1)f_{1}$. In view of the proof of Proposition 4.21 and of Remark 4.2, this yields a strongly connected component of $(V,E)$.

While the first two of these heuristics are close to the classical approach to decisions, the MaxPath heuristic is a rather new one. Note, however, that these heuristics are just some initial suggestions and should be combined with well-studied heuristics of established CDCL SAT solvers. Unfortunately, the adaptions of those heuristics to linerals are not straightforward.

The heuristics suggested in the previous remark are designed such that we can compute them efficiently, i.e., in linear time and space. Let us give some more information on how this can be done.

Remark 4.23 (Efficient Implementation of Decision Heuristics).

Recall that a topological ordering of a directed acyclic graph $(V,E)$ is a linear ordering $\triangleleft$ of $V$ such that $(f,g)\in E$ implies $f\triangleleft g$ , and that such an ordering can be computed in linear time and space (see [5]).

MaxReach. For $f\in V$ , denote the number of paths starting at $f$ by $p_{f}$ . Then we have $p_{f}=1+\sum_{(f,g)\in E}\,p_{g}$ for every $f\in V$ . This means that traversing the graph in a reverse topological order once allows us to find $p_{f}$ for all $f\in V$ . In particular, the vertex $f\in V$ which maximizes $p_{f}$ can be found in linear time.

MaxBottleneck. Similarly, we can find the number of paths ending in each vertex $f\in V$ by a single traversal of the graph in topological order. Thus the vertex $f\in V$ which has the most paths starting and ending in $f$ can be found by a total of two graph traversals.

MaxPath. For $f\in V$, denote the length of the longest path starting at $f$ by $\ell_{f}$. Then we have $\ell_{f}=1+\max_{(f,g)\in E}\ell_{g}$ for every vertex $f$ with at least one out-going edge. The values $\ell_{f}$ for all $f\in V$ can now be computed by a single traversal of the graph in a reverse topological order. By storing at every vertex $f\in V$ a vertex $g\in V$ with $(f,g)\in E$ for which $\ell_{g}$ is largest, the path of length $\ell_{f}$ starting at $f$ can be recovered in linear time. Altogether, the MaxPath heuristic can be implemented in linear time and space.
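The recurrences for $p_{f}$ and $\ell_{f}$ can be evaluated in one pass, as the following Python sketch indicates. It assumes that the DAG is given by a successor dictionary, that path lengths are counted in edges, and that $\ell_{f}=0$ for vertices without out-going edges; the base case is a convention chosen here. The function names are hypothetical.

```python
def topological_order(vertices, succ):
    """Kahn's algorithm; assumes that the graph is acyclic."""
    indegree = {v: 0 for v in vertices}
    for u in vertices:
        for w in succ.get(u, ()):
            indegree[w] += 1
    ready = [v for v in vertices if indegree[v] == 0]
    order = []
    while ready:
        u = ready.pop()
        order.append(u)
        for w in succ.get(u, ()):
            indegree[w] -= 1
            if indegree[w] == 0:
                ready.append(w)
    return order


def path_statistics(vertices, succ):
    """Return (p, ell, best): path counts, longest path lengths, next hops."""
    p, ell, best = {}, {}, {}
    for f in reversed(topological_order(vertices, succ)):
        outs = succ.get(f, ())
        p[f] = 1 + sum(p[g] for g in outs)
        # Remember a successor that starts a longest path from f.
        best[f] = max(outs, key=lambda g: ell[g], default=None)
        ell[f] = 0 if best[f] is None else 1 + ell[best[f]]
    return p, ell, best


def longest_path_from(f, best):
    """Follow the stored successors to recover a longest path from f."""
    path = [f]
    while best[path[-1]] is not None:
        path.append(best[path[-1]])
    return path


succ = {1: [2, 3], 2: [4], 3: [4], 4: [5]}
p, ell, best = path_statistics([1, 2, 3, 4, 5], succ)
path = longest_path_from(1, best)
```

For MaxReach one would then pick a source maximizing `p`, and for MaxBottleneck the same pass is repeated on the reversed graph to count the paths ending in each vertex.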

4.5. Graph-based 2-XNF DPLL-Solving

Finally, we have all the tools at our disposal to present our graph-based 2-XNF solver which is based on the well-known DPLL-technique (see [17]).

Input: An IGS $(L,V,E)$ for a formula $F$ in 2-XNF, a term ordering $\sigma$
Output: $\mathtt{UNSAT}$ or an assignment $a\in\operatorname{\mathcal{S}}(F)$
1 Let $(L,V,E)=\mathtt{crGGCP}_{\sigma}(L,V,E)$. // propagation
2 Let $L_{\mathtt{FL}}=\mathtt{tFLS}(L,V,E)$ and adjoin $1+L_{\mathtt{FL}}$ to $L$. // in-processing
3 if $L_{\mathtt{FL}}\neq\emptyset$ then go to Line 1
4 if $1\in\langle L\rangle_{\mathbb{F}_{2}}$ then return $\mathtt{UNSAT}$
5 if $E=\emptyset$ then return $a\in\operatorname{\mathcal{Z}}(L)\,\subseteq\,{\mathbb{F}}_{2}^{n}$
6 Use Remark 4.22 to compute a decision $(L_{0},L_{1})$ for $(L,V,E)$. // decision
7 if $\mathtt{G\_2XNF\_DPLL}_{\sigma}(L\cup L_{0},V,E)$ returns $a\in{\mathbb{F}}_{2}^{n}$ then return $a$
8 else return $\mathtt{G\_2XNF\_DPLL}_{\sigma}(L\cup L_{1},V,E)$

Algorithm 8 $\mathtt{G\_2XNF\_DPLL}$ – Graph-Based 2-XNF DPLL-Solver

Proposition 4.24.

Let $F$ be a formula in 2-XNF with an implication graph structure $(L,V,E)$ , and let $\sigma$ be a term ordering. Then $\mathtt{G{\_\kern 0.80002pt}2XNF{\_\kern 1.19995pt}DPLL}$ is an algorithm which returns $\mathtt{UNSAT}$ if and only if $\operatorname{\mathcal{S}}(F)=\emptyset$ . Otherwise, it returns an element $a\in\operatorname{\mathcal{S}}(F)$ .

Proof.

First notice that Line 1 ensures that the IGS $(L,V,E)$ is always $\sigma$ -reduced and acyclic. Hence Line 6 can be performed efficiently, as explained in Remark 4.23.

Next we show the finiteness of the procedure. In every iteration of Lines $1$-$3$ where $L_{\mathtt{FL}}\neq\emptyset$ the IGS $(L,V,E)$ decreases strictly w.r.t. $\prec$. By Lemma 4.7, we eventually reach $L_{\mathtt{FL}}=\emptyset$ in Line $3$, and the loop stops after finitely many steps. For the finiteness of the recursive calls observe that if $(L_{0},L_{1})$ is a decision for $(L,V,E)$ as in Line 6, then $\dim_{{\mathbb{F}}_{2}}\langle L\rangle_{\mathbb{F}_{2}}<\dim_{{\mathbb{F}}_{2}}\langle L\cup L_{0}\rangle_{\mathbb{F}_{2}}$ and $\dim_{{\mathbb{F}}_{2}}\langle L\rangle_{\mathbb{F}_{2}}<\dim_{{\mathbb{F}}_{2}}\langle L\cup L_{1}\rangle_{\mathbb{F}_{2}}$. This means that the dimension of $\langle L\rangle_{\mathbb{F}_{2}}$ increases strictly with every recursive call. Now it suffices to note that this dimension is bounded from above by $n+1$, and in case $\dim_{{\mathbb{F}}_{2}}\langle L\rangle_{\mathbb{F}_{2}}=n+1$ we have $1\in\langle L\rangle_{\mathbb{F}_{2}}$, i.e., the procedure terminates in Line 4.

To prove correctness, note that if the algorithm terminates in Line 4, then $F$ cannot have any solution since $\langle L\rangle_{\mathbb{F}_{2}}\subseteq I_{F}$. Similarly, if it terminates in Line 5, the implication graph must be empty and we get $I_{F}=\langle L\rangle$, i.e., $a\in\operatorname{\mathcal{Z}}(L)=\operatorname{\mathcal{Z}}(I_{F})=\operatorname{\mathcal{S}}(F)$. Next we show by downward induction on $d=\dim_{{\mathbb{F}}_{2}}\langle L\rangle_{\mathbb{F}_{2}}\in\{0,\dots,n+1\}$ that the output in all lines is correct. Note that $d=n+1$ implies $1\in\langle L\rangle_{\mathbb{F}_{2}}\subseteq I_{F}$, i.e., the algorithm terminates already in Line 4 and is correct by the above. Now suppose that the algorithm terminates correctly if $\dim_{{\mathbb{F}}_{2}}\langle L\rangle_{\mathbb{F}_{2}}>d$ for some $d\in\{0,\dots,n\}$, and let $\dim_{{\mathbb{F}}_{2}}\langle L\rangle_{\mathbb{F}_{2}}=d$. It suffices to consider the case where the algorithm terminates in Lines 7 or 8. Note that by definition of the decision $(L_{0},L_{1})$ from Line 6 we have $\operatorname{\mathcal{Z}}(I_{F})\subseteq\operatorname{\mathcal{Z}}(I_{F}+\langle L_{0}\rangle)\cup\operatorname{\mathcal{Z}}(I_{F}+\langle L_{1}\rangle)$, and as above the dimension of $\langle L\rangle_{\mathbb{F}_{2}}$ is strictly smaller than the dimensions of $\langle L\cup L_{0}\rangle_{\mathbb{F}_{2}}$ and $\langle L\cup L_{1}\rangle_{\mathbb{F}_{2}}$, respectively. Thus the recursive call in Line 7 terminates correctly, i.e., it returns $\mathtt{UNSAT}$ if and only if $\operatorname{\mathcal{Z}}(I_{F}+\langle L_{0}\rangle)=\emptyset$, and otherwise it returns $a\in\operatorname{\mathcal{Z}}(I_{F}+\langle L_{0}\rangle)\subseteq\operatorname{\mathcal{Z}}(I_{F})$.

If the algorithm does not terminate here, then we must have $\operatorname{\mathcal{Z}}(I_{F}+\langle L_{0}\rangle)=\emptyset$ and the algorithm terminates with the recursive call in Line 8. Analogous to the call in Line 7, we get $\mathtt{UNSAT}$ if and only if $\operatorname{\mathcal{Z}}(I_{F}+\langle L_{1}\rangle)=\emptyset$, which occurs if and only if $\operatorname{\mathcal{Z}}(I_{F})\subseteq\operatorname{\mathcal{Z}}(I_{F}+\langle L_{0}\rangle)\cup\operatorname{\mathcal{Z}}(I_{F}+\langle L_{1}\rangle)=\emptyset$. Otherwise it returns a satisfying assignment $a\in\operatorname{\mathcal{Z}}(I_{F}+\langle L_{1}\rangle)\,\subseteq\,\operatorname{\mathcal{Z}}(I_{F})=\operatorname{\mathcal{S}}(F)$ of $F$. ∎
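The recursion pattern of the proof can be made concrete by a deliberately simplified Python sketch. It is not $\mathtt{G\_2XNF\_DPLL}$ itself: there is no implication graph, no $\mathtt{crGGCP}$ and no $\mathtt{tFLS}$. Instead it assumes that a clause is given as a pair $(f,g)$ of linear polynomials of which at least one has to vanish, that polynomials are integer bitmasks (bit $0$ is the constant term), and that every decision has the classical form $(\{f\},\{f+1\})$. All function names are hypothetical.

```python
def reduce_vector(basis, v):
    """Reduce v against an echelon basis {leading bit: vector} over F_2."""
    while v:
        lead = v.bit_length() - 1
        if lead not in basis:
            return v
        v ^= basis[lead]
    return 0


def adjoin(basis, v):
    """Add v to the basis unless it already lies in the span."""
    r = reduce_vector(basis, v)
    if r:
        basis[r.bit_length() - 1] = r


def propagate(basis, clauses):
    """Drop satisfied clauses; learn g whenever f = 1 is forced (and vice versa)."""
    changed = True
    while changed:
        changed, rest = False, []
        for f, g in clauses:
            if reduce_vector(basis, f) == 0 or reduce_vector(basis, g) == 0:
                continue  # one factor vanishes already
            if reduce_vector(basis, f ^ 1) == 0:
                adjoin(basis, g)
                changed = True
            elif reduce_vector(basis, g ^ 1) == 0:
                adjoin(basis, f)
                changed = True
            else:
                rest.append((f, g))
        clauses = rest
    return clauses


def solve_linear(basis, n):
    """Return one common zero of the basis; free variables are set to 0."""
    a = [1] + [0] * n  # a[0] stands for the constant term
    for lead in sorted(basis):
        rest = basis[lead] ^ (1 << lead)
        a[lead] = sum(a[i] for i in range(lead) if rest >> i & 1) % 2
    return a[1:]


def dpll(basis, clauses, n):
    """Return a list [x_1, ..., x_n] or None if the instance is unsatisfiable."""
    basis = dict(basis)
    clauses = propagate(basis, clauses)
    if 0 in basis:  # the constant polynomial 1 lies in the span
        return None
    if not clauses:
        return solve_linear(basis, n)
    f = clauses[0][0]
    for guess in (f, f ^ 1):  # decision ({f}, {f+1})
        trial = dict(basis)
        adjoin(trial, guess)
        result = dpll(trial, clauses, n)
        if result is not None:
            return result
    return None


def evaluate(v, a):
    """Evaluate the linear polynomial v at the point a = [x_1, ..., x_n]."""
    return ((v & 1) + sum(a[i - 1] for i in range(1, len(a) + 1) if v >> i & 1)) % 2
```

As in the proof of Proposition 4.24, every recursive call strictly increases the dimension of the span, because the decision polynomial $f$ is taken from a clause for which neither $f$ nor $f+1$ lies in $\langle L\rangle_{\mathbb{F}_{2}}$.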

To obtain an efficient implementation we need appropriate data structures which support fast backtracking. The following method allows us to avoid creating a copy of the entire implication graph structures in the recursive calls of Lines $7$ and $8$ .

Remark 4.25 (Data Structures for Implication Graph Structures).

In order to store an implication graph structure $(L,V,E)$ internally, it is beneficial to actually store a graph $(V^{\prime},E^{\prime})$ based on integer vertices $V^{\prime}\subseteq{\mathbb{Z}}$ and a map $\lambda:\;V^{\prime}\to{\mathbb{L}}_{n}$ such that $V=\lambda(V^{\prime})$ and such that $E=\{\,(\lambda(v),\lambda(w))\mid(v,w)\in E^{\prime}\}$ .

Let us suggest two data structures, one for the labeling map $\lambda$ , and one for the graph $(V^{\prime},E^{\prime})$ which are tailored towards efficient backtracking.

(a) To efficiently represent $\lambda$, we use a prefix tree, i.e., a tree whose non-root vertices are elements of $\{1,x_{1},\dots,x_{n}\}$, where the children of every node are bigger than their parent w.r.t. a term ordering $\sigma$, and where the root is $t_{0}=0$. Then every vertex $v\in V^{\prime}$ is associated to a vertex $\eta(v)$ of the tree such that the unique path starting at the root $t_{0}\to\dots\to t_{r}=\eta(v)$ satisfies $\lambda(v)=t_{0}+\dots+t_{r}$.

Note that insertion can be performed in amortized linear time in the size of $\operatorname{Supp}(\lambda(v))$ if the children are accessed by hash maps, and deletion can be performed in constant time. If $\lambda$ needs to be copied, it suffices to copy $\eta(v)$ for every $v\in V^{\prime}$. The actual linear polynomials $\lambda(v)$ are not copied. For the backtracking, we simply replace $\eta$ internally, and the previous $\lambda$ is restored immediately.
(b) For the graph itself, we suggest using a modified lean hybrid graph representation, as devised in [1, 2, 3]. This data structure was proposed only for undirected graphs, but an extension to directed skew-symmetric graphs is possible. The data structure is rather advanced and allows backtracking of edge deletions and vertex contractions in constant time. In particular, it allows us to store any state of the graph with a space complexity of $\operatorname{\mathcal{O}}(\#V)$. Backtracking to such a previous state has complexity $\operatorname{\mathcal{O}}(\#V)$.

Altogether, it is possible to implement the algorithm with a space complexity of $\operatorname{\mathcal{O}}((n+1)\cdot\#V+\#E)$ , where $(V,E)$ is part of the initial trivial IGS.
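To illustrate part (a) of the remark, here is a minimal Python sketch of such a prefix tree. The encoding is an assumption made for this example only: the term $1$ is represented by the integer $0$, the indeterminate $x_{i}$ by the integer $i$, and the ordering $\sigma$ is taken to be the natural order on these integers. The class and method names are hypothetical, and deletion is omitted.

```python
class Node:
    """A tree vertex carrying one term; the root carries no term."""
    __slots__ = ("term", "parent", "children")

    def __init__(self, term, parent):
        self.term = term
        self.parent = parent
        self.children = {}  # hash map: term -> child node


class PrefixTree:
    def __init__(self):
        self.root = Node(None, None)

    def insert(self, terms):
        """Insert a lineral given by its support; return its end node."""
        node = self.root
        for t in sorted(terms):
            child = node.children.get(t)
            if child is None:
                child = Node(t, node)
                node.children[t] = child
            node = child
        return node

    @staticmethod
    def lineral(node):
        """Recover the support of the lineral stored at the given node."""
        terms = []
        while node.parent is not None:
            terms.append(node.term)
            node = node.parent
        return frozenset(terms)


tree = PrefixTree()
eta = {
    "v": tree.insert({0, 1, 3}),  # 1 + x1 + x3
    "w": tree.insert({0, 1}),     # 1 + x1, shares the prefix 1 -> x1
}
saved_eta = dict(eta)             # copies node references only
eta["v"] = tree.insert({2})       # relabel vertex v with x2
restored = PrefixTree.lineral(saved_eta["v"])
```

Storing a state amounts to copying the dictionary `eta`, i.e., one reference per vertex, which reflects the remark that the linear polynomials themselves are never copied.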

Notice that $\mathtt{G{\_\kern 0.80002pt}2XNF{\_\kern 1.19995pt}DPLL}$ is based on the well-known DPLL framework. An extension to a conflict-driven clause learning (CDCL) directive encounters the following obstacles.

Remark 4.26 (Conflict-Driven XNF Clause Learning).

Although the 2-XNF theory originates from the $\mathtt{s\text{-}Res}$ proof system which in turn is a generalization of classical resolution, it is not easy to extend conflict-driven clause learning to 2-XNF instances. This is mainly due to two problems:

(1) The resolvent of two clauses may be the zero clause, i.e., resolving the conflict clause may lead to a clause that is trivially satisfied (see [26]).
(2) In general, the resolvent is not in 2-XNF, i.e., it cannot be added to the implication graph structure in a straightforward way.

Overcoming these obstacles is an important objective of future research, because CDCL techniques promise significant speed-ups of XNF solvers.

5. Experiments and Timings

In this section we evaluate the methods of Section 4 on random 2-XNF instances and on instances coming from round-reduced $\mathtt{Ascon\text{-}128}$ key-recovery attacks. For comparison, we ran our $\mathtt{C\text{++}}$ implementation of Algorithm $\mathtt{G{\_\kern 0.80002pt}2XNF{\_\kern 1.19995pt}DPLL}$ , which we named $\mathtt{2\text{-}Xornado}$ , against SAT solvers with XOR support, i.e., CNF-based SAT solvers that can read and process XOR constraints on the variables natively. We say that formulas of the type processed by these solvers are in CNF-XOR.

State-of-the-art SAT solvers that support CNF-XOR input are $\mathtt{CryptoMiniSat}$ (see [39]), an established CDCL-based solver, and $\mathtt{xnfSAT}$ (see [36]), which is based on a stochastic local search approach, i.e., it can only be used on satisfiable instances. (Note that $\mathtt{xnfSAT}$ , despite its name, cannot work with XNFs as introduced in this article. It only supports CNF-XOR instances.) To use these solvers on XNF instances, we use the following reduction.

Remark 5.1.

Let $F$ be a 2-XNF formula involving $n$ variables. Then we can write the XNF clauses of $F$ as $C_{1},\dots,C_{r}$ , $L_{1},\dots,L_{s}$ , where $C_{i}=L_{i,1}\lor L_{i,2}$ with linerals $L_{i,j}$ , and where $L_{1},\dots,L_{s}$ are already linerals. Now we introduce $2r$ additional variables $Y_{i,j}$ and consider the CNF-XOR formula $G$ consisting of the clauses $C^{\prime}_{i}=Y_{i,1}\lor Y_{i,2}$ , the XOR constraints $\neg Y_{i,j}\oplus L_{i,j}$ for $i\in\{1,\dots,r\}$ and $j\in\{1,2\}$ , and the original XOR constraints $L_{1},\dots,L_{s}$ . Then we have $\operatorname{\mathcal{Z}}(F)\equiv_{n}\operatorname{\mathcal{Z}}(G)$ .
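The reduction of this remark can be sketched in Python as follows. The data layout is an assumption for illustration: a lineral is a pair consisting of a set of variable indices and a constant in $\{0,1\}$, and it is true if the XOR of its variables and its constant equals $1$. An XOR constraint is returned as a pair (variables, right-hand side). The brute-force helpers only serve to check the projection property on a tiny instance, and all names are hypothetical.

```python
from itertools import product


def xnf_to_cnf_xor(clauses, n):
    """Translate 2-XNF clauses into CNF clauses plus XOR constraints."""
    cnf, xors, next_var = [], [], n + 1
    for clause in clauses:
        if len(clause) == 1:
            variables, constant = clause[0]
            # The lineral must be true: XOR(variables) = 1 + constant.
            xors.append((sorted(variables), 1 ^ constant))
            continue
        fresh = []
        for variables, constant in clause:
            y = next_var
            next_var += 1
            # Y equals the lineral, i.e. XOR(variables, Y) = constant.
            xors.append((sorted(variables) + [y], constant))
            fresh.append(y)
        cnf.append(fresh)
    return cnf, xors, next_var - 1


def lineral_value(lineral, a):
    variables, constant = lineral
    return (sum(a[v] for v in variables) + constant) % 2


def xnf_solutions(clauses, n):
    """All assignments of x_1..x_n satisfying the XNF clauses (brute force)."""
    sols = set()
    for bits in product((0, 1), repeat=n):
        a = (0,) + bits  # a[i] is the value of variable i
        if all(any(lineral_value(l, a) for l in c) for c in clauses):
            sols.add(bits)
    return sols


def cnf_xor_solutions_projected(cnf, xors, total, n):
    """Solutions of the CNF-XOR formula, projected to the first n variables."""
    sols = set()
    for bits in product((0, 1), repeat=total):
        a = (0,) + bits
        ok_cnf = all(any(a[y] for y in c) for c in cnf)
        ok_xor = all(sum(a[v] for v in vs) % 2 == rhs for vs, rhs in xors)
        if ok_cnf and ok_xor:
            sols.add(bits[:n])
    return sols


# F = (x1+x2  OR  x2+x3+1)  AND  (x1+x3+1)
F = [(({1, 2}, 0), ({2, 3}, 1)), (({1, 3}, 1),)]
cnf, xors, total = xnf_to_cnf_xor(F, 3)
```

Writing the result to a solver-specific input file is left out on purpose, since the concrete syntax of XOR constraints depends on the solver.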

Furthermore, a 2-XNF instance can also be seen as a system of quadratic Boolean polynomial equations that can be solved by an algebraic solver such as $\mathtt{PolyBoRi}$ (see [9]). This package offers an implementation of the Buchberger algorithm adapted to Boolean polynomial rings and employs highly optimized data structures. Additionally, we consider the solver $\mathtt{Bosphorus}$ (see [11]), which employs both algebraic and logical reasoning, and processes ANF (and CNF) input. For instances with fewer than $40$ variables, we also compare the solvers to $\mathtt{xnf{\_\kern 1.00006pt}bf}$ , our $\mathtt{C\text{++}}$ implementation of a brute-force XNF solver. Finally, we also consider the winner of the 2023 SAT competition $\mathtt{SBVA{\text{-}}CaDiCaL}$ (see [22]) which processes CNF inputs. The CNF files were generated from the CNF-XOR representation by converting the additional XOR constraints on the variables to a set of CNF clauses. Since a direct encoding of long XORs results in exponentially many CNF clauses, they are split using new variables such that we only consider direct encodings of XOR constraints involving at most $5$ variables. This corresponds to a linear encoding with cutting number $5$ (see [36]).
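The splitting of long XOR constraints can be sketched as follows. This Python fragment shows one possible reading of a linear encoding with cutting number $5$ and is not taken from [36] or from the scripts used for the experiments. An XOR constraint is a list of variable indices together with a right-hand side, CNF literals are signed integers in the usual DIMACS style, and the function names are hypothetical.

```python
from itertools import product


def split_xor(variables, rhs, next_var, cut=5):
    """Split XOR(variables) = rhs into XORs with at most `cut` variables."""
    variables = list(variables)
    parts = []
    while len(variables) > cut:
        aux = next_var
        next_var += 1
        head, variables = variables[:cut - 1], variables[cut - 1:]
        parts.append((head + [aux], 0))  # aux equals the XOR of head
        variables.insert(0, aux)         # aux replaces head in the remainder
    parts.append((variables, rhs))
    return parts, next_var


def xor_to_cnf(variables, rhs):
    """Direct encoding: one clause per assignment of the wrong parity."""
    clauses = []
    for bits in product((0, 1), repeat=len(variables)):
        if sum(bits) % 2 != rhs:
            # This clause is violated exactly by the assignment `bits`.
            clauses.append([v if b == 0 else -v for v, b in zip(variables, bits)])
    return clauses


# x1 + ... + x7 = 1, with fresh variables starting at index 8.
parts, next_var = split_xor(range(1, 8), 1, 8)
cnf = [clause for vs, rhs in parts for clause in xor_to_cnf(vs, rhs)]
```

A direct encoding of an XOR in $k$ variables has $2^{k-1}$ clauses, so the example produces $2^{4}+2^{3}=24$ clauses instead of the $2^{6}=64$ clauses of an unsplit encoding.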

All experiments were run on an Intel Xeon E5-2623 v3 processor with 128GB of RAM under Debian 10. We used $\mathtt{CryptoMiniSat}$ version $5.8$ , $\mathtt{xnfSAT}$ version $03v$ , $\mathtt{Bosphorus}$ version $3.0$ , and $\mathtt{SBVA{\text{-}}CaDiCaL}$ with $\mathtt{CaDiCaL}$ 2.0 (see [7]).

Random 2-XNF Clauses

First we consider random 2-XNF instances involving $n$ variables and $m$ clauses. Every clause in the formula is generated by picking two linerals uniformly at random in ${\mathbb{L}}_{n}\setminus{\mathbb{F}}_{2}$ . With $m=3\cdot n$ and $n\in\{21,\dots,40\}$ , experiments showed that such an instance is $\mathtt{UNSAT}$ with a probability of at least $98\%$ . If a solution is desired, we simply choose $a\in{\mathbb{F}}_{2}^{n}$ at random and for every clause that is not satisfied by $a$ , we randomly flip the constant of one of the two linerals. This ensures that $a$ indeed forms a satisfying assignment of the generated 2-XNF instance. Two random benchmark suites are considered, each containing $400$ random instances with $n\in\{21,\dots,40\}$ variables in $m=3\cdot n$ clauses, where we have $20$ instances for every $n$ . One set contains only satisfiable instances, the other only unsatisfiable ones.
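The generation procedure described above can be sketched in Python. This is an illustration under assumptions, not the generator used for the benchmark suites: a lineral is an integer bitmask (bit $0$ is the constant, bit $i$ the coefficient of $x_{i}$), it counts as true at an assignment if it evaluates to $1$, and an assignment is an integer whose bit $i-1$ is the value of $x_{i}$. The function names and the seed are hypothetical.

```python
import random


def random_lineral(n, rng):
    """Uniform choice among the linerals with at least one variable."""
    while True:
        mask = rng.getrandbits(n + 1)
        if mask >> 1:  # reject the constants 0 and 1
            return mask


def value(lineral, a):
    """Truth value of the lineral at the assignment a."""
    ones = bin((lineral >> 1) & a).count("1")
    return (ones + (lineral & 1)) % 2


def random_2xnf(n, m, rng, planted=None):
    """Generate m random clauses; optionally force `planted` to be a solution."""
    clauses = []
    for _ in range(m):
        clause = [random_lineral(n, rng), random_lineral(n, rng)]
        if planted is not None and not any(value(l, planted) for l in clause):
            clause[rng.randrange(2)] ^= 1  # flip the constant of one lineral
        clauses.append(tuple(clause))
    return clauses


rng = random.Random(0)
n = 21
a = rng.getrandbits(n)
instance = random_2xnf(n, 3 * n, rng, planted=a)
```

Flipping the constant of a false lineral makes it true at the planted assignment, so every clause is satisfied by construction.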

(a) Benchmark suite consisting of $400$ random satisfiable 2-XNF instances in $n$ indeterminates and $3n$ clauses where $n\in\{21,\dots,40\}$.

The cactus plots in Figure 4 show that such small random instances are hard for state-of-the-art CNF and CNF-XOR solvers. In particular, we see that $\mathtt{xnfSAT}$ and $\mathtt{SBVA{\text{-}}CaDiCaL}$ are even outperformed by a simple brute-force implementation. Algebraic solving with $\mathtt{PolyBoRi}$ does not perform significantly worse than $\mathtt{CryptoMiniSat}$. While the plot clearly shows that $\mathtt{2\text{-}Xornado}$ performs best on this benchmark, one should note that this is not due to some clever data structures that allow very fast propagation. The main reason for its better overall performance is that the number of decisions required by $\mathtt{2\text{-}Xornado}$ (with any heuristic) is smaller by a factor of $60$-$80$ than the number of decisions taken by $\mathtt{CryptoMiniSat}$.

Round-Reduced Ascon Key Recovery Attacks

Our second benchmark set consists of instances related to key-recovery attacks on round-reduced versions of the cipher $\mathtt{Ascon\text{-}128}$ (see [18]). In particular, we consider attacks where the $128$ -bit nonce and the $320$ -bit internal state are known and the goal is to undo the initialization step consisting of $12$ rounds in order to obtain the $128$ -bit secret key. If this problem can be solved efficiently, the cipher is broken in a nonce-misuse scenario, see [6]. Here we consider round-reduced variants: $20$ instances with $2$ rounds, $20$ instances with $3$ rounds and knowledge of the first $k$ key bits for each $k\in\{55,\dots,64\}$ , and $20$ instances with $4$ rounds and knowledge of the first $k$ key bits for each $k\in\{92,\dots,100\}$ . The instances were generated by applying $\mathtt{QANFto2XNF}$ to a polynomial representation of the cryptosystem, see Example 3.22, augmented with some additional XNF clauses, which speed up propagation in $\mathtt{GGCP}$ .

Figure 5 contains a cactus plot for these cryptographic instances. Here $\mathtt{xnfSAT}$ was not included due to its bad performance on the random set. It turns out that for the 2-round version $\mathtt{2\text{-}Xornado}$ can already solve all instances (starting with the trivial IGS) during pre-processing in less than $0.3$ seconds on average. On these instances, $\mathtt{CryptoMiniSat}$ requires more than $80\,000$ decisions and several seconds; and $\mathtt{SBVA{\text{-}}CaDiCaL}$ about $20\,000$ decisions and one second. Our solver $\mathtt{2\text{-}Xornado}$ with the MaxBottleneck or the MaxReach heuristic and in-processing with $\mathtt{tFLS}$ also performs very well on the remaining benchmark and comes out as the average best solver. The bad performance with the MaxPath heuristic may be attributed to the fact that the corresponding decision linerals contain more variables and therefore $\mathtt{crGGCP}$ execution requires more time, increases the average length of linerals of the implication graph vertices, i.e., increases its memory footprint, and thereby makes backtracking more expensive. It should be noted that on the 4-round instances the CNF-XOR solver $\mathtt{CryptoMiniSat}$ had a better performance with fewer timeouts. So its advanced decision heuristics, the highly optimized data structures, and the conflict-learning methods do pay off on larger instances. Nonetheless $\mathtt{2\text{-}Xornado}$ still requires fewer decisions by a factor of $60$ - $80$ . The CNF-SAT solver $\mathtt{SBVA{\text{-}}CaDiCaL}$ , however, with data structures and conflict-learning methods similar to $\mathtt{CryptoMiniSat}$ could only solve $8$ of these instances. This highlights the effectiveness of the encodings of these innately XOR-rich problems in CNF-XOR and XNF. 
Also note that $\mathtt{PolyBoRi}$ could not solve a single instance when given the input in its ANF format. However, when it was fed the system of quadratic equations corresponding to the 2-XNF, some instances could be solved. The situation for $\mathtt{Bosphorus}$ is similar, with better performance on the input that comes from our XNF encoding.
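
The phrase "system of quadratic equations corresponding to the 2-XNF" can be illustrated with a small sketch. We assume here, purely for illustration, the convention that a lineral is satisfied when its XOR evaluates to $1$; under the opposite convention only the constants shift. With this assumption, a clause $L_1\vee L_2$ with linear polynomials $\ell_1,\ell_2$ is violated exactly when both evaluate to $0$, so it holds if and only if $(\ell_1+1)(\ell_2+1)=0$ over $\mathbb{F}_2$. The helper names below are hypothetical and do not belong to any of the tools mentioned above.

```python
from itertools import product

# A lineral is modelled as (set of variable indices, constant bit),
# i.e. x_i1 + ... + x_ik + constant over F_2.
# A Boolean polynomial in ANF is a set of monomials; each monomial is a
# frozenset of variable indices, and the empty frozenset is the constant 1.
ONE = {frozenset()}

def lineral_to_poly(variables, constant):
    """Return the ANF of the linear polynomial x_i1 + ... + x_ik + constant."""
    poly = {frozenset([v]) for v in variables}
    if constant:
        poly.add(frozenset())
    return poly

def add(p, q):
    """Addition over F_2: equal monomials cancel (symmetric difference)."""
    return p ^ q

def multiply(p, q):
    """Product of Boolean polynomials; x^2 = x, so monomials multiply by union."""
    result = set()
    for m1 in p:
        for m2 in q:
            result ^= {m1 | m2}  # toggle the monomial (coefficients mod 2)
    return result

def clause_to_quadratic(l1, l2):
    """Polynomial (l1 + 1)(l2 + 1); assumed convention: lineral true <=> value 1."""
    return multiply(add(lineral_to_poly(*l1), ONE),
                    add(lineral_to_poly(*l2), ONE))

def evaluate(poly, assignment):
    """Evaluate an ANF polynomial at a 0/1 assignment (dict: variable -> bit)."""
    return sum(all(assignment[v] for v in m) for m in poly) % 2

def clause_holds(l1, l2, assignment):
    """Check the clause (l1 OR l2) directly from its two linerals."""
    def value(lineral):
        variables, constant = lineral
        return (sum(assignment[v] for v in variables) + constant) % 2
    return value(l1) == 1 or value(l2) == 1

# Illustrative clause (x1 + x2) OR (x2 + x3 + 1); not taken from the benchmarks.
l1 = ({1, 2}, 0)
l2 = ({2, 3}, 1)
quad = clause_to_quadratic(l1, l2)  # x1*x2 + x1*x3 + x2*x3 + x3

# The clause holds exactly at the zeros of the quadratic polynomial.
equivalent = all(
    clause_holds(l1, l2, dict(zip((1, 2, 3), bits)))
    == (evaluate(quad, dict(zip((1, 2, 3), bits))) == 0)
    for bits in product((0, 1), repeat=3)
)
```

Collecting one such polynomial per clause yields a system of equations of degree at most two, which is the kind of input an algebraic solver expects. The brute-force check at the end is only feasible for toy examples and serves to confirm the equivalence.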

Conclusions

A generalization of the well-known CNF that allows compact representations of XOR-rich problems, like those originating from cryptographic attacks, has been introduced. On top of that, we generalized pre- and in-processing techniques and introduced a DPLL-based solving algorithm with a simple decision heuristic that outperforms other state-of-the-art solving approaches on random instances and on problems originating from cryptographic attacks on $\mathtt{Ascon\text{-}128}$. An extension to CDCL-based solving is in preparation, and better decision heuristics will be investigated.

Acknowledgements. During part of this research, the second author was supported by the DFG project Algebraische Fehlerangriffe KR 1907/6-2. The first author gratefully acknowledges Cusanuswerk e.V. for financial support.

References

[1] F. N. Abu-Khzam, K. A. Jahed, and A. E. Mouawad, A hybrid graph representation for exact graph algorithms, preprint 2014, available at arxiv.org/pdf/1404.6399.pdf (accessed on 23 February 2023).
[2] F. N. Abu-Khzam, D. Kim, M. Perry, K. Wang, and P. Shaw, Accelerating vertex cover optimization on a GPU architecture, in: Int. Symposium on Cluster, Cloud and Grid Computing (CCGRID), Washington 2018, IEEE Xplore, pp. 616–625.
[3] F. N. Abu-Khzam, M. A. Langston, and C. P. Nolan, A hybrid graph representation for recursive backtracking algorithms, in: Frontiers in Algorithmics (FAW 2010), LNCS 6213, Springer-Verlag, Berlin 2010, pp. 136–147.
[4] M. Albrecht, C. Cid, L. Grassi, D. Khovratovich, R. Lüftenegger, C. Rechberger, and M. Schofnegger, Algebraic cryptanalysis of STARK-friendly designs: Application to MARVELlous and MiMC, in: Proc. Advances in Cryptology (ASIACRYPT 2019), Kobe 2019, LNCS 11923, Springer Int. Publ., Cham 2019, pp. 371–397.
[5] B. Aspvall, M. F. Plass, and R. E. Tarjan, A linear-time algorithm for testing the truth of certain quantified boolean formulas, Inform. Process. Lett. 8 (1979), 121–123.
[6] J. Baudrin, A. Canteaut, and L. Perrin, Practical cube attack against nonce-misused Ascon, IACR Transactions on Symmetric Cryptology 4 (2022), 120–144.
[7] A. Biere, T. Faller, K. Fazekas, M. Fleury, N. Froleyks, and F. Pollitt, CaDiCaL 2.0, in: Proc. Computer Aided Verification (CAV 2024), Montreal 2024, LNCS 14681, Springer Nature Switzerland, Cham 2024, pp. 133–152.
[8] M. Brickenstein, Boolean Gröbner Bases: Theory, Algorithms and Applications, Springer-Verlag, Berlin 2010.
[9] M. Brickenstein and A. Dreyer, PolyBoRi: A framework for Gröbner-basis computations with Boolean polynomials, J. Symbolic Comput. 44 (2009), 1326–1345.
[10] W. Castryck and T. Decru, An efficient key recovery attack on SIDH, in: Proc. Advances in Cryptology (EUROCRYPT 2023), Lyon 2023, LNCS 14008, Springer Int. Publ., Cham 2023, pp. 423–447.
[11] D. Choo, M. Soos, K. M. A. Chai, and K. S. Meel, Bosphorus: Bridging ANF and CNF solvers, in: Proc. Design, Automation, and Test in Europe (DATE), Florence 2019, IEEE Xplore, pp. 468–473.
[12] N. Courtois, A. Klimov, J. Patarin, and A. Shamir, Efficient algorithms for solving overdefined systems of multivariate polynomial equations, in: Proc. Advances in Cryptology (EUROCRYPT 2000), Brugge 2000, LNCS 1807, Springer-Verlag, Berlin 2000, pp. 392–407.
[13] N. Courtois, P. Sepehrdad, P. Sušil, and S. Vaudenay, The ElimLin algorithm revisited, in: Proc. Fast Software Encryption (FSE 2012), Washington 2012, LNCS 7549, Springer-Verlag, Berlin 2012, pp. 306–325.
[14] J. Danner and M. Kreuzer, A fault attack on KCipher-2, Int. J. Comput. Math. Comput. Syst. Theory 6 (2021), 281–312.
[15] S. K. Dash, S.-B. Scholz, S. Herhut, and B. Christianson, A scalable approach to computing representative lowest common ancestor in directed acyclic graphs, Theoret. Comput. Sci. 513 (2013), 25–37.
[16] J. Davies, Solving MAXSAT by decoupling optimization and satisfaction, dissertation, University of Toronto, Toronto 2013.
[17] M. Davis, G. Logemann, and D. Loveland, A machine program for theorem proving, Commun. ACM 5 (1962), 394–397.
[18] C. Dobraunig, M. Eichlseder, F. Mendel, and M. Schläffer, Ascon v1.2: Technical report, National Institute of Standards and Technology, 2019.
[19] J. M. Dudek, K. S. Meel, and M. Y. Vardi, The hard problems are almost everywhere for random CNF-XOR formulas, in: Proc. Int. Joint Conference on Artificial Intelligence (IJCAI’17), Melbourne 2017, pp. 600–606.
[20] A. D. Dwivedi, M. Klouček, P. Morawiecki, I. Nikolić, J. Pieprzyk, and S. Wójtowicz, SAT-based cryptanalysis of authenticated ciphers from the CAESAR competition, in: Proc. Int. Joint Conference on e-Business and Telecommunications (ICETE 2017), SECRYPT, Madrid 2017, pp. 237–246.
[21] G. Emdin, A. S. Kulikov, I. Mihajlin, and N. Slezkin, CNF encodings of symmetric functions, Theory Comput. Sys. (2024).
[22] A. Haberlandt, H. Green, and M. J. H. Heule, Effective auxiliary variables via structured reencoding, in: Proc. Theory and Applications of Satisfiability Testing (SAT 2023), Alghero 2023, LIPIcs 271, Leibniz-Zentrum für Informatik, Dagstuhl 2023, pp. 11:1–11:19.
[23] H. Hadipour and M. Eichlseder, Autoguess: a tool for finding guess-and-determine attacks and key bridges, in: Proc. Applied Cryptography and Network Security (ACNS 2022), Rome 2022, LNCS 13269, Springer Nature Switzerland, Cham 2022, pp. 230–250.
[24] C. S. Han and J-H. R. Jiang, When Boolean satisfiability meets Gaussian elimination in a simplex way, in: Proc. Computer Aided Verification (CAV 2012), Berkeley 2012, LNCS 7358, Springer-Verlag, Berlin 2012, pp. 410–426.
[25] M. J. H. Heule, M. Järvisalo, and A. Biere, Revisiting hyper binary resolution, in: Integration of AI and OR Techniques in Constraint Programming for Combinatorial Optimization Problems (CPAIOR 2013), LNCS 7874, Springer-Verlag, Berlin 2013, pp. 77–93.
[26] J. Horáček, Algebraic and logic solving methods for cryptanalysis, dissertation, Universität Passau, Passau 2020.
[27] J. Horáček and M. Kreuzer, Refutation of products of linear polynomials, in: Proc. Third Int. Workshop on Satisfiability Checking and Symbolic Computation (SC^2), Oxford 2018, available at http://ceur-ws.org/Vol-2189/.
[28] J. Horáček and M. Kreuzer, On conversions from CNF to ANF, J. Symbolic Comput. 100 (2020), 164–186.
[29] P. Jovanovic and M. Kreuzer, Algebraic attacks using SAT-solvers, Groups Complexity Cryptology 2 (2010), 247–259.
[30] M. Kreuzer and L. Robbiano, Computational Commutative Algebra 1, Springer-Verlag, Berlin 2000.
[31] F. Lafitte, J. Nakahara, and D. Van Heule, Applications of SAT solvers in cryptanalysis: finding weak keys and preimages, J. Satisf. Boolean Model. Comput. 9 (2014), 1–25.
[32] T. Laitinen, T. Junttila, and I. Niemelä, Conflict-driven XOR-clause learning, in: Proc. Theory and Applications of Satisfiability Testing (SAT 2012), Trento 2012, LNCS 7317, Springer-Verlag, Berlin 2012, pp. 383–396.
[33] A. Leventi-Peetz, O. Zendel, W. Lennartz, and K. Weber, CryptoMiniSat switches-optimization for solving cryptographic instances, in: Proc. Pragmatics of SAT 2015 and 2018, EPiC Series in Computing 59, EasyChair 2019, pp. 79–93.
[34] I. Mironov and L. Zhang, Applications of SAT solvers to cryptanalysis of hash functions, in: Proc. Theory and Applications of Satisfiability Testing (SAT 2006), Seattle 2006, LNCS 4121, Springer-Verlag, Berlin 2006, pp. 102–115.
[35] M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, and S. Malik, Chaff: engineering an efficient SAT solver, in: Proc. Design Automation Conference (DAC), Las Vegas 2001, ACM, New York 2001, pp. 530–535.
[36] W. Nawrocki, Z. Liu, A. Fröhlich, M. J. H. Heule, and A. Biere, XOR local search for Boolean Brent equations, in: Theory and Applications of Satisfiability Testing (SAT 2021), LNCS 12831, Springer Nature Switzerland, Cham 2021, pp. 417–435.
[37] R. Sebastiani and P. Trentin, OptiMathSAT: a tool for optimization modulo theories, J. Automat. Reason. 64 (2020), 423–460.
[38] M. Soos and K. S. Meel, BIRD: Engineering an efficient CNF-XOR SAT solver and its applications to approximate model counting, in: Proc. AAAI Conference on Artificial Intelligence 2019, vol. 33, AAAI Press, Palo Alto 2019, pp. 1592–1599.
[39] M. Soos, K. Nohl, and C. Castelluccia, Extending SAT solvers to cryptographic problems, in: Theory and Applications of Satisfiability Testing (SAT 2009), LNCS 5584, Springer-Verlag, Berlin 2009, pp. 244–257.
[40] R. Tarjan, Depth-first search and linear graph algorithms, SIAM J. Comput. 1 (1972), 146–160.
[41] M. Trimoska, S. Ionica, and G. Dequen, Parity (XOR) reasoning for the index calculus attack, in: Proc. Principles and Practice of Constraint Programming (CP 2020), Louvain-la-Neuve 2020, Springer Int. Publ., Cham 2020, pp. 774–790.