a comparison of reductions from fact to cnf-sat721407/fulltext01.pdf · a comparison of reductions...
TRANSCRIPT
A comparison of reductions from FACT to CNF-SAT
JOHN ERIKSSONJONAS HÖGLUND
Bachelors’s Thesis at CSCSupervisor: Per Austrin
Examiner: Örjan Ekeberg
AbstractThe integer factorisation problem (FACT) is a well-known number-theoreticproblem, with many applications in areas such as cryptography. An instanceof a FACT problem (a number n such that n = p× q) can be reduced to aninstance of the conjunctive normal form boolean satisfiability problem (CNF-SAT), a well-known NP-complete problem. Some applications of this is toutilize advances in SAT solving for solving FACT, and for creating difficultCNF-SAT instances.
This report compares four different reductions from FACT to CNF-SAT,based on the full adder, array multiplier and Wallace tree multiplier circuits.The comparisons were done by reducing a set of FACT instances to CNF-SATinstances with the different reductions. The resulting CNF-SAT instanceswere then compared with respect to the number of clauses and variables, aswell as the time taken to solve the instances with the SAT solver MiniSat.
Contents
1 Introduction 1
2 Background 32.1 Binary adders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1 Half adders and full adders . . . . . . . . . . . . . . . . . . . . . . 32.1.2 Adder circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Binary multipliers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2.1 Array multiplier . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2.2 Wallace tree multipliers . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Binary circuits and Tseitin transformation . . . . . . . . . . . . . . . . . . 8
3 Method 93.1 Reductions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4 Results 11
5 Discussion 155.1 Size of reduction instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 155.2 Solving time for reduction instances . . . . . . . . . . . . . . . . . . . . . 155.3 Possible future directions for this study . . . . . . . . . . . . . . . . . . . 16
CONTENTS
Bibliography 17
Chapter 1
Introduction
The integer factorisation problem (FACT) is a well-known number-theoretic problem.The objective is to determine for a given integer the set of prime numbers whose prod-uct is the given number. The precise computational class of the factorisation problemremains unknown, and no polynomial-time algorithm for solving this on classical comput-ers are known. Note, however, that the problem has been solved for quantum computers[Sho99], although treatment of this is outside the scope of this report.
In particular, instances of FACT that arise in practice are often of a particular form,consisting of the product of precisely two prime numbers (semiprimes)[ARS83]. Onesuch case is in RSA-based encryption. The interest in studying the integer factorisa-tion problem primarily stems from its relevance to modern cryptography. RSA-basedencryption is based on the assumption that prime factorisation is a difficult problem tosolve, and thus an efficient algorithm for solving FACT would compromise the securityof systems based on such encryption.
The boolean satisfiability problem (SAT) is known to be NP-complete. Means ofsolving SAT has been studied in-depth, with yearly competitions between programsaccomplishing this (SAT solvers) to encourage and stimulate further research in this area[Sat11, Sat10]. Even though SAT may well be a theoretically more difficult problem thanFACT, extensive research has been done in this area. It is possible that the advancesin SAT solving can be used to quickly factorise numbers, given a suitable reduction toSAT. For the purposes of this article, we only consider the construction variant of theSAT problem, yielding a satisfying assignment as its output.
Another benefit of reducing FACT to SAT, apart from the cryptographic perspectivegiven above, is to produce test cases for SAT solvers by reducing a factorisation instanceconsisting of the product of two large prime numbers. It is easy to vary the difficulty ofthe SAT instance by selecting appropriate prime factors.
A common method of structuring such reductions is by constructing a boolean circuitfor computing the product of two binary integers. This circuit is then reduced to a SATinstance. In circuit design, an important goal is to minimize propagation delay throughgates [Par09][p.111,177]. For example, a basic ripple carry adder is very simple, but takeslinear time because the computation of each bit depends on the previous one. A carry-
1
CHAPTER 1. INTRODUCTION
lookahead adder can be much faster, but is also more complex with its carry-lookaheadlogic.
In the context of using boolean circuits in SAT solvers, rather than computing theoutput quickly given known input the task is instead the opposite: find a given inputthat yields the output. It is no longer clear whether propagation delay is an importantconsideration, or if other aspects of the circuit are more important to minimize.
This report compares a set of different reductions from FACT to SAT via suchboolean circuits, with the goal of finding whether there is a connection between thecomplexity of the formula yielded by each reduction (in terms of number of variablesand clauses) and the runtime performance of a SAT solver on the same formula.
2
Chapter 2
Background
2.1 Binary adders
Binary adders are circuits that take two binary numbers and outputs the sum of thesenumbers. Binary adders can be implemented in many different ways. This sectiondescribes the implementations used in this report.
2.1.1 Half adders and full adders
The basic building blocks of adders are the half adder and the full adder. A half adderhas two input bits, A and B, and outputs two bits, S and Cout, which are the leastsignificant and most significant bit of the sum of the input bits. Cout is the carryoutput of this calculation, and is required when building adders for n-bit numbers. Theequations describing a half adder are shown in figure 2.1.
A full adder adds three input bits together, A, B and Cin, and outputs two bits, Sand Cout, just like the half adder. Full adders have a carry-in output unlike half adders,which is also required for building adders. A full adder can be designed in many differentways, and this report implements 2 different full adder designs.
Full adder 1 (see figure 2.2) uses 2 OR gates and 3 AND gates for its Cout, and atotal of 7 gates including 2 XOR gates. Full adder 2 (see figure 2.3) is essentially twohalf adders chained together and an OR gate, and so uses a total of 5 gates. This meansthat full adder 1 uses two gates more than full adder 2, but it should also be fasterwhen used as a circuit, as Cout only needs to pass through 2 gates while Cout has to passthrough three gates.
S = A⊕BCout = A ∧B
Figure 2.1. Binary equations for half adder.
3
CHAPTER 2. BACKGROUND
S = A⊕B ⊕ Cin
Cout = (A ∨B) ∧ (A ∨ Cin) ∧ (B ∨ Cin)
Figure 2.2. Binary equations for full adder 1.
S1 = A⊕BC1 = A ∧BC2 = S1 ∧ Cin
S = S1 ⊕ Cin
C = C1 ∨ C2
Figure 2.3. Binary equations for full adder 2.
function RippleAdder(a[1..i], b[1..i])Input: Two non-negative i-bit numbers a and b, least significant bit
first.Output: An i + 1-bit non-negative number which is the sum of a and
b, least significant bit first.
output[1..i + 1]output[1], carry ← HalfAdder(a[1], b[1])for i← 2..i do
output[i], carry ← FullAdder(a[i], b[i], carry)end for
output[i + 1]← carry . Last carry is also savedreturn outputs
end function
Figure 2.4. Pseudo-code for the ripple-carry adder algorithm.
2.1.2 Adder circuits
The simplest adder implementation is the ripple-carry adder. This adder works bychaining full adders together sequentially, such that the least significant bit is computedbefore the second least significant bit, and so on. This is done by feeding the carry bitof one adder to the carry-in input of the next adder. This dependency leads to an adderalgorithm with linear runtime [Toh]. Pseudo-code for the algorithm is included in figure2.4.
In this report, two variants of the ripple-carry adder have been implemented. Theonly difference is the full adder design used for building the adder.
4
2.2. BINARY MULTIPLIERS
function ArrayMultiplier(a[1..i], b[1..j])Input: Two non-negative binary numbers a and b, which are i and
j bits in lengths respectively.Output: An (i + j)-bit non-negative number which is the product of
a and b, least significant bit first.
allocate output[1..i + j]line← a ∧ b[1]
for x← 2..j dopartialProduct← 0 concat (a ∧ b[x]) . Partial product is shifted 1 stepline← adder(line, partialProduct)output[x− 1]← line[1]
end for
output[j..j + i]← remaining bits of linereturn output
end function
Figure 2.5. Pseudo-code for the array multiplier algorithm.
2.2 Binary multipliers
Binary multipliers are circuits that multiply 2 binary numbers. A binary multiplier takestwo binary numbers a and b, of length i and j, in binary form, and outputs the productof those numbers as a (i + j)-bit binary number.
2.2.1 Array multiplier
Binary multipliers can be created in many different ways, and much research has beendone on efficient binary arithmetic circuits. The simplest multiplier is an array multiplier.It is very similar to the standard long multiplication algorithm for multiplication, exceptwith binary numbers.
When multiplying numbers a and b, the array multiplier first calculates partial prod-ucts by multiplying a with each bit in b. Since a bit can be only 0 or 1, each partialproduct will either be exactly a or exactly 0, and this can be calculated easily with ANDgates.
The partial products are then added. In the array multiplier, this is done very simply.First, an adder adds the first two partial products, then an another adder adds the sumof the first adder with the third adder, etc. until all the partial products have beenadded (figure 2.6, pseudo-code in figure 2.5). [Par09, p. 226ff]
5
CHAPTER 2. BACKGROUND
1 0 1 1× 1 1 0 1
1 0 1 10 0 0 0
1 0 1 1+ 1 0 1 11 0 0 0 1 1 1 1 1
Figure 2.6. Array multiplier summation example.
2.2.2 Wallace tree multipliersA standard array multiplier requires many adders to add all the partial products. Ifnumbers a and b are of length i and j respectively, the algorithm calculates j− 1 binaryproducts, each with a length of i. The number of full or half adders required are thenproportional to ij. Many gates are therefore required to build an array multiplier. AWallace tree reduces the number of gates needed for adding many numbers together.
When the partial products are collected, the circuit ends up with many bits of dif-ferent weights to handle. The purpose of a wallace tree is to reduce these bits so thatthere will be at most two bits for each weight. These weights can then be added withone adder circuit.
This reduction is done with trees of full adders and half adders. As mentioned earlier,a full adder takes three input bits and outputs 2 bits S and Cout, which are the leastsignificant and most significant bit respectively. A full adder can be used to reduce threebits of the same weight to 1 bit of the same weight and 1 bit of a higher weight. A halfadder can be used in the same way to reduce two bits of the same weight.
For each bit weight, if there are three or more bits, group the bits into groups ofthree and reduce them with the full adders as described earlier. If there are two bits leftafter the grouping, use a half adder to reduce these bits two. If there are 1 bit left, leaveit as it is. The old reduced bits are removed, the S output bits are added to this weight,and Cout are added to next weight. Figure 2.7 describes this algorithm in pseudo-code.
This reduction is repeated until no weight has three or more bits. When there areone or two bits per weight, the multiplication has been reduced to an addition of twonumbers, which are added together with a regular adder [Par09, p. 158ff].
6
2.2. BINARY MULTIPLIERS
function WallaceMultiplier(a[1..i], b[1..j])Input: Two non-negative binary numbers a and b, which are i and
j bits in lengths respectively.Output: An (i + j)-bit non-negative number which is the product of
a and b, least significant bit first.
Let m be a map of lists, mapping each bit weight to all current bits with thatweight
for x← 1..i dofor y ← 1..j do
Add a[i] ∧ b[j] to m, bit weight i + jend for
end for
while ∃ bit weight ∈ m with 3 or more bits dofor z[1..k]← each bit weight w ∈ m do
Group as many bits in z as possible into groups of three
for g ← each group of 3 bits dos, c← FullAdder(g1, g2, g3)Remove group g from m[w]Add s to m[w]Add c to m[w + 1]
end for
if there is a remaining group g of 2 bits thens, c← HalfAdder(g1, g2)Remove group g from m[w]Add s to m[w]Add c to m[w + 1]
end ifend for
end while
. Each bit weight has only 1 or 2 bits now, so two long numbers are remainingnum1← first numbernum2← second numberoutput← AnyAdder(num1, num2)return output
end function
Figure 2.7. Pseudo-code for the Wallace tree multiplier algorithm.
7
CHAPTER 2. BACKGROUND
2.3 Binary circuits and Tseitin transformationOne way of creating reductions to SAT is to create a circuit Cn(a1a2 · · · amb1b2 · · · bn)with one output, where a and b are potential factors of n, and m and m are the bit lengthsof a and b respectively. The circuit is construted so that Cn(a1a2 · · · amb1b2 · · · bn) = 1if and only if a× b = n. The factorization problem then is simply about finding a and bsuch that a× b = n.
Typical SAT solvers can not solve actual circuits directly. Instead, they operateon conjunctive normal form formulas (CNF). CNF is a conjunction of disjunctions ofliterals. A literal can be either a variable or the negation of a variable. Each disjunctionis known as a clause. The CNF formula is then true if and only if every clause is true.
The circuit must then be reduced to CNF-SAT. Tseitin transformation is an efficientalgorithm for reducing a circuit problem to a CNF-SAT problem. The number of clausesin the resulting CNF-SAT formula is linear to the number of gates in the circuit [Tse83].
The principle of the Tseitin transformation is that each gate has 1 output, and foreach gate, we add a new variable to the formula which will represent the output value.Each gate has 1 or 2 inputs and 1 output. For each gate input, we find the correspondingvariable, which may be either a variable of the original circuit or an output variable ofa gate, whose output is feeded to this gate. Clauses are then added to force the outputvariable of this gate to match the gate according to the patterns in table 2.1.
Gate CNF clausesC = A ∧B (A ∨B ∨ C) ∧ (A ∨ C) ∧ (B ∨ C)C = A ∨B (A ∨B ∨ C) ∧ (A ∨ C) ∧ (B ∨ C)C = A⊕B (A ∨B ∨ C) ∧ (A ∨B ∨ C) ∧ (A ∨B ∨ C) ∧ (A ∨B ∨ C)C = A (A ∨ C) ∧ (A ∨ C)
Table 2.1. Tseitin transformation substitution rules. Each gate given to the left istranslated into the corresponding CNF clause to the right.
8
Chapter 3
Method
As mentioned in the introduction, we have studied a set of reductions from FACT toSAT. These reductions are all done constructing boolean circuits for calculating theproduct of two factors. These circuits are then reduced to CNF-SAT with the Tseitintransformation.
For every reduction, the bit length of the two input numbers can be varied to fit thecurrent problem instance. One requirement is that if we are trying factorise the numbern = p × q, a number with bit length b the circuit has to be large enough to output atleast b bits, and the inputs must not be shorter than the bit lengths of p and q (whichare unknown so far). The terms p and q can’t be longer than the number n itself.
Since there will always be a trivial solution n = 1× n, the circuit must disallow thistrivial solution. The bit length of the input numbers must therefore bit restricted sothat they are at least 1 bit shorter than the bit length b of n [HW98, p. 3ff]. Since atleast 1 of the factors must be less than or equal to
√n, the bit length of the second input
number can be restricted even further, to db/2e. We therefore chose the input numberlengths b− 1 and db/2e for the two input numbers.
A SAT solver will attempt to find a truth assignment to the CNF instance whichmakes all clauses true. The clauses must then be true if and only if the multiplieroutputs the number n that the we are trying to factorise. This is enforced by addingunit clauses. The multiplier circuit outputs the result as a sequence of bits. Once thecircuit is reduced to CNF-SAT, unit clauses are added to force each output bit to beeither true or false, so that the output must be equal to the bit sequence of n.
3.1 Reductions
The reductions differ only in how they choose to express the multiplication circuit, byvarying the adder and multiplier circuits. In this report, we have implemented the twofull adder algorithm variations mentioned above, as well as two multiplier algorithms,array multiplier and wallace tree multiplier. Each pair of adder and multiplier algorithmyields a different reduction. Thus, the four reductions compared are:
9
CHAPTER 3. METHOD
• Array multiplier with full adder 1
• Array multiplier with full adder 2
• Wallace tree multiplier with full adder 1
• Wallace tree multiplier with full adder 2
For each testcase and circuit, the circuit is constructed, reduced to CNF-SAT, and theoutput unit clauses are added. The CNF-SAT instance is then tested with a CNF-SATsolver, which will try to solve the instance as fast as possible.
For comparing SAT solver performance, we have chosen the MiniSat SAT solver[Min14],as it has performed well in multiple SAT competitions. We do not vary properties amongthe hardware on which the SAT solver is run.
The test cases studied are semiprimes whose factors are given below.
• 17977× 10619863
• 16769023× 1073676287
• 2147483647× 2147483647
• 1073676287× 68718952447
The source code for the implementation used for this report can be found at https://bitbucket.org/migomipo/kexjobb. The reductions are implemented in Python.
10
Chapter 4
Results
We compared the 4 different reductions detailed above. Table 4.1 presents the test runsfor each test case (factoring the product p × q) together with the reduction used, thestatistics about this instance of the reduction (number of variables and clauses in CNFform) as well as SAT solver performance using MiniSat. The last two lines of the tableare incomplete, as the SAT solver did not finish within feasible time (13000 seconds).
We have also presented the same data in bar plot form for each test case, in orderto faciliate visual comparison between the different reductions. The plots present thedifferent statistics for each test case with each statistic scaled independently of the rest,so that e.g. the execution time could be compared with the clause count.
p q full adder multiplier #vars #clauses dur (s) mem (MB)17977 10619863 full1 array 5326 17123 82.3 30
full2 array 4032 13241 16.7 22full1 wallace 5372 17288 141 38full2 wallace 4082 13418 115 37
16769023 1073676287 full1 array 11022 35555 9.20 30full2 array 8320 27449 78.6 42full1 wallace 11174 36091 2331 136full2 wallace 8476 27997 113 67
2147483647 2147483647 full1 array 14638 47267 8.71 30full2 array 11040 36437 24.4 46full1 wallace 14894 48167 10.2 26full2 wallace 11300 36375 47.1 51
1073676287 68718952447 full1 array 16638 53747 107 78full2 array 12544 41465 4343 229full1 wallace 16848 54486 — —full2 wallace 12758 42216 — —
Table 4.1. The statistics and performance of each test run.
11
CHAPTER 4. RESULTS
Full adder 2 uses fewer gates than full adder 1, as is clearly shown in table 4.1. Thereductions with full adder 2 result in CNF instances with about 25% fewer variablesand about 23% fewer clauses. Both the array multiplier and Wallace tree reductions usefull adders heavily, so the gate saving are multiplied in the large circuits created by thereductions.
Figure 4.1. Test case 1: 17977 × 10619863
Our first tests were with the number 17977 × 10619863, and the result can be seenin figure 4.1. The array multiplier was reduced faster than the Wallace multiplier withboth full adder designs. With both multiplier, reductions with full adder 2 were alsoreduced faster than those with full adder 1. This difference was very big in the arraymultiplier case, more than 5 times faster.
Figure 4.2. Test case 2: 16769023 × 1073676287
For the second testcase, shown in figure 4.2, it is clear that the combination of thefirst adder and wallace multiplier was by far the reduction that took the longest forMiniSat to solve. The fastest reduction in terms of execution time for this test case was
12
full adder 1 + array multiplier. Considering memory consumption, the combination offull adder 2 and wallace multiplier is worse by a considerable margin. Full adder 2 +array multiplier is best in this sense as well.
Figure 4.3. Test case 3: 2147483647 × 2147483647
In third testcase, shown in figure 4.3, it is very clear that the reductions with fulladder 1 were solved significantly faster than the reduction with full adder 2. The arraymultiplier reductions were also faster than the Wallace tree reductions. This differencewas more significant when full adder 2 was used, where the Wallace tree reduction tookalmost twice as long to solve.
Figure 4.4. Test case 4: 1073676287 × 68718952447
In the final testcase (figure 4.4), the combination of full adder 1 + array multiplieris both the fastest reduction in terms of execution time, as well as the leanest in termsof memory consumption. The two reductions involving Wallace tree multipliers wereaborted after 13 000 seconds of execution time.
13
Chapter 5
Discussion
This report contains two significantly different reductions: the array multiplier and theWallace tree multiplier. We also implemented two full adder algorithms as detailedabove.
Each testcase was a factor of two prime numbers, and the task for the SAT solveris to find these numbers. It should be noted that the different between generated CNFinstances with different test cases are fairly small. Since the instances are essentiallymultiplier circuits with an output, the only differences are the size (which is only affectedby the size of the input factors), and the unit clauses for checking whether the outputis correct. Thus, the size of the CNF instances are a function of the size of the inputfactors.
5.1 Size of reduction instancesIn all cases, the Wallace tree multiplier circuits were very close in size to the arraymultiplier, measured in both the number of clauses and variables. This is expected,since they are both different algorithms for reducing a set of partial products bits to asum, using full adders and half adders.
The full adder design had a major impact on the size of the reduction instances. Re-ductions with full adder 2 generated CNF-SAT instance with about 25% fewer variablesand about 23% fewer clauses. This is also expected, as the array multiplier and Wallacetree reductions use full adders heavily.
5.2 Solving time for reduction instancesIn all the test cases, the array multiplier circuits were solved faster than the correspond-ing Wallace tree multipliers, in several cases a lot faster. We speculate that this could bebecause the circuits yielded by the array multiplier design is has a lot of symmetry, as itis simply a chain of adders for adding the partial products together, whereas the Wallacetree multiplier uses a more complicated tree structure. The difference were often verylarge, in the test case 1073676287× 68718952447, the array multiplier with full adder 1
15
CHAPTER 5. DISCUSSION
was solved in less than 2 minutes. With the Wallace tree multiplier reduction, MiniSathad to be interrupted after more than 3 hours without finding a solution.
Another interesting observation is that simply changing the full adder implementa-tion made a huge difference. In all cases, full adder 2 resulted in a lot smaller circuitsthan full adder 1. The difference in SAT solving time varied a lot. In test case 1, fulladder 2 was faster with both multiplier types. In test case 2, full adder 2 was faster withthe Wallace tree multiplier but slower with the array multiplier, and with the 2 last testcases, full adder 2 seemed to be slower than full adder 1 for all cases. Since the resultsvaried so much, it is difficult to draw any conclusion about which full adder is best forSAT solving. However, it should be noted that small details such as full adder layoutscan affect SAT solving time significantly.
We have not compared the general concept of solving FACT via reduction to SATwith other approaches for solving FACT (such as naive brute-force), but we can stillmake an observation that the runtime of even relatively small semiprimes (such as ourbiggest test case) ran for a considerable amount of time.
5.3 Possible future directions for this studyThis report only studies two fundamentally different FACT-to-CNF-SAT reductions.Future studies of reductions would benefit of implementing more reductions that wedidn’t have the time to study here. For example, reductions could be implementedwith carry-lookahead adders instead of simple ripple-carry adders. Carry-lookaheadadders reduce the carry propagation delay significantly compared to a ripple-carry adder,but also adds a lot of circuit complexity. More multiplier circuit designs could alsobe implemented. All these proposed ideas result in different multiplier circuits, butreductions that are fundamentally different from multiplier circuit reductions shouldalso be studied.
Another area in which this study is lacking is in the number of test cases. A studyof bigger scope would benefit from testing against a bigger set of test cases, to minimizethe impact that the choice of particular primes has on the execution time. One couldalso study whether different classes of primes favour different reductions.
16
Bibliography
[ARS83] L.M. Adleman, R.L. Rivest, and A. Shamir. Cryptographic communicationssystem and method, September 20 1983. US Patent 4,405,829.
[HW98] Satoshi Horie and Osamu Watanabe. Hard instance generation for SAT. CoRR,cs.CC/9809117, 1998.
[Min14] Minisat page. http://minisat.se/, April 2014.
[Par09] Behrooz Parhami. Computer Arithmetic: Algorithms and Hardware Designs.Oxford University Press, Inc., New York, NY, USA, 2nd edition, 2009.
[Sat10] Sat-race 2010. http://baldur.iti.uka.de/sat-race-2010/, July 2010.
[Sat11] Sat competition 2011. http://www.satcompetition.org/2011/, June 2011.
[Sho99] P. W. Shor. Polynomial-Time Algorithms for Prime Factorization and DiscreteLogarithms on a Quantum Computer. SIAM Review, 41:303–332, January 1999.
[Toh] Hardware algorithms for arithmetic modules. http://www.aoki.ecei.tohoku.ac.jp/arith/mg/algorithm.html.
[Tse83] G. S. Tseitin. On the complexity of derivation in propositional calculus. InJ. Siekmann and G. Wrightson, editors, Automation of Reasoning 2: ClassicalPapers on Computational Logic 1967-1970, pages 466–483. Springer, Berlin,Heidelberg, 1983.
17