28

斯科特·亚伦森（Scott Aaronson）今天的博客文章列出了有趣的，复杂的未解决问题/任务。特别引起我注意的是：

建立一个包含3SAT实例的公共库，其中包含尽可能少的变量和子句，如果解决，将产生值得注意的后果。（例如，对RSA分解挑战进行编码的实例。）研究此库上当前最佳的SAT解算器的性能。

这引发了我的问题：将RSA /分解问题减少到SAT的标准技术是什么？速度有多快？是否有这样的标准削减？

只是为了清楚起见，“快速”并不是指多项式时间。我想知道我们是否对缩减的复杂性有更严格的上限。例如，是否存在已知的立方还原？

— 哈克·贝内特
source

26

One approach to encode Factoring (RSA) to SAT is to use multiplicator circuits (Every circuit can be encoded as CNF).

$C$ $2n$ $C=(c_1,c_2,\cdots,c_{2n})_2$ $n$ $A=(a_1,\cdots,a_n)$ $A=(b_1,\cdots,b_n)$ $C=A*B$ .

The most naive encoding can be something like this: We know that

c_{2 n} = a_{n} \land b_{n}

$c_{2n}= a_n \land b_n$

c_{2 n - 1} = (a_{n} \land b_{n - 1}) x o r (a_{n - 1} \land b_{n})

$c_{2n-1}= (a_n\land b_{n-1}) xor (a_{n-1}\land b_n)$

C a r r y : d_{2 n - 1} = (a_{n} \land b_{n - 1}) \land (a_{n - 1} \land b_{n})

$Carry:d_{2n-1}= (a_n\land b_{n-1}) \land (a_{n-1}\land b_n)$

c_{2 n - 2} = (a_{n} \land b_{n - 2}) x o r (a_{n - 1} \land b_{n - 1}) x o r (a_{n - 2} \land b_{n}) x o r d_{2 n - 1}

$c_{2n-2}= (a_n\land b_{n-2}) xor (a_{n-1}\land b_{n-1}) xor (a_{n-2}\land b_{n}) xor d_{2n-1}$ ...

Then using Tseitin transformation, the above encoding can be translated into CNF.

This approach produces a relatively small CNF. But this encoding does not support "Unit Propagation" and so, the performance of SAT Solvers are really bad.

There are other circuit for multiplication which can be used for this purpose, but they produce a larger CNF.

— Amir
source

10

In section 6.1 of "Finding Hard Instances of the Satisfiability problem: A survey", by Cook and Mitchell, they use this problem as a challenge.

— Amir

How do you know that A and B must be n bits length, couldn't it be n - 1 and and n bits. For sure it can be 2n bits and 1 bit.

— Ilya Gazman

1

@Babibu: If we are talking about general factorization, you are right. But for case of RSA, we know that each of the two primes has

n

$n$ bits.

— Amir

I understand you answer but I don't know how to continue it. Can you please show

c_{2 n - 2}

$c_{2n−2}$ .

— Ilya Gazman

What about RSA-129

— Ilya Gazman

18

Extending what @Amir wrote, I came across the following nice web page which hosts a CNF generator for factoring circuits that one could e.g. run on some of the (now inactive) RSA Factoring Challenge numbers. The generated instances are in DIMACS format that can directly be fed to any one of the current competitors in the annual SAT solver competition. Regarding hard SAT instances in general, the benchmark problems given at the SAT competition site appear to be quite useful, also the classification into random/crafted/industrial is nice.

— Martin Schwarz
source

1

That link is very cool!

— Huck Bennett

If you actually try inputting one of those numbers you'll find their source code uses the int datatype and therefore can only hold 32-bit numbers, while the unfactored RSA numbers start at hundreds of bits.

— Elliot Gorokhovsky

11

Here's a paper on generating SAT instances from factoring:

Horie, S. & Watanabe, O. [1997] "Hard instance generation for SAT" Algorithms and Computation 1350:22-31 (pdf)

It's worse than linear, but better than $n^2$ . A 512-bit RSA challenge type number generates an instance with 63,652 variables and 406,860 clauses.

— Lou Scheffer
source

9

ToughSat by Henry Yuen and Joseph Bebel is another tool similar to the one linked by @Martin, which generates CNF formulas that encode instances of factoring and other hard problems.

— Alessandro Cosentino
source

1

Scott blogged about this too: scottaaronson.com/blog/?p=676

— Alessandro Cosentino

0

See satfactor:

Convert Integer Factorization into a boolean SATISFIABILITY problem

Shane Neph

Overview

Determining factors of a large integer number has been of interest to Man since at least Euclid's time. There is no known general algorithm for this problem that scales in less than exponential time with respect to the number of bits needed to represent the integer.

What this code does

Converts an integer factorization problem into a boolean SATISFIABILITY problem. If the problem is solved by a SAT solver, it then extracts the integer factors.

Boolen satisfiability solvers improve every year. Every 2 years, an international competition between solvers takes place (see http://www.satcompetition.org/ and http://www.satlive.org/). How well can these state-of-the-art solvers do against one of the oldest open math problems in existence?

This project has 2 main purposes:
1) Convert the problem and factor an integer of interest!
2) Quickly create either a solvable or an unsolvable SATISFIABILITY problem, whose difficulty is easily controlled by the creater.
- To create an unsolvable SATISFIABILITY problem, simply encode a prime number.
- To create more difficult but solvable problems, choose larger composite numbers with fewer factors.

The number of interest may be any size!

There are some open-source SATISFIABILITY solvers. See http://www.satlive.org/ for some of these.

Build

make -C src/

How-To

Input a number of interest in its binary form:

bin/iencode 10101 > composite.21
// solve with your favorite solver and put results in solution.txt
bin/extract-sat composite.21 solution.txt

The output would be:
00011
00111

which are binary representations for decimal integers 3 and 7, the factors of 21.

If an input integer has more than 2 factors, and the SAT problem is solved, the output will be two of the factors only. These may not be prime numbers (you could test for that easily in Maxima, Maple, or Mathematica).

Not all SAT solvers output results in the same format. You may need to doctor those results slightly. extract-sat requires a solution file containing a list of integers (on any number of lines). For example,

1 -2 3 4 -5 ...

— Geremia
source

1

Can you summarize the techniques used by this software? On this site we are more interested in algorithms and techniques, rather than an advertisement of a software tool. For example, the questions for the complexity of the reduction. I don't see how you've addressed the question; on Stack Exchange sites, you should only answer if you can answer the specific question that was asked. Also, do you have any relationship with the tool or its authors?

— D.W.

从RSA快速还原为SAT

Convert Integer Factorization into a boolean SATISFIABILITY problem

Overview

What this code does

Build

How-To