Attacking RSA moduli with SAT solvers
769846/FULLTEXT01.pdf · 2014-12-09

KTH Computer Science and Communication

Jonatan Asketorp

Degree Project in Computer Science, DD143X
Supervisor (Handledare): Per Austrin
Examiner (Examinator): Örjan Ekeberg

CSC, KTH, 2014-04-29


Abstract

This thesis aimed to explore how sequential boolean satisfiability solvers can be used on the integer factorisation problem. The integer factorisation problem is believed to be hard and modern public key cryptography relies on that; notably SSL/TLS and SSH support the use of RSA. However, it is not proven that integer factorisation is hard, and therefore it is of great importance to explore different attack avenues. The modulus in RSA is a semiprime, i.e. an integer that is the product of two primes. Hence, in this thesis an empirical study of the factorisation of semiprimes with a bit-length of up to 32 bits is carried out. Randomly selected semiprimes are factorised through six different reductions using three different solvers (Glucose, Lingeling and PicoSAT), and the results are compared to those of MSieve, an open-source integer factorisation program. As seen in the comparison, boolean satisfiability solvers cannot be used as a replacement for an integer factorisation solver. Additionally, comparisons between the different reductions and boolean satisfiability solvers show that the combination of solver and reduction greatly affects performance. The implication is that further explorations of the integer factorisation problem with boolean satisfiability solvers can greatly benefit from either avoiding an inadequate solver and reduction pair or from attempting to identify the outliers that signify an inadequate coupling.


Contents

1 Introduction
  1.1 Thesis goals and motivation
  1.2 Limitation of scope
  1.3 Hypothesis

2 Background
  2.1 Integer factorisation
    2.1.1 The fundamental theorem of arithmetic
    2.1.2 Semiprimes and RSA
    2.1.3 Solving integer factorisation
  2.2 Boolean satisfiability problem
    2.2.1 Propositional logic and CNF
    2.2.2 DIMACS format for CNF
  2.3 Reducing FACT to SAT
    2.3.1 Circuits as SAT
    2.3.2 Reductions in this thesis
  2.4 SAT solvers
    2.4.1 Non-chronological backtracking
    2.4.2 Conflict Driven Clause
    2.4.3 Clause deletion
    2.4.4 Restarts
    2.4.5 Conflict Driven Clause Learning
    2.4.6 Simplifiers

3 Method
  3.1 Approach
  3.2 Instance generation
  3.3 Solvers
    3.3.1 Approach
  3.4 Environment
  3.5 Running the experiment
    3.5.1 CPU
    3.5.2 RAM
  3.6 Handling the results
  3.7 Analyzing the results
    3.7.1 Overview
    3.7.2 Moduli

4 Experiment
  4.1 Programs
    4.1.1 Instance generation
    4.1.2 Reductions
    4.1.3 SAT solvers
    4.1.4 Running the experiment
    4.1.5 Verification of the results
    4.1.6 Gathering the results
  4.2 Environment
  4.3 Reproducibility
    4.3.1 Information needed to reproduce this experiment

5 Results
  5.1 Overview
    5.1.1 SAT solvers
    5.1.2 Integer factorisation solver
  5.2 Asymptotic behaviour
    5.2.1 Glucose
    5.2.2 Glucose with simplifier
    5.2.3 Lingeling
    5.2.4 PicoSAT
  5.3 Extras
    5.3.1 CPU time for difficult integer factorisations
    5.3.2 Wallace vs. recursive multiplier
    5.3.3 Wallace and recursive multiplier

6 Discussion
  6.1 Environment
    6.1.1 Uniformity of the computer environment
    6.1.2 Benchmarks
  6.2 The experiment
    6.2.1 Scripts and programs
  6.3 Method
    6.3.1 Selection of SAT solvers
    6.3.2 Problems with circuits as SAT
  6.4 Discussion of the results
    6.4.1 SAT solvers and reductions
    6.4.2 Asymptotic results
    6.4.3 Wallace and recursive reductions
    6.4.4 FACT solvers
    6.4.5 About the CPU measurements
    6.4.6 About the RAM measurements

7 Conclusion
  7.1 Asymptotic behaviour
    7.1.1 SAT solvers
    7.1.2 Reductions
    7.1.3 Conclusions about asymptotic behaviour
  7.2 Comparing SAT solvers with FACT solvers
    7.2.1 Conclusions about SAT solvers
    7.2.2 Conclusions about MSieve
    7.2.3 Conclusion
  7.3 Further research
    7.3.1 Other solvers
    7.3.2 Other reductions or simplifiers
    7.3.3 Finding weak semiprimes

A Hardware
  A.1 Full hardware listing

B Software
  B.1 Libraries and compilers
    B.1.1 GCC
    B.1.2 GMP
    B.1.3 GHC
    B.1.4 Java
    B.1.5 Javac
    B.1.6 Valgrind

C Problems and results

D Source-code


List of Tables

5.1 SAT solvers mean times.
5.2 Variance and standard deviation split by solvers and reductions.
5.3 MSieve mean CPU time and RAM usage.
5.4 Wallace and recursive multipliers comparison.


List of Figures

2.1 AND gate.
2.2 NOT gate.
2.3 OR gate.
2.4 Decision tree chronological backtracker.
5.1 Glucose n-bit carry-save CPU and RAM growth with bit-length
5.2 Glucose n-bit wallace CPU and RAM growth with bit-length
5.3 Glucose n-bit recursive CPU and RAM growth with bit-length
5.4 Glucose fast carry-save CPU and RAM growth with bit-length
5.5 Glucose fast wallace CPU and RAM growth with bit-length
5.6 Glucose fast recursive CPU and RAM growth with bit-length
5.7 Simplified Glucose n-bit carry-save CPU and RAM growth with bit-length
5.8 Simplified Glucose n-bit wallace CPU and RAM growth with bit-length
5.9 Simplified Glucose n-bit recursive CPU and RAM growth with bit-length
5.10 Simplified Glucose fast carry-save CPU and RAM growth with bit-length
5.11 Simplified Glucose fast wallace CPU and RAM growth with bit-length
5.12 Simplified Glucose fast recursive CPU and RAM growth with bit-length
5.13 Lingeling n-bit carry-save CPU and RAM growth with bit-length
5.14 Lingeling n-bit wallace CPU and RAM growth with bit-length
5.15 Lingeling n-bit recursive CPU and RAM growth with bit-length
5.16 Lingeling fast carry-save CPU and RAM growth with bit-length
5.17 Lingeling fast wallace CPU and RAM growth with bit-length
5.18 Lingeling fast recursive CPU and RAM growth with bit-length
5.19 PicoSAT n-bit carry-save CPU and RAM growth with bit-length
5.20 PicoSAT n-bit wallace CPU and RAM growth with bit-length
5.21 PicoSAT n-bit recursive CPU and RAM growth with bit-length
5.22 PicoSAT fast carry-save CPU and RAM growth with bit-length
5.23 PicoSAT fast wallace CPU and RAM growth with bit-length
5.24 PicoSAT fast recursive CPU and RAM growth with bit-length
5.25 All reductions' CPU time for all solvers on instances sorted by time.
5.26 Wallace vs. Recursive lower
5.27 Wallace vs. Recursive higher


Abbreviations

CDC Conflict Driven Clause

CDCL Conflict Driven Clause Learning

CNF Conjunctive Normal Form

FACT Integer Factorisation Problem

GNFS General Number Field Sieve

SAT Boolean Satisfiability Problem


Nomenclature

semiprime A semiprime is a composite number that is the product of two primes.


Chapter 1

Introduction

It's not worth doing something unless someone, somewhere, would much rather you weren't doing it.

Terry Pratchett

The RSA cryptosystem is widely used and relies on the assumption that the Integer Factorisation Problem (FACT) cannot be solved in polynomial time. If FACT could be solved in polynomial time it would create a weakness in commonly used protocols, such as SSL/TLS, SSH and PGP.

FACT is an old mathematical problem and it rests on the fundamental theorem of arithmetic. Outside the realm of quantum computing there is no known method of solving FACT in polynomial time and it is assumed to be hard. However, it has only been a field of active research since the appearance of computers capable of performing large calculations [14].

Herein lies part of the problem. Agents that have an interest in decrypting sensitive information seldom have an interest in revealing weaknesses in the encryption. If they can read their opponents' communication while keeping their own secret they enjoy a huge advantage. For such an agent, revealing an exploitable weakness publicly would be equivalent to throwing away that advantage, since the weakness would quickly be patched or avoided.

This is even more relevant in the wake of the disclosures by Edward Snowden, which among other things cast suspicion on the existence of backdoors [18] in current protocols. This means that there is both a possibility that FACT is not as hard as it is assumed to be and that there might exist intentional backdoors. Therefore there is an interest in attacking FACT from many different directions in search of weaknesses, and in publishing those findings (even if negative).

Modern Boolean Satisfiability Problem (SAT) solvers utilise a "smart" brute force search (more details can be found in section 2.4). This means that SAT solvers can find "smart" solutions to SAT problems. Hence, any problem that can be converted into a SAT problem can be solved in an unexpected manner by a SAT solver.

Circuits used to perform calculations on electronic computers can be converted into SAT problems [1] and solved in that manner. Therefore FACT can be posed as a problem to SAT solvers, and it is very difficult to predict how they will solve the problem, and hence whether they will manage to find and exploit known and unknown weaknesses.

1.1 Thesis goals and motivation

This thesis aims to explore the following goals.

1. The difference in asymptotic behaviour of SAT solvers discovering the prime factors of RSA moduli.

SAT solvers might be able to find easily factored semiprimes that are not yet known to be weak. However, for a SAT solver to be used in this way it is important to know whether there are differences between different reductions and solvers. While this thesis will not attempt to find easily factored semiprimes, the results can hopefully be used in further pursuit of that goal. Additionally, this will provide knowledge of FACT posed as a SAT problem for other purposes.

(a) Are there any differences between different solvers?

(b) Are there any differences between different reductions?

2. Do SAT solvers pose a greater risk than modern FACT solvers?

Several commonly used protocols use encryption based on RSA for sensitive information. Hence, if SAT solvers can solve FACT in such a way that it can be applied to in-use moduli, that weakness would have to be addressed quickly.

1.2 Limitation of scope

Certain limitations were forced by the time available; the noteworthy restrictions are stated below.

1. No in-depth look at solvers.

Instead of delving deep into the advantages of and differences between the solvers, they were picked as described in section 3.3 rather than on the basis of a theoretical advantage on the FACT problem.

• No analysis of solver parameters.

• No analysis of solver heuristics.

• No analysis or usage of the random seed.

2. No in-depth analysis of the different reductions.

While different reductions can be analysed at different levels of abstraction, the question in this thesis is whether the choice of reduction matters at all. Since the performance of a SAT solver is difficult to predict, it would be incorrect to assume in advance that there is a relevant difference between the reductions.

1.3 Hypothesis

Are there differences in the asymptotic behaviour of SAT solvers discovering the prime factors of RSA moduli? The author's expectation was that there would only be minor differences in asymptotic behaviour between the different reductions, and that the major differences would depend on the solvers.

Can SAT solvers be used instead of FACT solvers? The author's expectation was that SAT solvers would not perform as well as FACT solvers. It is not reasonable to suppose that a general solving method can outperform a specific solving method with over 30 years of research behind it.


Chapter 2

Background

Note that this chapter is not intended to give a complete understanding of factorisation algorithms or of SAT solvers.

2.1 Integer factorisation

This section provides an overview of the fundamentals of FACT. For additionaldetails and proofs refer to [14].

2.1.1 The fundamental theorem of arithmetic

Every integer $n > 1$ can be written uniquely as a product of primes

$$n = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_s^{\alpha_s} = \prod_{i=1}^{s} p_i^{\alpha_i},$$

where $p_1 < p_2 < \dots < p_s$ are primes and each $\alpha_i$ is a positive integer.

The proof is not included in this thesis; it can be found in [14]. However, knowing that every positive integer can be decomposed into a product of primes is the very basis of integer factorisation.

2.1.2 Semiprimes and RSA

A semiprime is an integer that is the product of two primes, and semiprimes are one foundation of the RSA cryptosystem: the public modulus n = pq is a semiprime, and the private exponent is derived from φ(n) = (p − 1)(q − 1). Without going into too much detail, if FACT can be solved for the modulus an attacker recovers p and q, can compute φ(n) and hence the private exponent; this is the exploitable weakness in RSA. Therefore it is essential to choose as modulus a semiprime that is difficult to factorise.

2.1.3 Solving integer factorisation

There are several algorithms that solve FACT for integers with special characteristics. One example of such a special characteristic is any even number: by definition an even integer is divisible by two, and if the integer is a semiprime the second factor is easily calculated. However, this thesis will only consider general integer factorisation methods. In this subsection a short summary of two general integer factorisation methods is given.

1. Trial division, which shows why small factors are vulnerable.

2. The General Number Field Sieve, which was used [11] to factor the so far largest factored integer from the RSA challenge [15].

The purpose is to give the reader an understanding that not all integer factorisations are equally hard, and that even the best known method for general factorisation cannot be applied to large integers without the time needed growing beyond practicality.

Trial division

No description of integer factorisation is complete without a mention of trial division, which is also one of the easiest methods to understand. It consists of attempting to find, for a known integer $n$, a divisor $x_i$ such that

$$n \bmod x_i = 0.$$

It is preferable to look for candidates $x_i$ among the smallest primes first and never above $\sqrt{n}$: if $n$ has a nontrivial factor, it has one that is at most $\sqrt{n}$. Trial division is very efficient for small factors and is therefore sometimes used to rule out the possibility of small factors before continuing with other methods. The method can either be used as a brute force search testing each integer, or by testing only primes. When only primes are tested there is a need for either a large list of primes or an efficient means of generating them.
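The trial-division procedure above, together with the RSA consequence from section 2.1.2, as an added example in Python (this is not code from the thesis). The key material is a constructed toy key, not a real one: a 32-bit modulus built from the well-known primes 65521 and 65537 with public exponent 17. The example factors the modulus, derives the private exponent from φ(n), and checks that it undoes encryption.

```python
"""Trial division against a toy RSA modulus, then private-key recovery from the factors."""
from math import gcd, isqrt


def trial_division(n):
    """Smallest prime factor of n (n itself if prime). If n has a nontrivial factor,
    one of them is at most sqrt(n), so only 2 and odd d <= isqrt(n) are tried."""
    if n < 2:
        raise ValueError("n must be at least 2")
    if n % 2 == 0:
        return 2
    d, limit = 3, isqrt(n)
    while d <= limit:
        if n % d == 0:
            return d
        d += 2
    return n


def factor_semiprime(n):
    """(p, q) with p <= q and p * q == n; raises if n is not a product of two primes."""
    p = trial_division(n)
    q = n // p
    if p == n or trial_division(q) != q:
        raise ValueError("n is not a semiprime")
    return p, q


def recover_private_exponent(n, e):
    """Factoring the modulus gives phi(n) = (p-1)(q-1) and hence d = e^-1 mod phi(n)."""
    p, q = factor_semiprime(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)            # modular inverse (Python 3.8+)


# Constructed toy key, not a real one: a 32-bit modulus from two well-known primes.
TOY_P, TOY_Q, TOY_E = 65521, 65537, 17
TOY_N = TOY_P * TOY_Q                 # 4294049777, 32 bits


def demo(m=123456789):
    """Factor the toy modulus, derive d, and check that d undoes encryption of m."""
    d = recover_private_exponent(TOY_N, TOY_E)
    c = pow(m, TOY_E, TOY_N)
    return factor_semiprime(TOY_N), d, pow(c, d, TOY_N) == m
```

The loop bound is the point of the section: for a balanced semiprime of bit-length L the search runs to about 2^(L/2) candidates, which is a few tens of thousands of divisions for the 32-bit moduli studied in this thesis and hopeless for the key sizes used in practice.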

The General Number Field Sieve

Explaining the Number Field Sieve and the General Number Field Sieve (GNFS) is outside the scope of this thesis. Again, the interested reader can find more details in [14]. What is of relevance to this thesis is that the GNFS is currently the most popular algorithm for solving large integer factorisation problems without special properties. It was used [11] in solving the largest of the RSA Challenge [15] integers to date. However, the (heuristic) complexity of GNFS is

$$\exp\!\left(c\,(\ln n)^{1/3}(\ln\ln n)^{2/3}\right),$$

where $c = (64/9)^{1/3} \approx 1.92 < 2$ and $n$ is the integer being factored, so $\ln n$ grows linearly with its bit-length [12]. Hence the running time is sub-exponential in the bit-length but still requires a great deal of computational power for large $n$.

2.2 Boolean satisfiability problem

SAT is a well-known NP-complete problem. This section covers the parts of SAT that are used in this thesis. It is by no means a complete description of the state of the art in SAT or SAT solving, but only the very small subset used here. For more details on the topic refer to [8].


2.2.1 Propositional logic and CNF

Propositional logic

In natural language we can form declarative sentences that are either false or true. The following example is inspired by [8].

1. Martians like pepperoni.

While the existence of Martians is beyond the scope of this thesis, what can be said about this sentence is that it can be given the value true or the value false: either Martians like pepperoni or they do not. This is a short declarative sentence and it is also an atom, since we cannot split it into smaller parts that can likewise be assigned true or false. In propositional logic the atom is a boolean variable, referred to here as a; a literal is an atom or its negation. However, we can add more to the sentence.

1. Martians like pepperoni and they are hungry.

While this is still a declarative sentence it is no longer a single atom. We can however very easily see it as two atoms a and b joined by the logical function AND, in this thesis represented by ∧. Therefore we can now write it as a ∧ b: if Martians like pepperoni and they are hungry the whole sentence evaluates to true, i.e. it is satisfied. But, as everyone knows, Martians are fickle (which might be why it is difficult to find evidence of their existence, and could be a subject of further research), so we can continue:

1. Martians like pepperoni and they are hungry, or it is not Monday.

In this sentence we now have three literals, two positive and one negative (denoted by ¬), the logical function OR (∨) and the logical function AND (∧). Hence we have the formula a ∧ b ∨ ¬c. The sentence is satisfied if Martians like pepperoni and they are hungry, or if it is not Monday. It is unsatisfied only when it is Monday and Martians either do not like pepperoni or are not hungry. By now it is time to mention binding precedence. In propositional logic the following binding priorities are commonly used.

1. ¬ binds first,

2. then ∧,

3. and lastly ∨.

This means that while the previous formula is correct it can also be written as (a ∧ b) ∨ (¬c) to avoid ambiguity. An important point to note is that ¬, ∨ and ∧ form a functionally complete set, i.e. any boolean function can be expressed using only these connectives [1].


CNF

Conjunctive Normal Form (CNF) is written in a specific format. It consists of

1. A literal l that is either an atom or its negation, i.e. l or ¬l.

2. A clause c that is a disjunction of literals, i.e. literals separated by ∨;

for example c can be (l1 ∨ l2 ∨ ¬l3).

3. A formula f that is a conjunction of clauses, i.e. clauses bound by ∧;

for example f can be c1 ∧ c2 where c1 and c2 are clauses like c above.

As it happens, the Martian formula (a ∧ b) ∨ ¬c is not in CNF, which is unfortunate since CNF is what is used in this thesis. However, distributing ∨ over ∧ rewrites it as (a ∨ ¬c) ∧ (b ∨ ¬c), which is in CNF. An important property of CNF is that every formula in propositional logic can be written in CNF; a more detailed description of this can be found in [8]. That means that everything in propositional logic can be written in one standard way. Note, though, that naive distribution can produce exponentially many clauses; introducing a fresh variable for each subformula, as is done for circuits in section 2.3, keeps the size linear at the cost of extra variables.

2.2.2 DIMACS format for CNF

The Center for Discrete Mathematics and Theoretical Computer Science (DIMACS) proposed a standard file format [6] for CNF that is now commonly used. DIMACS actually specifies two formats, CNF and SAT, but in this thesis only CNF was used. In the CNF format a header line "p cnf V C" gives the number of variables V and of clauses C; each following line lists one clause as signed integers, a negative integer denoting a negated variable, terminated by 0; lines starting with "c" are comments. All SAT solvers used in the SAT Competition [3] accept CNF in the DIMACS format as input, which is what makes it possible to easily use different solvers on the same problems.

2.3 Reducing FACT to SAT

2.3.1 Circuits as SAT

This part is based on [1]. Digital circuits use a high and a low voltage to signify the values 1 and 0. These can be seen as equivalent to TRUE and FALSE in propositional logic. One of the reasons that much of the focus of section 2.2 was on AND, OR and NOT is that they are easy to implement electronically as gates.

Gates

A gate takes one or more binary inputs i ∈ {0, 1}. Usually it has one binary output o. Likewise a declarative sentence has one or more literals l with a boolean value, and the sentence evaluates to TRUE or FALSE.


Figure 2.1: AND gate.

The gate shown above can be represented as a ∧ b in CNF.

Figure 2.2: NOT gate.

The gate shown above can be represented as ¬a.

Figure 2.3: OR gate.

The gate shown above can be represented as a ∨ b.

Each of the gates above has one output that is either high or low voltage, 1 or 0. Equivalently the formula evaluates to TRUE or FALSE.

Circuits

The gates described above can be combined into circuits; for example, a half adder consists of one XOR gate and one AND gate. XOR is not one of the three basic connectives, but a ⊕ b can be written as (a ∧ ¬b) ∨ (¬a ∧ b), which in CNF is (a ∨ b) ∧ (¬a ∨ ¬b). Therefore, using a and b as inputs, a half adder computes two outputs:

(a ∨ b) ∧ (¬a ∨ ¬b)

a ∧ b

where the first formula is the sum and the second is the carry. To chain gates into a larger circuit, each gate output is given its own variable, say s for the sum and c for the carry, and clauses are added that force the variable to equal the gate function of its inputs (s ↔ a ⊕ b and c ↔ a ∧ b); a satisfying assignment then corresponds exactly to a consistent set of wire values. This is the Tseitin transformation, and it is what keeps the encoding linear in the size of the circuit. Extending this concept, both the multiplication and the addition used by computers can be translated into CNF.
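The reduction from FACT to SAT end to end, as an added example in Python (this is not code from the thesis, nor from the Purdom and Sabry reductions used in it). Each gate is Tseitin-encoded as described above, a plain array multiplier built from ripple-carry full adders has its 2n output bits fixed to the bits of N, the trivial factorisation 1 · N is excluded, the instance can be written in the DIMACS format of section 2.2.2, and a deliberately minimal DPLL solver (unit propagation plus chronological backtracking, none of the CDCL features of section 2.4) finds the factors. The truth-table gate encoding, the default assumption that the two factors have equal bit-length (as for RSA moduli), and the toy solver are this example's own choices.

```python
"""FACT as SAT: Tseitin-encode a multiplier with output fixed to N, emit DIMACS, solve with DPLL."""
from itertools import product
from operator import and_, or_, xor


class CNF:
    """Clause store; each gate adds a fresh output variable plus its Tseitin clauses."""

    def __init__(self):
        self.nvars, self.clauses = 0, []

    def new_var(self):
        self.nvars += 1
        return self.nvars

    def gate(self, fn, *ins):          # output o; one clause per truth-table row forbids o != fn(row)
        o = self.new_var()
        for bits in product((0, 1), repeat=len(ins)):
            self.clauses.append([-x if b else x for x, b in zip(ins, bits)] + [o if fn(*bits) else -o])
        return o

    def full_adder(self, a, b, cin):   # returns (sum, carry out)
        t = self.gate(xor, a, b)
        return self.gate(xor, t, cin), self.gate(or_, self.gate(and_, a, b), self.gate(and_, t, cin))

    def multiplier(self, p, q):
        """Array multiplier: ripple-add the shifted rows (p_i AND q_j) in turn; 2n output bits, LSB first."""
        n, width = len(p), 2 * len(p)
        zero = self.new_var(); self.clauses.append([-zero])     # constant-false wire
        acc = [zero] * width
        for j, qj in enumerate(q):
            row = [zero] * j + [self.gate(and_, pi, qj) for pi in p] + [zero] * (n - j)
            carry, out = zero, []
            for k in range(width):
                s, carry = self.full_adder(acc[k], row[k], carry)
                out.append(s)
            acc = out
        return acc

def to_dimacs(cnf):
    """DIMACS CNF text: 'p cnf <vars> <clauses>' header, then each clause terminated by 0."""
    header = "p cnf %d %d" % (cnf.nvars, len(cnf.clauses))
    return "\n".join([header] + [" ".join(map(str, cl)) + " 0" for cl in cnf.clauses]) + "\n"

def build_instance(N, nbits):
    """CNF satisfiable iff N = p * q for nbits-bit factors p, q > 1. Returns (cnf, p, q)."""
    assert nbits >= 2 and N.bit_length() <= 2 * nbits, "nbits too small for N"
    cnf = CNF()
    p = [cnf.new_var() for _ in range(nbits)]        # lowest variable numbers: decided first by solve()
    q = [cnf.new_var() for _ in range(nbits)]
    for k, bit in enumerate(cnf.multiplier(p, q)):    # product must equal N bit by bit
        cnf.clauses.append([bit if (N >> k) & 1 else -bit])
    cnf.clauses += [p[1:], q[1:]]                     # exclude the trivial factor 1
    if N % 2:                                         # an odd N has only odd factors
        cnf.clauses += [[p[0]], [q[0]]]
    return cnf, p, q

def solve(nvars, clauses):
    """Minimal DPLL: unit propagation via occurrence lists, trail-based backtracking. Model or None."""
    occ = [[] for _ in range(nvars + 1)]
    for idx, cl in enumerate(clauses):
        for lit in cl: occ[abs(lit)].append(idx)
    val, trail = [None] * (nvars + 1), []

    def propagate(queue):                             # re-examine only clauses of newly set vars
        while queue:
            for idx in occ[queue.pop()]:
                if any(val[abs(l)] == (l > 0) for l in clauses[idx]):
                    continue                          # clause already satisfied
                free = [l for l in clauses[idx] if val[abs(l)] is None]
                if not free:
                    return False                      # clause falsified: conflict
                if len(free) == 1:                    # unit clause: its literal is forced
                    val[abs(free[0])] = free[0] > 0
                    trail.append(abs(free[0])); queue.append(abs(free[0]))
        return True

    def search(queue):
        if not propagate(queue):
            return False
        v = next((i for i in range(1, nvars + 1) if val[i] is None), None)
        if v is None:
            return True                               # all variables assigned: model found
        for value in (True, False):
            mark = len(trail)
            val[v] = value; trail.append(v)
            if search([v]):
                return True
            while len(trail) > mark:                  # backtrack past this decision
                val[trail.pop()] = None
        return False

    return val if search(list(range(1, nvars + 1))) else None

def factor_via_sat(N, nbits=None):
    """Sorted (p, q) with p * q == N, or None. Default nbits assumes balanced factors as in RSA."""
    cnf, p, q = build_instance(N, nbits or (N.bit_length() + 1) // 2)
    model = solve(cnf.nvars, cnf.clauses)
    if model is None:
        return None
    return tuple(sorted(sum(1 << i for i, v in enumerate(bits) if model[v]) for bits in (p, q)))
```

Running `factor_via_sat(143)` gives (11, 13). The toy solver is only meant to make the reduction tangible: because the factor bits get the lowest variable numbers, its search amounts to a trial multiplication in which unit propagation reports a mismatch in the low product bits as soon as a low factor bit is wrong, and it becomes impractical well before the 32-bit moduli studied here. For those one writes `to_dimacs(cnf)` to a file and hands it to Glucose, Lingeling or PicoSAT.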

2.3.2 Reductions in this thesis

The reductions used in this thesis are implemented by Paul Purdom and Amr Sabry [13]. This section will only list the names of the reductions and the type of circuit; for additional information about the methods and implementations please refer to [13].

The goal of this thesis is to find out whether the different reductions make a difference to the SAT solver. Therefore the characteristics of the different adders and multipliers are not discussed.

The adders, using the same naming scheme as Purdom and Sabry [13]:

• N-bit

• Fast

The multipliers, with the same naming scheme:

• Carry-save

• Wallace

• Recursive

2.4 SAT solvers

This section describes some of the techniques commonly used in modern SAT solvers. Together these techniques form the foundation of Conflict Driven Clause Learning (CDCL). For additional details refer to [4].

2.4.1 Non-chronological backtracking

Modern SAT solvers use non-chronological backtracking to speed up the backtracking procedure once a conflict is reached. A conflict happens when the decisions taken cause some clause to become FALSE. In a normal (chronological) backtracking procedure the algorithm would back up one step in the decision tree and assign that literal a different value. However, the decision that actually causes the conflict might have been made much earlier in the decision tree, i.e. the values of the literals between the current decision level and the level of the literal that caused the conflict do not matter for the conflict. Instead of trying different values for all of those literals, a modern SAT solver analyses the cause of the conflict and backtracks directly to the decision level of the literal that caused it.


Figure 2.4: Decision tree showing all steps taken by a chronological backtrackerbefore trying A=TRUE.

2.4.2 Conflict Driven Clause

One of the implications of non-chronological backtracking is that if the solver had known about the conflict in advance, it would never have tried the assignment that caused it. A modern SAT solver therefore creates a new clause that represents the conflict, e.g. (¬a ∨ ¬b), which means that if a is true then b has to be false to avoid the conflict. This prevents the SAT solver from making the same mistake later on.

2.4.3 Clause deletion

As a direct consequence of the use of Conflict Driven Clauses (CDCs) there is the very real possibility of additional complexity, i.e. that the new clauses will use too much memory. Thus the occasional deletion of these clauses is necessary. The heuristics for clause deletion vary between solvers and problems.

2.4.4 Restarts

Restarts are used in an attempt to find more promising decision trees. CDCs are not discarded upon a restart but are used to make better decisions. Heuristics for when to restart and how to start on a new decision tree vary.

2.4.5 Conflict Driven Clause Learning

CDCL SAT solvers implement some of these features, which makes it difficult to predict the behaviour of a specific SAT solver.


2.4.6 Simplifiers

Without going into details, it is important to note that most SAT solvers use preprocessing that attempts to simplify the SAT problem before attempting to solve it.


Chapter 3

Method

3.1 Approach

All the goals of this thesis aimed to explore how difficult it is for a SAT solver to solve the integer factorisation problem for a semiprime. Hence the question that needs to be answered is whether it is possible to use this approach on increasingly large semiprimes.

As described in section 2.4 it is difficult to predict how a SAT solver will solve a problem. Therefore an empirical approach was applied. As a consequence it is also difficult to predict what the limiting factors will be, i.e. how much CPU time and memory will be necessary to solve a given instance.

The limiting factors were considered to be CPU time and RAM usage. While hard drive storage can be used instead of RAM, it was assumed to have such a drawback on CPU time that a solution using the hard drive is no longer interesting. Hence the measured variables in this thesis are CPU time and RAM usage.

3.2 Instance generation

As previously mentioned in section 2.4 it is difficult to estimate how difficult a SAT problem is. While there are known weak semiprimes, it is not known how a SAT solver will behave while solving them. The semiprimes used are therefore picked at random within a range deemed appropriate after preliminary experiments. The number of semiprimes and their bit length were chosen so that the approximated runtime would fit within the time of this thesis. A bit length for a semiprime was randomly selected within the range and then two primes were generated whose product would match that bit length. This procedure was repeated until the selected number of semiprimes was reached.


3.3 Solvers

3.3.1 Approach

The SAT Competition [16] provides a ranking of modern SAT solvers. The solvers were picked among the sequential SAT solvers that have consistently performed well, and their derivatives. The number selected was such that it would take a reasonable time to compile and run them in the test environment.

3.4 Environment

Problems can easily occur, and the results of programs running in different environments can be unreliable. Therefore the environment was chosen to be similar to the one used in the SAT Competition [16]. Since all of the SAT solvers had successfully participated in that environment it was an obvious choice. Additionally, since all solvers are sequential they will only use one thread, which allows the experiment to run in a multi-processor environment with as little disturbance as possible.

3.5 Running the experiment

The experiment was made up of two different runs: one measuring CPU time using the *nix time command and one measuring heap and stack usage with Valgrind's Massif tool.

3.5.1 CPU

The choice of time as measurement tool is based on it being unobtrusive and good enough for a wall time measurement. As long as the experiment does not get disturbed it will deliver a result that is accurate enough for the purposes of this thesis. Some drawbacks of time are that it cannot measure intervals smaller than one millisecond and that at short intervals any disturbance can greatly affect the results.

3.5.2 RAM

There are several different ways of measuring the RAM usage of a process, and the most common ones use snapshots. However, setting up a non-obtrusive system that takes snapshots at the correct moments is not trivial and can be inaccurate. Since preliminary tests showed that several of the instances would be solved in a very short time, those instances would have had to be excluded from the results. Instead Valgrind's Massif was used. Valgrind's Massif tool allows detailed measurement of the heap and the stack, with the unfortunate drawback that it takes a very long time to run. Additionally, with default settings Valgrind's Massif only measures peak usage with an accuracy of 1%.


3.6 Handling the results

The results of the runs were all stored in their full form, retaining as much data as possible, before being preprocessed into a form usable for the results section.

3.7 Analyzing the results

This section describes the analyses performed and the motivation for them. Due to outliers and a small number of iterations the mean is estimated by the median.

3.7.1 Overview

The total time of an experiment is the time measured for factorising all semiprimes. Due to time limitations the experiments were only run a few times and the mean was estimated by the median. The total time is reported with mean, variance and standard deviation, split by reductions and solvers.

3.7.2 Moduli

The mean time to solve a modulus is estimated by the median. This is due to the few instances and the fact that preliminary runs showed outliers, so the median has to be used to get as robust a result as possible. The per-modulus data is used to create the graphs.


Chapter 4

Experiment

This chapter gives an in-depth description of how the experiment was performed. Information about the source code can be found in Appendix D. First the programs used are described in detail in section 4.1. The reason they are described in detail is that some of the implementations introduce a bias in the results. Further analysis of this is done in chapter 6. Afterwards the variables relevant to the experiment are described.

4.1 Programs

This section gives an overview of the programs and scripts used, motivates their usage and highlights potential problems with them.

4.1.1 Instance generation

The generator was written in Java. The reason is the author's familiarity with the language and the convenient methods of the BigInteger class.

The program accepts a range in which to generate semiprimes and how many such semiprimes should be generated within that range. The generator uses the bit-length nbit of the semiprime to select the bit-length of the primes by setting pbit to a random integer between 2 and nbit − 2. Then the second prime's bit-length qbit is set to nbit − pbit. The static method probablePrime of BigInteger is then used to generate two likely primes p and q with bit-lengths pbit and qbit. Afterwards the semiprime n is set to p ∗ q. Then n is checked to verify that its bit-length is still nbit, and if it is not, two new primes are generated in the same manner.

The probability that probablePrime returns a composite number is less than 2^−100. The semiprimes, together with the seed used to generate them, are printed to standard output.

Details about the source code for the instance generator can be found in Appendix D; the javac and java versions can be found in Appendix B.
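The generation procedure described above, re-implemented in Python as an added illustration (this is not the thesis's Java generator): pbit is drawn uniformly from 2 to nbit − 2, qbit = nbit − pbit, two probable primes of those bit-lengths are generated, and the pair is rejected and regenerated when the product is not exactly nbit bits. The Miller-Rabin test and the seeded random.Random are this example's assumptions in place of BigInteger.probablePrime.

```python
import random

# Added example, not the thesis's generator. These bases make Miller-Rabin
# deterministic for n < 3.3e24, far beyond the 32-bit moduli studied here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin primality test; exact for every n below 3.3e24."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2^r with d odd
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness: n is composite
    return True


def probable_prime(bits, rng):
    """Random prime of exactly `bits` bits (stand-in for BigInteger.probablePrime)."""
    if bits < 2:
        raise ValueError("a prime needs at least 2 bits")
    if bits == 2:
        return rng.choice((2, 3))     # the only 2-bit primes
    while True:
        # Force the top bit (exact bit-length) and the low bit (odd candidate).
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_semiprime(nbit, rng):
    """Return (n, p, q) with n = p * q having exactly nbit bits."""
    if nbit < 4:
        raise ValueError("nbit must be at least 4 so that pbit and qbit are >= 2")
    while True:
        pbit = rng.randint(2, nbit - 2)   # as in the thesis: 2 .. nbit - 2
        qbit = nbit - pbit
        p = probable_prime(pbit, rng)
        q = probable_prime(qbit, rng)
        n = p * q
        # A pbit-bit times a qbit-bit number has nbit or nbit - 1 bits;
        # the thesis discards the short case and draws two new primes.
        if n.bit_length() == nbit:
            return n, p, q


def generate_instances(low_bits, high_bits, count, seed):
    """Seeded batch: each modulus bit-length is drawn uniformly in [low_bits, high_bits]."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        nbit = rng.randint(low_bits, high_bits)
        out.append(generate_semiprime(nbit, rng))
    return out


if __name__ == "__main__":
    seed = 2014   # constructed seed value for the demonstration
    for n, p, q in generate_instances(16, 32, 5, seed):
        # Same information the thesis's generator prints: semiprime and seed.
        print(f"{n} ({n.bit_length()} bits) = {p} * {q}  seed={seed}")
```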


4.1.2 Reductions

The reductions mentioned in section 2.3 were created by Paul Purdom and Amr Sabry in Haskell. The GHC version can be found in Appendix B.

4.1.3 SAT solvers

The SAT solvers used were

• Glucose version 3.0,

• Lingeling version ats1,

• and PicoSAT version 959.

Glucose and Lingeling were picked because they, or their derivatives, have continuously performed well in SAT competitions [16]. Lingeling has its origin in the C API of PicoSAT [10], which is why PicoSAT was included. Glucose is based on MiniSAT 2.2 [2], and MiniSAT was included in the preliminary runs, but due to issues with a library and limited time it had to be excluded. Preliminary plans included CryptoMiniSat, which has specific support for xor [17], and portfolio-based solvers, but unfortunately time restrictions excluded those.

Information about the compiler and external libraries can be found in Appendix B.

4.1.4 Running the experiment

The experiments were run using bash scripts that can be found in Appendix D. The scripts used find and xargs to locate and run the generated instances. For the CPU measurements, time was used; the output from time and from the SAT solver was piped into different files. For the RAM measurements, Valgrind's Massif tool was used with the additional argument to write its output to a file. The SAT solver's output was written to a separate file and Valgrind's normal output was piped to /dev/null.

4.1.5 Verification of the results

The results were verified using a Java program found in Appendix D. The program locates all the result files and reads information about the variables from the CNF instances generated by Purdom's and Sabry's reductions. Then it puts the values of the variables found in the solved instances into BigIntegers, multiplies them and verifies that the product is the correct modulus.

4.1.6 Gathering the results

The data aggregator was written in Java. Its only purpose was looking up, sorting and printing the output of the experiment. Since a program of that character is trivial there will be no further description of it here, but the source code can be found in Appendix D.


4.2 Environment

The experiment was run on a newly installed Scientific Linux version 6.5. Updates were made to install Java 1.7.

4.3 Reproducibility

This section contains information on how to reproduce the experiment, verify the data or attempt to extend it to other hardware platforms.

4.3.1 Information needed to reproduce this experiment

Appendix C contains the additional information, apart from the source code, needed to reproduce this experiment. Note that the random seed is also included in the data that was generated by the experiment.

Data from this thesis

Information about where to get the data produced by this thesis can be found in Appendix C.


Chapter 5

Results

This chapter consists of the results from

• 7,000 moduli

• 6 SAT CPU runs

• 3 SAT RAM runs

• 60 MSieve CPU and RAM runs

Additionally, all solvers managed to solve all moduli and no time limits were enforced. More details about the data related to the problems and results can be found in Appendix C.

5.1 Overview

This section contains information about the time measurements over all FACT problems, i.e. all unique integer factorisations. Points of interest:

• Glucose without simplifier is the slowest overall, but with simplifier it is the fastest.

• Simplified Glucose and PicoSAT are close overall, but PicoSAT performs most evenly across the different reductions; this can also be observed in Figure 5.25.

• Lingeling has the fastest time on any single reduction, but among the solvers with preprocessor it is the overall slowest.


5.1.1 SAT solvers

Mean

Adder  Multiplier  Glucose     Simp Glucose  Lingeling   PicoSAT
n-bit  carry-save   9,656,533   3,946,558    3,592,700   6,447,962
n-bit  wallace     12,382,913   4,231,211    7,929,092   6,317,287
n-bit  recursive    9,741,008   5,453,399    8,949,923   5,928,991
fast   carry-save   9,831,290   7,967,769    5,440,898   6,588,437
fast   wallace     13,366,797  10,149,403    9,106,613   6,863,625
fast   recursive   10,607,812   8,386,022   25,499,315   8,444,359
all    all         65,586,536  40,135,829   60,515,541  40,591,495

Table 5.1: Solvers' total mean time in msec, split by reduction; the mean is estimated by the median.

Variance and standard deviation

In Table 5.2 s is used for standard deviation and s² for variance. Note the standard deviation of Lingeling on the fast recursive reduction. Also note, as previously mentioned, the stable overall performance of PicoSAT.


                    Glucose                  Simp Glucose             Lingeling                PicoSAT
Adder  Multiplier   s²             s         s²             s         s²              s        s²             s
N-bit  Carry-save   191,913,275    13,853    226,819,376    15,061    212,438,688     14,575   129,481,732    11,379
N-bit  Wallace      268,123,843    16,374    227,867,386    15,095    193,426,677     13,908   142,579,170    11,941
N-bit  Recursive    238,094,217    15,430    237,556,563    15,413    184,102,718     13,568   176,726,368    13,294
Fast   Carry-save   230,960,288    15,197    264,239,906    16,255    221,345,366     14,878   128,921,959    11,354
Fast   Wallace      367,166,835    19,162    286,166,742    16,916    205,521,748     14,336   178,834,477    13,373
Fast   Recursive    318,517,339    17,847    356,402,511    18,879    1,759,502,930   41,946   326,279,686    18,063
All                 9,470,773,001  97,318    9,471,155,550  97,320    10,806,004,766  103,952  6,201,047,293  78,747

Table 5.2: Variance and standard deviation split by solvers and reductions.


5.1.2 Integer factorisation solver

More will be said about MSieve in subsection 6.4.4. However, as presented in this table, the RAM usage of MSieve did not vary during the integer factorisations.

Type of result   Result
Mean CPU time    11,034 msec
RAM usage        69,160 bytes

Table 5.3: MSieve mean CPU time and RAM usage.

5.2 Asymptotic behaviour

This section is meant to visualise the increase in solving time and memory usage as bit-lengths increase, for all solvers and all reductions.

5.2.1 Glucose

[Figure 5.1: Glucose n-bit carry-save CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 16,000) and highest RAM in bytes (axis 4e+06 to 1.3e+07), each against modulus bit-length 16 to 32.]

[Figure 5.2: Glucose n-bit wallace CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 25,000) and highest RAM in bytes (axis 4e+06 to 1.6e+07), each against modulus bit-length 16 to 32.]


[Figure 5.3: Glucose n-bit recursive CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 25,000) and highest RAM in bytes (axis 4e+06 to 1.6e+07), each against modulus bit-length 16 to 32.]

[Figure 5.4: Glucose fast carry-save CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 18,000) and highest RAM in bytes (axis 4e+06 to 1.1e+07), each against modulus bit-length 16 to 32.]

[Figure 5.5: Glucose fast wallace CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 25,000) and highest RAM in bytes (axis 4e+06 to 1.6e+07), each against modulus bit-length 16 to 32.]


[Figure 5.6: Glucose fast recursive CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 25,000) and highest RAM in bytes (axis 4e+06 to 2e+07), each against modulus bit-length 16 to 32.]

5.2.2 Glucose with simplifier

[Figure 5.7: Simplified Glucose n-bit carry-save CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 8,000) and highest RAM in bytes (axis 4e+06 to 1.1e+07), each against modulus bit-length 16 to 32.]

[Figure 5.8: Simplified Glucose n-bit wallace CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 9,000) and highest RAM in bytes (axis 4e+06 to 1.4e+07), each against modulus bit-length 16 to 32.]


[Figure 5.9: Simplified Glucose n-bit recursive CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 12,000) and highest RAM in bytes (axis 4e+06 to 1.6e+07), each against modulus bit-length 16 to 32.]

[Figure 5.10: Simplified Glucose fast carry-save CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 14,000) and highest RAM in bytes (axis 4e+06 to 1.3e+07), each against modulus bit-length 16 to 32.]

[Figure 5.11: Simplified Glucose fast wallace CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 25,000) and highest RAM in bytes (axis 4e+06 to 2.4e+07), each against modulus bit-length 16 to 32.]


[Figure 5.12: Simplified Glucose fast recursive CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 20,000) and highest RAM in bytes (axis 4e+06 to 2e+07), each against modulus bit-length 16 to 32.]

5.2.3 Lingeling

Note that the integer 1,648,615,609 is an outlier and has been removed. Its mean CPU time is 1,132,240 milliseconds and its RAM usage is 59,403,792 bytes.

[Figure 5.13: Lingeling n-bit carry-save CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 6,000) and highest RAM in bytes (axis 0 to 5e+06), each against modulus bit-length 16 to 32.]

[Figure 5.14: Lingeling n-bit wallace CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 12,000) and highest RAM in bytes (axis 0 to 7e+06), each against modulus bit-length 16 to 32.]


[Figure 5.15: Lingeling n-bit recursive CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 50,000) and highest RAM in bytes (axis 0 to 1.6e+07), each against modulus bit-length 16 to 32.]

[Figure 5.16: Lingeling fast carry-save CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 8,000) and highest RAM in bytes (axis 500,000 to 5.5e+06), each against modulus bit-length 16 to 32.]

[Figure 5.17: Lingeling fast wallace CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 12,000) and highest RAM in bytes (axis 0 to 7e+06), each against modulus bit-length 16 to 32.]


[Figure 5.18: Lingeling fast recursive CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 600,000) and highest RAM in bytes (axis 0 to 4.5e+07), each against modulus bit-length 16 to 32.]

5.2.4 PicoSAT

[Figure 5.19: PicoSAT n-bit carry-save CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 14,000) and highest RAM in bytes (axis 0 to 3.5e+06), each against modulus bit-length 16 to 32.]

[Figure 5.20: PicoSAT n-bit wallace CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 18,000) and highest RAM in bytes (axis 0 to 5.5e+06), each against modulus bit-length 16 to 32.]


[Figure 5.21: PicoSAT n-bit recursive CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 18,000) and highest RAM in bytes (axis 0 to 5.5e+06), each against modulus bit-length 16 to 32.]

[Figure 5.22: PicoSAT fast carry-save CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 14,000) and highest RAM in bytes (axis 0 to 3.5e+06), each against modulus bit-length 16 to 32.]

[Figure 5.23: PicoSAT fast wallace CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 30,000) and highest RAM in bytes (axis 0 to 7e+06), each against modulus bit-length 16 to 32.]


[Figure 5.24: PicoSAT fast recursive CPU and RAM growth with bit-length. Panels: median time in msec (axis 0 to 30,000) and highest RAM in bytes (axis 0 to 8e+06), each against modulus bit-length 16 to 32.]

5.3 Extras

This section contains the results that were not encompassed by the previous sections.

5.3.1 CPU time for difficult integer factorisations

The data in these graphs are sorted by time, i.e. by the difficulty of the FACT instance with the named reductions and solver.

[Figure 5.25: All reductions' CPU time for all solvers on instances sorted by time. Four panels (Glucose, Simplified Glucose, Lingeling, PicoSAT), each plotting median msec (axis 0 to 14,000) against instance index 6000 to 7000, with one series per reduction: n-bit carry-save, n-bit wallace, n-bit recursive, fast carry-save, fast wallace, fast recursive.]


5.3.2 Wallace vs. recursive multiplier

Adder  Multiplier  Glucose     Simp Glucose  Lingeling   PicoSAT
n-bit  wallace     12,382,913   4,231,211    7,929,092   6,317,287
n-bit  recursive    9,741,008   5,453,399    8,949,923   5,928,991
fast   wallace     13,366,797  10,149,403    9,106,613   6,863,625
fast   recursive   10,607,812   8,386,022   25,499,315   8,444,359

Table 5.4: Wallace and recursive multipliers comparison.

5.3.3 Wallace and recursive multiplier

Here the previously mentioned 20 bit bound on the recursive multiplier is shown. If an integer is less than 20 bits the wallace multiplier should be used. Note that the bound is hard coded. The graphs in this part are only there to illustrate that this does happen. Figure 5.26 shows that the wallace multiplier is used instead of the recursive multiplier for integers ≤ 20 bits.

[Figure 5.26: The different solvers demonstrating that it is the wallace multiplier that is used when the bit-length is less than 20. Four panels for moduli ≤ 20 bit, each plotting time in msec against instances solved (0 to 3000), with series n-bit wallace, n-bit recursive, fast wallace and fast recursive: Glucose (axis 0 to 140), Simplified Glucose (axis 0 to 140), Lingeling (axis 0 to 700), PicoSAT (axis 0 to 80).]

For integers ≥ 20 bits the difference can be seen in Figure 5.27. As the recursive multiplier is used instead of the wallace multiplier, the solution time differs.


[Figure 5.27: four panels (Glucose ≥ 20 bit, Simplified Glucose ≥ 20 bit, Lingeling ≥ 20 bit, PicoSAT ≥ 20 bit); x-axis: Instances solved (0 to 4500), y-axis: Time msec; series: n-bit wallace, n-bit recursive, fast wallace, fast recursive.]

Figure 5.27: The different solvers demonstrating that there is a difference between the wallace multiplier and the recursive multiplier with integers above 20 bits.


Chapter 6

Discussion

While designing the experiment inspiration was taken from How not to do it [7] and the checklist used in A critical review of comparisons of mathematical programming algorithms [9].

6.1 Environment

Efforts were made to keep the environment as stable as possible in order to produce results that are as reliable as possible. The computer was not used for any other purpose than this experiment. The operating system was installed with the sole purpose of running and collecting data on this experiment, meaning that no unnecessary software was installed. The machine was not used while running experiments and the computer had no internet connectivity.

6.1.1 Uniformity of the computer environment

The purpose of attempting to keep a uniform computer environment is to make the measurements reliable. Since no attempts were made to remove temporary files or purge the memory in this experiment, the accuracy of the experiments can be questioned. Hence critique of this kind needs to be addressed.

The CPU should be stable throughout the experiment since it was run on a 6-core environment and sequential solvers only use one thread. If the operating system performed system maintenance of some sort while the experiment was running there should have been plenty of CPU available without impacting the experiment. As for processes created by the bash script, they should have a negligible impact on the overall experiment.

While designing the experiment it was assumed that if the SAT solver requires more RAM than available the operating system will start swapping and this should show up in the resulting graphs. However, preliminary results showed that it was unlikely that any modulus would require more than 100 MB out of approximately 15 GB available for the experiment.


6.1.2 Benchmarks

Benchmarks are run on the test environment to show how the SAT solvers perform on the specific system. Benchmarks were picked from the SAT Competition [16]. Unfortunately they turned out to be very hard and the SAT solvers never solved the first instance, and therefore no benchmark results are available from the test environment. This means that it is difficult to reliably extend results from this thesis to other platforms.

6.2 The experiment

6.2.1 Scripts and programs

Instances should be solved in random order, which was not the case. Therefore results emerging from the non-uniformity of the environment might be hidden within the experiment.

The initial number of instances was set to 10 000, with the possibility that the same moduli would overwrite each other within the same run. I.e. it would have been impossible for the modulus 9 to exist more than 100 times in the same run. As seen in chapter 5 there were only 7 000 unique semiprimes.

6.3 Method

6.3.1 Selection of SAT solvers

The purpose of the method for selecting SAT solvers was to get consistently well performing SAT solvers. However, one possible side effect is that these solvers are to some extent aimed at specific categories within the SAT Competition [16], e.g. the solvers might have heuristics that are detrimental when attempting to solve FACT. However, any attempt at analysing which specific SAT solver heuristics are suitable for FACT solving lies outside the scope of this thesis.

6.3.2 Problems with circuits as SAT

While it is always possible to translate a circuit into CNF there are different ways of doing it. There are studies of CNF generation aimed at improving the speed at which SAT solvers solve the generated CNF [5]. A further extension of this thesis could study the relation between SAT preprocessing and improved CNF generation for the same circuits.
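As an added example (not the thesis's own code or any of its six reductions) of one way to translate a multiplier circuit into CNF, the Python below builds an n-bit by n-bit array multiplier from AND/XOR/OR gates, Tseitin-encodes every gate and pins the product bits to the modulus, so that a model of the CNF is a factorisation; a small simulator then checks that a correct factor pair satisfies every clause while a wrong pair does not. The gate structure, variable numbering and function names are my own assumptions.

```python
# Added example, not the thesis's own code or reductions: a FACT-to-SAT
# reduction of the kind the thesis studies. An n-bit x n-bit array multiplier
# built from AND/XOR/OR gates is Tseitin-encoded and its product bits are
# pinned to the modulus, so the CNF has a model iff p * q == modulus.
# Gate structure, variable numbering and function names are my own choices.

class Cnf:
    def __init__(self):
        self.nvars, self.clauses, self.gates = 0, [], []
        self.zero = self.new()             # constant-0 wire
        self.clauses.append([-self.zero])

    def new(self):
        self.nvars += 1
        return self.nvars

    def gate(self, kind, a, b):          # Tseitin clauses for c <-> kind(a, b)
        c = self.new()
        if kind == "and":
            self.clauses += [[-c, a], [-c, b], [c, -a, -b]]
        elif kind == "or":
            self.clauses += [[c, -a], [c, -b], [-c, a, b]]
        else:  # xor
            self.clauses += [[-c, a, b], [-c, -a, -b], [c, -a, b], [c, a, -b]]
        self.gates.append((kind, a, b, c))
        return c

    def full_adder(self, a, b, cin):
        s1 = self.gate("xor", a, b)
        cout = self.gate("or", self.gate("and", a, b), self.gate("and", s1, cin))
        return self.gate("xor", s1, cin), cout

def multiplier_cnf(n, modulus):
    """(cnf, p_bits, q_bits) for n-bit unknowns p, q; needs modulus < 2**(2n)."""
    cnf = Cnf()
    p = [cnf.new() for _ in range(n)]      # LSB first
    q = [cnf.new() for _ in range(n)]
    acc = [cnf.zero] * (2 * n)             # running sum of partial products
    for j in range(n):                     # one ripple-carry row per q bit
        carry = cnf.zero
        for i in range(n):
            pp = cnf.gate("and", p[i], q[j])
            acc[i + j], carry = cnf.full_adder(acc[i + j], pp, carry)
        acc[j + n] = carry
    for k in range(2 * n):                 # unit clauses pin the product
        cnf.clauses.append([acc[k]] if (modulus >> k) & 1 else [-acc[k]])
    return cnf, p, q

def simulate(cnf, p, q, pv, qv):
    """Drive factors pv, qv through the gates; True iff every clause holds."""
    val = {cnf.zero: False}
    for bits, value in ((p, pv), (q, qv)):
        for i, v in enumerate(bits):
            val[v] = bool((value >> i) & 1)
    ops = {"and": lambda x, y: x and y, "or": lambda x, y: x or y,
           "xor": lambda x, y: x != y}
    for kind, a, b, c in cnf.gates:
        val[c] = ops[kind](val[a], val[b])
    lit = lambda l: val[abs(l)] if l > 0 else not val[abs(l)]
    return all(any(lit(l) for l in cl) for cl in cnf.clauses)
```

The clause lists are already in DIMACS literal form, so writing them out with a "p cnf" header gives a file any of the thesis's solvers can read; a different adder tree (wallace, carry-save) changes only the gate wiring, not the encoding of each gate.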


6.4 Discussions of the results

6.4.1 SAT solvers and reductions

Overall

Table 5.1 shows an interesting picture when it comes to results. To start with, Glucose is the slowest overall solver while not using a simplifier and the fastest overall while using a simplifier. All the solvers that use simplifiers have overall results that are close to 40,000,000 milliseconds, excluding the fast recursive reduction for Lingeling which is discussed further in section 6.4.2. However, Lingeling's performance with the n-bit carry-save reduction and simplified Glucose's performance with both n-bit carry-save and n-bit wallace is outstanding. PicoSAT performs well compared to the other solvers overall but only has the best overall time for the fast wallace reduction.

6.4.2 Asymptotic results

This section highlights and draws conclusions from section 5.2. Note that the graphs only show bit lengths ≥ 16.

Outliers in Lingeling on reductions using recursive multiplier

That Lingeling is prone to outliers with the recursive multipliers is easy to see in Figure 5.15 and Figure 5.18. However, the reason they exist requires a theoretical analysis and lies outside the scope of this thesis. It is worth noting that no other solver and reduction coupling suffers from as many outliers. Even with outliers the n-bit recursive reduction performs well in overall CPU time, and the performance excluding the fast recursive reduction would place Lingeling close to the other solvers that use simplifiers in Table 5.1. As seen in Table 5.2 the standard deviation for the fast recursive reduction is twice as big as any other.

CPU usage

While some graphs are distorted by outliers, most have the shape characteristic of exponential time algorithms. Figure 5.25 shows how the different solvers handle hard semiprimes with different reductions. As can be seen, most of the difficult semiprimes at this bit-length are still handled best by the n-bit carry-save reduction.

RAM usage

As can be seen in section 5.2 the graphs showing RAM usage for all solvers and reductions show a constant increase in the minimum RAM usage. While not surprising, an important thing to note is that the highest RAM usage shown is less than 43 megabytes. Note that the removed outlier from subsection 5.2.3 used almost 57 megabytes. The highest RAM usage excluding Lingeling's recursive multiplier reductions is less than 23 megabytes as seen in Figure 5.11.

6.4.3 Wallace and recursive reductions

It is important to note that the recursive multiplier had a restriction that below 20 bits the wallace multiplier should be used, as seen in Figure 5.26. However, as shown in Table 5.4 and visualised in Figure 5.27, what is fastest in the last 12 bits still varies between the different solvers and reductions.

6.4.4 FACT solvers

6.4.5 About the CPU measurements

Analysis of the data showed that no single integer was solved in more than 4 milliseconds. This creates a problem since time measurements are fairly inaccurate for such short intervals. Additionally the overall time will be extremely inaccurate since time does not measure intervals shorter than 1 millisecond but rounds up the results. Hence the total time for MSieve should be much lower.

6.4.6 About the RAM measurements

As seen in Table 5.3 the RAM usage is a quite modest 69,160 bytes with 1% inaccuracy due to Valgrind's Massif settings. As the RAM usage did not vary either


Chapter 7

Conclusion

7.1 Asymptotic behaviour

7.1.1 SAT solvers

As mentioned in section 6.4.1 Glucose with simplifier performs the best overall while Lingeling has the single best overall time with the n-bit carry-save reduction. However, as discussed in section 6.4.2 Lingeling should not be used in combination with the recursive multiplier.

7.1.2 Reductions

As stated in section 6.4.2, for the bit lengths and semiprimes used in this thesis the n-bit carry-save reduction performs well, though it still should be used in conjunction with simplified Glucose or Lingeling.

7.1.3 Conclusions about asymptotic behaviour

Both simplified Glucose and Lingeling perform well in conjunction with specific reductions. However, as mentioned in section 6.4.2 the asymptotic behaviour of the CPU time is consistent with that of an exponential time algorithm.

7.2 Comparing SAT solvers with FACT solvers

7.2.1 Conclusions about SAT solvers

The results from the SAT solvers show that the fastest factorisation of all semiprimes was performed by Lingeling with the n-bit carry-save reduction in 3,592,700 milliseconds.


7.2.2 Conclusions about MSieve

The results from MSieve are quite disappointing since almost nothing can be said about its asymptotic behaviour. However, even if the results from the CPU measurements are not accurate, as mentioned in subsection 6.4.5, it does not matter as they should be even lower than 11,034 as a result of time rounding up to whole milliseconds.

7.2.3 Conclusion

As can be seen above, there is no competition between the SAT solvers and the FACT solver when it comes to solving an integer factorisation. SAT solvers might serve a use in finding unknown weaknesses in FACT but that was not the goal of this thesis. SAT solvers cannot replace FACT solvers and should be avoided for generalised integer factorisations.

7.3 Further research

7.3.1 Other solvers

While SAT solvers cannot compare to FACT solvers it would be interesting to see how other solvers handle integer factorisation. The outliers mentioned in section 6.4.2 could be the result of a heuristic that is wrong for the problem. Neither Glucose nor Lingeling have placed themselves in the random category of the SAT Competition [16] and it could be that solvers from that category perform better on the problem.

7.3.2 Other reductions or simplifiers

More modern reductions or a simplifier better adapted to the problem could both most likely be used to advantage on the problem. On a side note, the SAT Competition [16] is always looking for more benchmark generators and solvers.

7.3.3 Finding weak semiprimes

This thesis has shown that in general integer factorisation SAT solvers do not perform particularly well. However, it would be of interest to see if a SAT solver can find semiprimes with special characteristics such as those exploited by FACT solvers. They might even find more than what is used by FACT solvers.


Bibliography

[1] Alfred V. Aho and Jeffrey D. Ullman. Foundations of Computer Science, volume 2. Computer Science Press, New York, 1992.

[2] Gilles Audemard and Laurent Simon. Glucose's home page. http://www.labri.fr/perso/lsimon/glucose/, 2013. Accessed: 2014-04-20.

[3] Adrian Balint, Anton Belov, Marijn J.H. Heule, and Matti Järvisalo, editors. Proceedings of SAT Competition 2013, Solver and Benchmark Descriptions, Department of Computer Science Series of Publications B. University of Helsinki, Helsinki Institute for Information Technology HIIT, University of Helsinki, 2013.

[4] Armin Biere. Handbook of Satisfiability, volume 185. IOS Press, 2009.

[5] Benjamin Chambers, Panagiotis Manolios, and Daron Vroon. Faster SAT solving with better CNF generation. In Proceedings of the Conference on Design, Automation and Test in Europe, pages 1590–1595. European Design and Automation Association, 2009.

[6] DIMACS Challenge. Satisfiability: Suggested format. DIMACS Challenge. DIMACS, 1993.

[7] Ian P. Gent, Stuart A. Grant, Ewen MacIntyre, Patrick Prosser, Paul Shaw, Barbara M. Smith, and Toby Walsh. How not to do it. Research Report Series, University of Leeds School of Computer Studies, LU SCS RR, 1997.

[8] Michael Huth and Mark Ryan. Logic in Computer Science: Modelling and Reasoning about Systems. Cambridge University Press, 2004.

[9] Richard H.F. Jackson and John M. Mulvey. A critical review of comparisons of mathematical programming algorithms and software/1953-1977. Journal of Research, 83:563–584, 1978.

[10] Johannes Kepler University Linz, Institute for Formal Models and Verification. Lingeling, Plingeling and Treengeling. http://fmv.jku.at/lingeling/. Accessed: 2014-04-20.


[11] Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thomé, Joppe W. Bos, Pierrick Gaudry, Alexander Kruppa, Peter L. Montgomery, Dag Arne Osvik, et al. Factorization of a 768-bit RSA modulus. Advances in Cryptology – CRYPTO 2010, pages 333–350, 2010.

[12] Carl Pomerance. A tale of two sieves. In Notices Amer. Math. Soc. Citeseer, 1996.

[13] Paul Purdom and Amr Sabry. CNF generator for factoring problems. http://www.cs.indiana.edu/cgi-pub/sabry/cnf.html. Accessed: 2014-04-13.

[14] Hans Riesel. Prime Numbers and Computer Methods for Factorization, volume 126. Springer, 1994.

[15] RSA Laboratories. The RSA factoring challenge. http://www.emc.com/emc-plus/rsa-labs/historical/the-rsa-factoring-challenge.htm, April 2014. Accessed: 2014-04-09.

[16] SATComp Organizing Committee. SAT competitions. http://www.satcompetition.org/. Accessed: 2014-04-20.

[17] Mate Soos. CryptoMiniSat 4 released. http://www.msoos.org/2014/04/cryptominisat-4-released/, April 2014. Accessed: 2014-04-20.

[18] Tech Times. Did NSA bribe security industry pioneer? http://goo.gl/Sa2Vqs, December 2013. Accessed: 2014-04-13.


Appendix A

Hardware

A.1 Full hardware listing

This is a complete listing of all parts connected during the experiment.

Hardware type     Model
CPU               AMD FX-6200 X6 3.8 GHz Black Edition
RAM               2x Corsair 8GB CL9 1866 MHz
HD                1TB WD Green 5400 RPM 64MB
Motherboard       Asus CROSSHAIR V FORMULA 990FX
PSU               Cooler Master Silent Pro 800W 80+

Others internal
GPU               MSI Radeon HD 7870 2048 MB Twin Frozr
DVD               DVD±RW Samsung 22X DL

Others external
Mouse             Mionix Naos 5000 Gaming Mouse
Keyboard          SteelSeries 6G v2 RED
DVI               Philips


Appendix B

Software

B.1 Libraries and compilers

B.1.1 GCC

gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
Target: x86_64-redhat-linux

B.1.2 GMP

5.1.3

B.1.3 GHC

The Glorious Glasgow Haskell Compilation System, version 7.6.3

B.1.4 Java

1.7.0_51
OpenJDK Runtime Environment (rhel-2.4.4.1.el6_5-x86_64 u51-b02)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)

B.1.5 Javac

javac 1.7.0_51 on Mac OS X 10.8.5.

B.1.6 Valgrind

valgrind-3.8.1


Appendix C

Problems and results

Due to the size of the results they are primarily available as .zip files through BitTorrent Sync, and the author cannot guarantee that the results will always be available. Presented below are the read-only keys used by BitTorrent Sync for the problems and results. Upon request the data can be provided through different means.

• All files:

BEBGWPYBNGWTZKZ77KEHX4DXY6GWY5ZXF

• SAT solvers CPU measurements:

B7M3DY6EVRZ274WRU2LPJRJ5UYA2KIBRN

• SAT solvers Massif measurements:

BC76N57GHVJ67VQKHTM247C2AQZFTOFU2

• MSieve CPU and Massif measurements:

BXOZ5PUH4MTMECKA5RYH735UAXZVGSZPS

• SAT problems:

BSNU4DZ54I2F3QLDGZF72N5WEKDC7BJ2O

• Semiprime lists:

BOGTBF2ILJKCUBVETXLWXUUODD7K4QG3K

Note that the MSieve results contain certain errors. The first run was removed since the log file from the preliminary tests was included. Since Massif was run without removing the log file, each log file contains two results: the first one from Massif, the second one the correct factorisation result. Additionally a setup error made MSieve run 60 times instead of the planned 6.


Appendix D

Source-code

The applications were only written to get the work done and are therefore neither efficient nor easy to read. Information about the source code can be requested from the author or accessed through BitTorrent Sync with the key B77PR3J7PVTXIZFFCY4SMMOTOWKDXHUSE.
