[Rule] MultivariateQuadratic to Satisfiability #132
Description
Source: MultivariateQuadratic (over F₂)
Target: Satisfiability (SAT)
Motivation: Enables solving MQ instances over F₂ using highly optimized SAT solvers (MiniSat, CryptoMiniSat, etc.). This is the reverse of SAT→MQ and demonstrates the polynomial-time equivalence between boolean MQ and SAT.
Reference:
- Courtois, N., & Meier, W. (2003). "Algebraic attacks on stream ciphers with linear feedback." In Advances in Cryptology — EUROCRYPT 2003.
- Bard, G. V. (2009). Algebraic Cryptanalysis. Springer.
- Tseitin, G. S. (1983). "On the complexity of derivation in propositional calculus."
Reduction Algorithm
Notation:
- Source: MQ instance over F₂ with n variables x₁, ..., xₙ and m polynomial equations
- Let P be the number of distinct quadratic product terms xᵢxⱼ used by the system (P ≤ n(n-1)/2)
- Let T be the total number of terms across all transformed equations after replacing products by auxiliary variables
- Target: SAT instance with polynomial size (variables O(n + P + T), clauses O(P + T))
Variable mapping:
- Original variables: Each MQ variable xᵢ ∈ F₂ maps directly to SAT variable xᵢ
- Product variables (Tseitin transformation): For each product term xᵢxⱼ appearing in the polynomials, introduce auxiliary SAT variable yᵢⱼ representing xᵢ ∧ xⱼ
Constraint transformation:
For each MQ equation fₖ(x) = Σᵢⱼ aᵢⱼ xᵢxⱼ + Σᵢ bᵢ xᵢ + c = 0 (mod 2):
Step 1: Convert to XOR-SAT form
- The equation is already in XOR form over F₂
- Example: x₁x₂ + x₁ + x₃ = 0 means (x₁ ∧ x₂) ⊕ x₁ ⊕ x₃ = 0
Step 2: Introduce auxiliary variables for products
- For each product xᵢxⱼ, introduce yᵢⱼ with Tseitin clauses:
Encoded as CNF clauses:
yᵢⱼ ↔ (xᵢ ∧ xⱼ)(¬yᵢⱼ ∨ xᵢ) ∧ (¬yᵢⱼ ∨ xⱼ) ∧ (yᵢⱼ ∨ ¬xᵢ ∨ ¬xⱼ)
Step 3: Convert XOR to CNF (polynomial-size encoding)
- Base case (k=2): u ⊕ v = 0 can be encoded directly as 2 clauses without any auxiliary variables:
(u ∨ ¬v) ∧ (¬u ∨ v) - General case (k≥3): For ℓ₁ ⊕ ℓ₂ ⊕ ... ⊕ ℓₖ = 0, introduce chaining variables s₂, ..., s_{k-1}:
- s₂ ↔ (ℓ₁ ⊕ ℓ₂)
- s₃ ↔ (s₂ ⊕ ℓ₃)
- ...
- s_{k-1} ↔ (s_{k-2} ⊕ ℓ_{k-1})
- enforce s_{k-1} = ℓₖ
- Each equivalence u ↔ (v ⊕ w) is encoded by 4 CNF clauses:
(¬u ∨ ¬v ∨ ¬w) (¬u ∨ v ∨ w) (u ∨ ¬v ∨ w) (u ∨ v ∨ ¬w) - Constant term c=1: If the equation includes a constant term c=1 (i.e., ℓ₁ ⊕ ... ⊕ ℓₖ = 1), change the final enforcement from s_{k-1} = ℓₖ to s_{k-1} = ¬ℓₖ. For the k=2 base case, u ⊕ v = 1 becomes (u ∨ v) ∧ (¬u ∨ ¬v).
- Therefore a k-literal XOR uses O(k) auxiliary variables and O(k) clauses.
Alternative (more efficient): Use XOR-SAT solver
- Many modern SAT solvers support XOR clauses natively (CryptoMiniSat)
- Can keep XOR constraints without CNF conversion
Solution extraction:
- Extract values of original variables x₁, ..., xₙ from SAT solution
- Auxiliary variables yᵢⱼ are automatically consistent due to Tseitin clauses
Size Overhead
| Target metric (code name) | Polynomial (using symbols above) |
|---|---|
| num_variables | n + P + O(T) (original + products + XOR chain variables) |
| num_clauses | 3P + O(T) (Tseitin for products + linear-size XOR encoding) |
Detailed breakdown:
- Original variables: n
- Product auxiliary variables: P ≤ n(n-1)/2
- Tseitin clauses: 3 per product variable = 3P
- XOR-chain auxiliary variables/clauses: linear in total XOR length T
- Total variables: n + P + O(T)
- Total clauses: 3P + O(T)
Note: This encoding is polynomial even for long equations; in practice, native XOR support (e.g., CryptoMiniSat) is often faster.
Validation Method
- Cross-check with MQ solvers (PolyBoRi) on same instances
- Verify on small hand-crafted instances (2-3 variables)
- Test on cryptographic benchmarks (stream cipher algebraic attacks)
- Compare with direct SAT encoding of the same problem
Example
Source MQ instance (F₂):
Field: F₂ = {0, 1}
Variables: x₁, x₂, x₃
Equations:
f₁: x₁·x₂ + x₃ = 0
f₂: x₂·x₃ + x₁ = 0
Target SAT instance:
Variables:
- Original: x₁, x₂, x₃
- Auxiliary: y₁₂ (for x₁x₂), y₂₃ (for x₂x₃)
Clauses:
- Tseitin clauses for y₁₂ ↔ (x₁ ∧ x₂):
(¬y₁₂ ∨ x₁)
(¬y₁₂ ∨ x₂)
(y₁₂ ∨ ¬x₁ ∨ ¬x₂)
- Tseitin clauses for y₂₃ ↔ (x₂ ∧ x₃):
(¬y₂₃ ∨ x₂)
(¬y₂₃ ∨ x₃)
(y₂₃ ∨ ¬x₂ ∨ ¬x₃)
- XOR clause for f₁: y₁₂ ⊕ x₃ = 0 (2 literals → 2 clauses):
(y₁₂ ∨ ¬x₃)
(¬y₁₂ ∨ x₃)
- XOR clause for f₂: y₂₃ ⊕ x₁ = 0 (2 literals → 2 clauses):
(y₂₃ ∨ ¬x₁)
(¬y₂₃ ∨ x₁)
Total: 5 variables, 10 clauses
Solution:
- MQ solution: x₁=0, x₂=0, x₃=0 (satisfies both equations)
- SAT solution: x₁=0, x₂=0, x₃=0, y₁₂=0, y₂₃=0 (satisfies all clauses)
Overhead verification:
- Source: n=3 variables, m=2 equations, P=2 products
- Target:
- Variables: n + P = 3 + 2 = 5 ✓
- Clauses: 3P + 2·m = 6 + 4 = 10 ✓
Notes
Efficiency considerations:
- For sparse systems (few terms per equation): CNF conversion is efficient
- For dense systems (many terms per equation): Use XOR-SAT solvers (CryptoMiniSat)
- Chain-based XOR encoding keeps CNF size linear in k
Alternative: Direct XOR-SAT
- Modern SAT solvers support XOR clauses:
x₁ ⊕ x₂ ⊕ x₃ = 0 - No CNF conversion needed, much more efficient
- Recommended for cryptographic applications
Complexity:
- Both MQ(F₂) and SAT are NP-complete
- This reduction is polynomial-time using Tseitin + chain XOR encoding