Abstract. Bit-precise reasoning is important for many practical applications of Satisfiability Modulo Theories (SMT). In recent years, efficient approaches for solving fixed-size bit-vector formulas have been developed. From the theoretical point of view, only a few results on the complexity of fixed-size bit-vector logics have been published. Most of these results only hold if unary encoding on the bit-width of bit-vectors is used. In previous work [1], we showed that binary encoding adds more expressiveness to bit-vector logics, e.g. it makes fixed-size bit-vector logic without uninterpreted functions or quantification NExpTime-complete. In this paper, we look at the quantifier-free case again and propose two new results. While it is enough to consider logics with bitwise operations, equality, and shift by constant to derive NExpTime-completeness, we show that the logic becomes PSpace-complete if, instead of shift by constant, only shift by 1 is permitted, and even NP-complete if no shifts are allowed at all.
Introduction
Bit-precise reasoning over bit-vector logics is important for many practical applications of Satisfiability Modulo Theories (SMT), particularly for hardware and software verification. Examples of state-of-the-art SMT solvers with support for bit-precise reasoning are Boolector, MathSAT, STP, Z3, and Yices.
Syntax and semantics of fixed-size bit-vector logics do not differ much in the literature [2, 3, 4, 5, 6]. Concrete formats for specifying bit-vector problems also exist, e.g. the SMT-LIB format [7] or the BTOR format [8].
Working with non-fixed-size bit-vectors has been considered for instance in [4, 9], and more recently in [10], but is not the focus of this paper. Most industrial applications (and examples in the SMT-LIB) have fixed bit-width.
We investigate the complexity of solving fixed-size bit-vector formulas. Some papers propose such complexity results, e.g. in [3] the authors consider quantifier-free bit-vector logic and give an argument for the NP-hardness of its satisfiability problem. In [5], a sublogic of the previous one is claimed to be NP-complete. Interestingly, in [11] there is a claim about the full quantifier-free bit-vector logic without uninterpreted functions (QF_BV) being NP-complete; however, the proposed decision procedure confirms this claim only if the bit-widths of the bit-vectors in the input formula are written/encoded in unary form. In [12, 13], the quantified case is addressed, and the satisfiability problem of this logic with uninterpreted functions (UFBV) is proved to be NExpTime-complete. Again, the proof only holds if we assume unary encoded bit-widths. In practice, a more natural and exponentially more succinct logarithmic encoding is used, such as in the SMT-LIB, the BTOR, and the Z3 format.
Supported by FWF, NFN Grant S11408-N23 (RiSE).
In previous work [1], we already investigated how complexity varies if we consider either a unary or a logarithmic (without loss of generality, binary) encoding. Apart from this, we are not aware of any work that investigates how the particular encoding of the bit-widths in the input affects complexity (as an exception, see [14, Page 239, Footnote 3]).
In this paper, we revisit QF_BV2, the quantifier-free case with binary encoding and without uninterpreted functions. We then put certain restrictions on the operations we use (in particular on the shift operation). As a result, we obtain two new sublogics which we show to be PSpace-complete resp. NP-complete.
Motivation
In practice, state-of-the-art bit-vector solvers rely on rewriting and bit-blasting. The latter is defined as the process of translating a bit-vector resp. word-level description into a bit-level circuit, as in hardware synthesis. The result can then be checked by a (propositional) SAT solver. In [1], we gave the following example (in SMT2 syntax) to point out that bit-blasting is not polynomial in general. It checks commutativity of adding two bit-vectors of bit-width 1000000:
(set-logic QF_BV)
(declare-fun x () (_ BitVec 1000000))
(declare-fun y () (_ BitVec 1000000))
(assert (distinct (bvadd x y) (bvadd y x)))
Bit-blasting such formulas generates huge circuits, which shows that checking bit-vector logics through bit-blasting cannot be considered to be a polynomial reduction. This also disqualifies bit-blasting as a sound way to argue that the decision problem for (quantifier-free) bit-vector logics is in NP. We actually proved in [1] that deciding bit-vector logics, even without quantifiers, is much harder. It turned out to be NExpTime-complete in the general case.
However, in [1] we then also defined a class of bit-width bounded problems and showed that under certain restrictions on the bit-widths this growth in complexity can be avoided and the problem remains in NP.
In this paper, we give a more detailed classification of quantifier-free fixed-size bit-vector logics by investigating how complexity varies when we restrict the operations that can be used in a bit-vector formula. We establish two new complexity results for restricted bit-vector logics and bring together our previous results in [1] with work on linear arithmetic on non-fixed-size bit-vectors [10, 15] and work on the reduction of bit-widths [16, 17]. The formula in the given example only contains bitwise operations, equality, and addition. Solving formulas of this kind turns out to be PSpace-complete.
Definitions
We assume the usual syntax for (quantifier-free) bit-vector logics, with a restricted set of bit-vector operations: bitwise operations, equality, and (left) shift by constant. A bit-vector term $t^{[1]}$ is also called a bit-vector formula. We say that a bit-vector formula is in flat form if it does not contain nested equalities. It is easy to see that any bit-vector formula can be translated to this form with only linear growth in the number of variables. In the rest of the paper, we may omit parentheses in a formula for the sake of readability.
Definition 1 (Term
Let Φ be a bit-vector formula and α an assignment to the variables in Φ. We use the notation $\alpha(\Phi)$ to denote the evaluation of Φ under α, with $\alpha(\Phi) \in \{0, 1\}$. α satisfies Φ if and only if $\alpha(\Phi) = 1$. We define three different bit-vector logics:
- $\mathrm{QF\_BV2}_{\ll c}$: bitwise operations, equality, and shift by any constant are allowed
- $\mathrm{QF\_BV2}_{\ll 1}$: bitwise operations, equality, and shift by only $c = 1$ are allowed
- $\mathrm{QF\_BV2}_{bw}$: only bitwise operations and equality are allowed
Obviously, $\mathrm{QF\_BV2}_{bw} \subset \mathrm{QF\_BV2}_{\ll 1} \subset \mathrm{QF\_BV2}_{\ll c}$. In Sec. 4, we investigate the complexity of the satisfiability problem for these logics:
- $\mathrm{QF\_BV2}_{\ll c}$ is NExpTime-complete.
- $\mathrm{QF\_BV2}_{\ll 1}$ is PSpace-complete.
- $\mathrm{QF\_BV2}_{bw}$ is NP-complete.
Adding uninterpreted functions does not change expressiveness of these logics, since in the quantifier-free case, uninterpreted functions can always be replaced by new variables. To guarantee functional consistency, Ackermann constraints have to be added to the formula. However, even in the worst case, the number of Ackermann constraints is only quadratic in the number of function instances. Without loss of generality, we therefore do not explicitly deal with uninterpreted functions.
Complexity Results
Proof. The claim directly follows from our previous work in [1]. We informally defined QF_BV2 as the quantifier-free bit-vector logic that uses the common bit-vector operations as defined for example in SMT-LIB, including bitwise operations, equality, shifts, addition, multiplication, concatenation, slicing, etc., and then showed that QF_BV2 is NExpTime-complete.
Obviously, $\mathrm{QF\_BV2}_{\ll c} \subset \mathrm{QF\_BV2}$ and therefore, $\mathrm{QF\_BV2}_{\ll c} \in$ NExpTime.
To show the NExpTime-hardness of QF_BV2, we gave a (polynomial) reduction from DQBF (which is NExpTime-complete [18]) to QF_BV2. Since we only used bitwise operations, equality, and shift by constant in our reduction, we also immediately get the NExpTime-hardness of $\mathrm{QF\_BV2}_{\ll c}$.
Note that in [1], we used shift by constant to construct the binary magic numbers, as done in the literature [20]. This is not permitted in $\mathrm{QF\_BV2}_{\ll 1}$. We therefore give an alternative construction using only bitwise operations, equality, and shift by 1:
Together with the previous $n$ equations, those $n$ constraints force the rows of $B$ to represent an enumeration of all binary numbers $0 \le c < 2^n$. Therefore, the columns of B 1] ), we know that $Q$ defines a total order on the universal variables. We now assume the universal variables $u_0, \dots, u_{n-1}$ of φ are ordered according to their appearance in $Q$, with $u_0$ (resp. $u_{n-1}$) being the innermost (resp. outermost) variable.
Translate φ to a $\mathrm{QF\_BV2}_{\ll 1}$ formula Φ by eliminating the quantifier prefix and translating the matrix as follows:
Step 1. Replace Boolean constants 0 and 1 with $0^{[2^n]}$ resp. $\sim 0^{[2^n]}$ and logical connectives with corresponding bitwise bit-vector operations (e.g. $\wedge$ with $\&$). Let $\Phi'$ denote the formula generated so far. Extend it to the formula
Step 2. For each universal variable $u_m \in \{u_0, \dots, u_{n-1}\}$, 
Note that we omitted the bit-widths in the last equations to improve readability. Each bit position of Φ corresponds to the evaluation of φ under a specific assignment to the universal variables $u_0, \dots, u_{n-1}$, and, by construction of (3) simplifies to true. Because of this no constraints need to be added for $m = 0$. A similar approach used for translating QBF to Symbolic Model Verification (SMV) can be found in [21]. See also [19] for a translation from QBF to Sequential Circuits. □
Lemma 2. $\mathrm{QF\_BV2}_{\ll 1}$ can be (polynomially) reduced to Sequential Circuits.
Proof. In [10, 15], the authors give a translation from quantifier-free Presburger arithmetic with bitwise operations (QFPAbit) to Sequential Circuits. We can adopt their approach in order to construct a translation for $\mathrm{QF\_BV2}_{\ll 1}$. The main difference between QFPAbit and $\mathrm{QF\_BV2}_{\ll 1}$ is the fact that bit-vectors of arbitrary, non-fixed, size are allowed in QFPAbit while all bit-vectors contained in $\mathrm{QF\_BV2}_{\ll 1}$ have a fixed bit-width.
Given $\Phi \in \mathrm{QF\_BV2}_{\ll 1}$ in flat form. Let $x^{[n]}$, $y^{[n]}$ denote bit-vector variables, $c^{[n]}$ a bit-vector constant, and $t_1^{[n]}$, $t_2^{[n]}$ bit-vector terms only containing bit-vector variables and bitwise operations. Following [10, 15] we further assume w.l.o.g. that Φ only consists of three types of expressions: $t_1^{[n]} = t_2^{[n]}$, $x^{[n]} = c^{[n]}$, and $x^{[n]} = y^{[n]} \ll 1^{[n]}$, since any $\mathrm{QF\_BV2}_{\ll 1}$ formula can be written like this with only a linear growth in the number of original variables.
We encode each equality in Φ separately into an atomic Sequential Circuit. Compared to [10, 15], two modifications are needed. First, we need to give a translation for $x = y \ll 1$ to Sequential Circuits. This can be done for example by using the Sequential Circuit for $x = 2 \cdot y$ in QFPAbit. However, a direct translation can also easily be constructed.
The second modification relates to dealing with fixed-size bit-vectors. Let n be the bit-width of all bit-vectors in a given equality. We extend each atomic Sequential Circuit to include a counter (circuit). The counter initially is set to 0 and is incremented by 1 in each clock cycle up to a value of n.
When the counter reaches a value of n, it does not change anymore and the output of the atomic Sequential Circuit is set to the same value as the output in the previous cycle. A counter like this can be realized with $\lceil \log_2(n) \rceil$ gates, i.e. polynomially in the size of Φ. In contrast to the implementation described in [15], we assume that the input streams for all variables start with the least significant bit. However, as already pointed out by the authors in [15], their choice was arbitrary and it is no more complicated to construct the circuits the other way round.
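The direct translation of $x = y \ll 1$ together with the counter modification can be simulated bit-serially as follows. This is an added example, not code from the paper or from [10, 15]; the class and function names are hypothetical, and the input streams are fed least significant bit first as assumed above.

```python
class ShiftEqCircuit:
    """Bit-serial checker for x = y << 1 on n-bit vectors, inputs LSB first."""

    def __init__(self, n):
        self.n = n          # fixed bit-width of x and y
        self.count = 0      # saturating counter; its register needs about log2(n) bits
        self.prev_y = 0     # y bit seen in the previous cycle (a 0 is shifted in first)
        self.out = 1        # 1 while every compared bit position has agreed

    def step(self, x_bit, y_bit):
        """One clock cycle; returns the circuit output after this cycle."""
        if self.count < self.n:
            # bit i of (y << 1) is bit i-1 of y, and 0 for i = 0
            self.out &= int(x_bit == self.prev_y)
            self.prev_y = y_bit
            self.count += 1
        # once count == n the state is frozen: later stream bits are ignored
        return self.out


def serial_check(n, x, y, cycles):
    """Feed `cycles` bits of the ints x and y, least significant bit first."""
    circuit = ShiftEqCircuit(n)
    out = 1
    for i in range(cycles):
        out = circuit.step((x >> i) & 1, (y >> i) & 1)
    return out


def word_check(n, x, y):
    """Word-level reference: a fixed-width left shift drops the bit shifted out."""
    mask = (1 << n) - 1
    return int((x & mask) == ((y << 1) & mask))


def agree_everywhere(n, cycles):
    """Compare both checkers on every pair of `cycles`-bit input streams."""
    return all(serial_check(n, x, y, cycles) == word_check(n, x, y)
               for x in range(1 << cycles) for y in range(1 << cycles))
```

Running the streams for more than n cycles shows the effect of the counter: stream bits beyond position n-1 never change the output.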
Finally, after constructing atomic circuits, their outputs are combined by logical gates following the Boolean structure of Φ, in the same way as for unbounded bit-width in [10, 15]. Due to adding counters, we ensure that for every input stream $x_i$, only the first $n_i$ bits of $x_i$ influence the result of the whole circuit.
In a similar way, if $m > k$, $(t_{1,hi}^{[m-k]} = t_{2,hi}^{[m-k]})$ represents the remaining $(m-k)$ rows of the original equality corresponding to the most significant bits. All occurrences of a variable $x^{[m]}$ are replaced with a new variable $x_{hi}^{[m-k]}$ and all occurrences of a constant $c^{[m]}$ are replaced with $0^{[m-k]}$. Since this pre-processing step is logarithmic in the value of $c_{max}$, it is polynomial in $|\Phi|$. Without loss of generality, we now assume that Φ does not contain any bit-vector constants different from $0^{[n]}$.
We now construct a formula $\Phi'$ by reducing the bit-widths of all bit-vector terms in Φ. Each term $t^{[n]}$ in Φ with bit-width $n$ is replaced with a term $t^{[n']}$, with $n' := \min\{n, |\Phi|\}$. Apart from this, $\Phi'$ is exactly the same as Φ. As a consequence, $\max_{bw}(\Phi') \le |\Phi|$. The set of formulas constructed in this way is bit-width bounded according to Def. 3.
To complete our proof, we now have to show that the proposed reduction is sound, i.e. out of every satisfying assignment to the bit-vector variables $x_1^{[n_1]}, \dots, x_k^{[n_k]}$ for Φ we can also construct a satisfying assignment to It is easy to see that whenever we have a satisfying assignment $\alpha'$ for $\Phi'$, we can construct a satisfying assignment α for Φ. This can be done by simply setting all additional bits of all bit-vector variables to the same value as the most significant bit of the corresponding original vector, i.e. by performing a signed extension. Since all equalities still evaluate to the same value under the extended assignment, $\alpha(F) = \alpha'(F')$ for all equalities $F$ (resp. $F'$) of Φ (resp. $\Phi'$). As a direct consequence, $\alpha(\Phi) = \alpha'(\Phi') = 1$.
The other direction needs slightly more reasoning. Given α, with $\alpha(\Phi) = 1$, we need to construct $\alpha'$, with $\alpha'(\Phi') = 1$. Again, we want to ensure that $\alpha'(F') = \alpha(F)$ for all equalities $F$ (resp. $F'$) in Φ (resp. $\Phi'$).
In each variable $x_i^{[n_i]}$, $i \in \{1, \dots, k\}$, we are going to select some of the bits. For each equality $F$ with $\alpha(F) = 0$, we select a bit-index as a witness for its evaluation. If $\alpha(F) = 1$, we select an arbitrary bit-index. We then mark the selected bit-index in all bit-vector variables contained in $F$, as well as in all other bit-vector variables of the same bit-width. Having done this for all equalities, we end up with sets $M_i$ of selected bit-indices, for all $i \in \{1, \dots, k\}$, where
The selected indices contain a witness for the evaluation of each equality. We now add arbitrary further bit-indices, again selecting the same indices in bit-vector variables of the same bit-width, until $|M_i| = \min\{n_i, |\Phi|\}$ $\forall i \in \{1, \dots, k\}$. Finally, we can directly construct $\alpha'$ using the selected indices and get $\alpha'(\Phi') = \alpha(\Phi) = 1$ because of the fact that we included a witness for every equality in our index-selection process. Note that we only had to choose a specific witness for the case that $\alpha(F) = 0$. For $\alpha(F) = 1$, we were able to choose an arbitrary bit-index because every satisfied equality will trivially still be satisfied when only a subset of all bit-indices is considered. □
Remark 1. A similar proof can be found in [16, 17]. While the focus of [16, 17] lies on improving the practical efficiency of SMT-solvers by reducing the bit-width of a given formula before bit-blasting, the author does not investigate its influence on the complexity of a given problem class. In fact, the author claims that bit-vector theories with common operators are NP-complete. As we have already shown in [1], this only holds if unary encoding on the bit-widths is used. However, unary encoding leads to the fact that the given class of formulas remains NP-complete, independent of whether a reduction of the bit-width is possible. While the arguments on bit-width reduction given in [16, 17] still hold for binary encoded bit-vector formulas when only bitwise operators are used, our proof considers the complexity of the problem class.
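Both directions of the soundness proof above, as an added example that is not part of the paper: `reduce_assignment` performs the witness selection and `sign_extend` the converse. It assumes a single bit-width for all variables, no constants, terms given as nested tuples, and a caller-supplied `size` standing in for $|\Phi|$ that is at least the number of equalities; all names and the sample assignment are constructed for illustration.

```python
from itertools import islice

def ev(t, env, n):
    """Evaluate a bitwise term (nested tuple) on n-bit values held in ints."""
    mask, op = (1 << n) - 1, t[0]
    if op == "var":
        return env[t[1]] & mask
    if op == "not":
        return ~ev(t[1], env, n) & mask
    a, b = ev(t[1], env, n), ev(t[2], env, n)
    return {"and": a & b, "or": a | b, "xor": a ^ b}[op]

def truth(eqs, env, n):
    """Truth value of every equality t1 = t2 under the assignment env."""
    return [ev(a, env, n) == ev(b, env, n) for a, b in eqs]

def reduce_assignment(eqs, env, n, size):
    """alpha -> alpha': keep min(n, size) bit positions, one witness per equality."""
    width, picked = min(n, size), []
    for a, b in eqs:
        diff = ev(a, env, n) ^ ev(b, env, n)
        # falsified equality: a differing bit is the witness; satisfied: any index
        j = (diff & -diff).bit_length() - 1 if diff else 0
        if j not in picked:
            picked.append(j)
    # add arbitrary further indices until |M| = min(n, |Phi|)
    rest = (j for j in range(n) if j not in picked)
    picked = sorted(picked + list(islice(rest, width - len(picked))))
    small = {v: sum(((x >> j) & 1) << i for i, j in enumerate(picked))
             for v, x in env.items()}
    return small, width

def sign_extend(small, width, n):
    """alpha' -> alpha: copy each vector's most significant bit into the new bits."""
    high = ((1 << n) - 1) ^ ((1 << width) - 1)      # bit positions width .. n-1
    return {v: x | (high if (x >> (width - 1)) & 1 else 0)
            for v, x in small.items()}

# Constructed sample: three equalities over x, y, z of bit-width 1000000.
X, Y, Z = ("var", "x"), ("var", "y"), ("var", "z")
EQS = [(("and", X, Y), Z),                 # x & y = z
       (("or", X, Y), ("xor", X, Y)),      # x | y = x ^ y
       (("not", X), Y)]                    # ~x = y
N, SIZE = 1_000_000, 12                    # SIZE plays the role of |Phi| (assumed)
TOP = 1 << (N - 1)
ALPHA = {"x": TOP | 0b100, "y": TOP | 0b011, "z": TOP}

def demo():
    small, width = reduce_assignment(EQS, ALPHA, N, SIZE)
    back = sign_extend(small, width, N)
    return (width, small, truth(EQS, ALPHA, N),
            truth(EQS, small, width), truth(EQS, back, N))
```

Every equality keeps its truth value in both directions, so any Boolean combination of the equalities evaluates identically on the 12-bit and the 1000000-bit assignment.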
In this paper, we discussed the complexity of fixed-size bit-vector logics with binary encoding on numbers. In contrast to the existing literature (except for [1]), which usually does not distinguish between unary and binary encoding, we argued that it is important to make this distinction. Our results apply to the actually much more natural binary encoding as it is also used in standard formats, e.g. in the SMT-LIB format. In previous work [1], we already showed the quantifier-free case of those bit-vector logics to be NExpTime-complete. We now extended our previous work by analyzing the quantifier-free case in more detail and gave two new complexity results.
In particular, we showed that the complexity of deciding quantifier-free bit-vector logics with bitwise operations and equality depends on whether we allow shift by constant ($\mathrm{QF\_BV2}_{\ll c}$), shift by 1 ($\mathrm{QF\_BV2}_{\ll 1}$), or no shifts at all ($\mathrm{QF\_BV2}_{bw}$). While deciding $\mathrm{QF\_BV2}_{\ll c}$ remains NExpTime-complete, we proved that $\mathrm{QF\_BV2}_{\ll 1}$ is PSpace-complete, and $\mathrm{QF\_BV2}_{bw}$ even becomes NP-complete.
In addition to the already previously proposed concept of bit-width boundedness, this gives an alternative way to avoid the increase in complexity that comes with binary encoding in the general case. To be more specific for practical logics, we then looked at the effect some other common operations have on these complexity results. We discussed why logics with addition, multiplication by constant, indexing, and relational operations still can be decided in PSpace, and showed that allowing general multiplication or slicing already leads to NExpTime-completeness.
On the one hand, our theoretical results give an argument for using more powerful solving techniques when dealing with bit-vector logics. Currently the most common approach used in state-of-the-art SMT solvers for bit-vectors is based on simple rewriting, bit-blasting, and SAT solving. We have shown this can possibly produce exponentially larger formulas when a logarithmic encoding is used in the input. As already argued in [1], possible candidates for the general case are techniques used in EPR and/or DQBF solvers (see e.g. [23, 24]).
On the other hand, we described various logics that remain in lower complexity classes. For $\mathrm{QF\_BV2}_{bw}$ this shows the importance of bit-width reduction as proposed in [16, 17] before bit-blasting. For formulas in $\mathrm{QF\_BV2}_{\ll 1}$ or one of the related classes, only using shift by 1, addition, multiplication by constant, and indexing, techniques used in state-of-the-art QBF solvers [25] or symbolic model checking on Sequential Circuits [19] might be of interest.
