Hard instance generation for SAT by Horie, Satoshi & Watanabe, Osamu
arXiv:cs/9809117v2 [cs.CC] 29 Sep 1998
Dept. of Computer Science, Tokyo Institute of Technology
Technical Report 97TR0007
Title: Hard Instance Generation for SAT
Author: Satoshi Horie and Osamu Watanabe
Affiliation: Department of Computer Science, Tokyo Institute of Technology
(watanabe@titech.ac.jp)
Abstract. We consider the problem of generating hard instances for the Satisfying Assignment
Search Problem (in short, SAT). It is not known whether SAT is difficult on average, while
it has been believed that the Factorization Problem (in short, FACT) is hard on average.
Thus, one can expect to generate hard-on-average instances by using a reduction from FACT
to SAT. Although the asymptotically best reduction is obtained by using the Fast Fourier
Transform [SS71] (in short, FFT), its constant factor is too big in practice. Here we propose
to use the Chinese Remainder Theorem for constructing efficient yet simple reductions from
FACT to SAT. First, by using the Chinese Remainder Theorem recursively, we define a
reduction that produces, from n bit FACT instances, SAT instances in conjunctive normal
form with $O(n^{1+\varepsilon})$ variables, where $\varepsilon > 0$ is any fixed constant. (Cf. The
reduction using FFT yields instances with $O(n \log n \log\log n)$ variables.) Next we
demonstrate the efficiency of our approach with some concrete examples; we define a
reduction that produces relatively small SAT instances. For example, it is possible to
construct SAT instances with about 5,600 variables that are as hard as factorizing 100 bit
integers. (Cf. The straightforward reduction yields SAT instances with 7,600 variables.)
1. Introduction
The satisfiability problem (SAT) is a central problem in various fields of computer science.
Precisely speaking, we consider the following “search problem”: For a given propositional
Boolean formula, find an assignment of values to the propositional variables so that the
formula evaluates to true. This paper investigates ways of generating hard SAT instances.
(In this paper, we consider only “positive” instances, namely, satisfiable Boolean formulas.
Also we consider only conjunctive formulas; a formula may be a k-conjunctive normal form
formula, i.e., a conjunction of disjunctions of k (or fewer) literals, or it may be a
k-extended conjunctive form formula, i.e., a conjunction of finite functions on k (or fewer)
variables.)
While it has been known that SAT is NP-hard, we do not know so much about its concrete
hardness. (There have been quite a lot of investigations into solving SAT, and important
observations on the hardness of SAT have been made; see, e.g., [Joh96]. Nevertheless, our
knowledge is far from satisfactory.) This contrasts with the factorization problem (FACT), i.e., the problem
of computing the prime factorization of a given number. While we do not know whether
FACT is NP-hard, we have developed some knowledge on its concrete hardness through
the development of algorithms and various experimental attacks to the problem (see,
e.g., [LL90]). Here we propose an approach for measuring concrete hardness of SAT that
uses an efficient reduction from FACT to SAT. Theoretically, it is clear that FACT is
polynomial-time reducible to SAT, and that a SAT instance F generated from a FACT
instance x is as hard as factorizing x. The goal of this paper is to design efficient reductions
so that we can generate SAT instances with smaller size and higher hardness.
There are two somewhat different motivations for designing efficient reductions.
First, with such efficient reductions, we can generate hard SAT instances that could
be used to test the performance of various heuristics for SAT. In general, it is not so easy
to generate good test instances. On the other hand, it is easy to generate hard instances
for FACT; just generate two large prime numbers and multiply them. Thus, with an
efficient reduction from FACT to SAT, we can generate hard SAT instances easily. Also,
from FACT instances, it is easy to generate SAT instances with a unique solution; thus,
by negating the unique solution, we can easily generate “negative” SAT instances. (In
general, “negative” instance generation is difficult [AIM96].)
Secondly, with efficient reductions, we can analyze the concrete hardness of SAT. For
example, it has been widely believed that factorizing the product of two 256 bit prime
numbers is intractable. (In fact, even the degree of intractability has been discussed; see,
e.g., [Sch94].) Thus, by reducing such hard FACT instances, we can estimate the concrete
hardness of SAT.
Because of these motivations, the reductions we define must be efficient on the range of
sizes we are interested in. Thus, a simple method is more appropriate than efficient but
complicated methods. For example, by using the Fast Fourier Transform ([SS71]; see also
[Knu81]), one can define a reduction that yields formulas with $O(\ell \log \ell \log\log \ell)$
variables from products of two ℓ bit prime numbers, which is asymptotically the best (so far).
Unfortunately, however, this reduction is almost useless for our purpose due to its large
constant factor.
In this paper, we propose one method of defining reductions, which is based on the Chinese
Remainder Theorem. Though simple, we show that this method gives us efficient reductions.
First, we define a reduction that uses the Chinese Remainder Theorem recursively and yields
formulas with $O(\ell^{1+\varepsilon})$ variables from products of two ℓ bit prime numbers,
where $\varepsilon$ is any small constant. Clearly, this is not the best compared with the one
defined by using FFT. But because of its small constant factor, we may be able to use this
reduction (or, the idea of the reduction) for generating relatively large instances, say,
formulas with 100,000 variables. Next, we define a reduction that works for the case ℓ ≤ 500.
For example, with this reduction, we can construct SAT instances with 5,600 variables that
are as hard as factorizing products of two 50 bit prime numbers, which can be used as test
instances [Joh96]. (Cf. A naive reduction yields instances with 7,600 variables.) The same
reduction also yields SAT instances with 63,000 variables that are as hard as factorizing
products of two 256 bit prime numbers. Thus, we can conclude that SAT instances with 63,000
variables contain some (in fact, many) intractable instances. (Cf. A naive reduction yields
instances with 197,000 variables.)
Notations
Throughout this paper, we consider, for FACT instances, a product of two prime numbers of
the same length, and we use $\ell$ to denote their length (i.e., the number of bits). For any
$a_{\ell-1}, \dots, a_0 \in \{0, 1\}$, we regard $(a_{\ell-1}, \dots, a_0)$ as the binary
representation of some number. In general, for any $a_{\ell-1}, \dots, a_0 \in \{0, \dots, b-1\}$,
$(a_{\ell-1}, \dots, a_0)$ is the base $b$ representation of some number.
2. Basic Idea and Asymptotic Analysis
Here we first explain the basic idea of our method, and then discuss the way to apply it
recursively to get an asymptotically better reduction.
Our goal is to generate, for a given integer $x = p \times q$, where $p$ and $q$ are $\ell$ bit
prime numbers, a SAT instance $F_x$ such that one can easily compute $p$ and $q$ from a
satisfying assignment of $F_x$. In the following, let us fix this $x$ and thus, $p$ and $q$.
Note that $F_x$ is defined for each $x$, and $x$ can be embedded in the definition of $F_x$
as a constant. On the other hand, our construction must be independent of $p$ and $q$; in
other words, $F_x$ must be constructed without knowing $p$ or $q$. (Otherwise, one may
extract information on $p$ or $q$ from $F_x$ without solving $F_x$.)
For our goal, consider, for example, $F^{\mathrm{ex1}}_x$ that satisfies the following:
$$[\,(a_{\ell-1}, \dots, a_0) \times (b_{\ell-1}, \dots, b_0) = x\,] \iff [\,F^{\mathrm{ex1}}_x(a_{\ell-1}, \dots, a_0, b_{\ell-1}, \dots, b_0) = \mathrm{true}\,].$$
Here $a_i$ and $b_i$ are propositional variables, and we use them to represent nonnegative
integers. The satisfying assignment of this $F^{\mathrm{ex1}}_x$ is the binary representation
of $p$ and $q$, and thus, one can compute the factorization of $x$ by solving SAT on
$F^{\mathrm{ex1}}_x$.
Here we take the following approach to generate $F_x$: (i) First design a circuit $C_x$,
which we call a test circuit, such that $C_x(a_{\ell-1}, \dots, a_0, b_{\ell-1}, \dots, b_0)$
checks whether $(a_{\ell-1}, \dots, a_0) \times (b_{\ell-1}, \dots, b_0) = x$. (ii) Then
convert it into a conjunctive form formula $F_x$. In fact, there is a standard way to
transform a circuit into a conjunctive form formula (see Lemma 3.1), by which we can
construct a conjunctive form formula $F_x$ with the following property:
$$[\,C_x(a_{\ell-1}, \dots, a_0, b_{\ell-1}, \dots, b_0) = 1\,] \ (\iff [\,(a_{\ell-1}, \dots, a_0) \times (b_{\ell-1}, \dots, b_0) = x\,]) \iff \exists u_1, \dots, u_t\ [\,F_x(a_{\ell-1}, \dots, a_0, b_{\ell-1}, \dots, b_0, u_1, \dots, u_t) = \mathrm{true}\,].$$
Clearly, this $F_x$ is also good enough for our purpose. Furthermore, the size of $F_x$, i.e.,
the number of variables and clauses, is closely related to the number of gates of the circuit
$C_x$. Thus, our goal is now to design a test circuit $C_x$ with a small number of gates.
We can easily think of an $O(\ell^2)$ size circuit that multiplies two $\ell$ bit numbers,
which gives a test circuit $C^{\mathrm{naive}}_x$ of almost the same size. For multiplication,
asymptotically the best algorithm (so far) is obtained by using the Fast Fourier Transform
([SS71]; see also [Knu81]). By using this algorithm, we can design $C^{\mathrm{FFT}}_x$ with
$O(\ell \log \ell \log\log \ell)$ gates. Unfortunately, though, due to its large constant
factor, the size of circuits (and thus formulas) obtained in this way becomes quite large in
practice.
In this paper, we construct test circuits based on the Chinese Remainder Theorem. Let
$m_1, \dots, m_k$ be pairwise relatively prime numbers, and let $m = m_1 \cdot m_2 \cdots m_k$.
The Chinese Remainder Theorem claims that for any $x_1, \dots, x_k$ such that $0 \le x_i < m_i$
for each $i$, there exists a unique $y$, $0 \le y < m$, such that $y \bmod m_i = x_i$ for all
$i$, $1 \le i \le k$. The following fact is immediate from this claim.
Fact 1. For any $x \ge 0$ of $2\ell$ bits, let $m_1, \dots, m_k$ be relatively prime numbers
such that $m = m_1 \cdot m_2 \cdots m_k \ge 2^{2\ell}$. For any $\ell$ bit numbers $p, q$,
$p \times q = x$ if and only if $p \times q \equiv x \pmod{m_i}$ for all $i$, $1 \le i \le k$.
Let $m_1, \dots, m_k$ be relatively prime numbers such that $m = m_1 \cdot m_2 \cdots m_k \ge 2^{2\ell}$
for our $x$. (Recall $x$ is the product of two $\ell$ bit prime numbers.) Then we may consider
the following circuit $C^{\mathrm{ex2}}_x$ that checks whether $u \times v = x$, for given two
numbers $u = (a_{\ell-1}, \dots, a_0)$ and $v = (b_{\ell-1}, \dots, b_0)$.
(Step 1) For every $i$, $1 \le i \le k$, compute $u_i = u \bmod m_i$ and $v_i = v \bmod m_i$.
(Also for every $i$, $1 \le i \le k$, let $x_i = x \bmod m_i$. Note that these $x_i$'s are
constants and we do not have to compute them.)
(Step 2) For every $i$, $1 \le i \le k$, check whether $u_i \times v_i \equiv x_i \pmod{m_i}$.
If all of them hold, then output 1; otherwise, output 0.
Since the length of each $u_i$ and $v_i$ is much smaller than that of $u$ and $v$, we may
expect to reduce the complexity of checking. Note, however, that it is now necessary to
compute each $u_i$ and $v_i$, which is not so cheap in general. Also we need to compute
$u_i \cdot v_i$ modulo $m_i$. Here we use integers of the form $2^{e_i} - 1$ for each $m_i$.
Then we can reduce the cost of computing $u_i$, $v_i$, and $u_i \cdot v_i \bmod m_i$. As
explained below (Claim 1), we can compute each $u_i$ (resp., $v_i$) by some $O(\ell)$-size
circuit. Also it will be shown later (Claim 6) that the cost of computing
$u_i \cdot v_i \bmod m_i$ is almost the same as that of ordinary multiplication; hence, this
task can be done by an $O(e_i^2)$-size circuit because both $u_i$ and $v_i$ are $e_i$ bit
integers.
Note also that $2^e - 1$ and $2^{e'} - 1$ are relatively prime if and only if $e$ and $e'$
are (see Fact 2 below). Since Fact 1 needs $m \ge 2^{2\ell}$, we can use, e.g., $e_1 = \ell$
and $e_2 = \ell + 1$. On the other hand, if we want to divide the checking into small pieces,
we may choose the first $k$ prime numbers for $e_1, e_2, \dots, e_k$ such that
$e_1 + e_2 + \cdots + e_k > 2\ell + k$ (where $+k$ is a margin that covers the $-1$ in each
$2^{e_i} - 1$, since $2^{e_i} - 1 \ge 2^{e_i - 1}$). In this case, we can bound $k$ and $e_k$
by $O(e_k / \log e_k)$ and $O((\ell \log \ell)^{1/2})$ respectively, and thus, the size of
the test circuit $C^{\mathrm{ex2}}_x$ is bounded by $O(\ell^{3/2} (\log \ell)^{1/2})$ [Hor97].
Fact 2. For any $e, e' \ge 1$, $2^e - 1$ and $2^{e'} - 1$ are relatively prime if and only
if so are $e$ and $e'$.
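The parameter choice just described and the Step 1/Step 2 test, as an added worked example in Python (not code from the paper): it picks the smallest primes $e_i$ with $e_1 + \cdots + e_k > 2\ell + k$, checks Fact 2 on them, runs the residue test of $C^{\mathrm{ex2}}_x$ with ordinary integer arithmetic, and confirms Fact 1 by brute force on a toy $\ell = 8$ instance. The primes $p = 251$, $q = 241$ and all function names are this example's own choices; residues are taken with `%` here, whereas Claim 1 and Claim 5 show how a circuit obtains them with $O(\ell)$ gates for moduli of the form $2^e - 1$.

```python
"""Section 2's CRT test (Facts 1 and 2) in plain integer arithmetic.
Added example; it is not code from the paper.  Residues use '%'; in the
paper's circuits they come from digit sums because every modulus is 2^e - 1."""
from itertools import count
from math import gcd


def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def choose_exponents(ell):
    """Smallest primes e_1 < ... < e_k with e_1 + ... + e_k > 2*ell + k.

    Distinct primes are pairwise coprime, so by Fact 2 the moduli 2^e_i - 1 are
    pairwise coprime too, and since 2^e - 1 >= 2^(e-1) their product is at
    least 2^(sum e_i - k) > 2^(2*ell), which is what Fact 1 requires."""
    es = []
    for n in count(2):
        if is_prime(n):
            es.append(n)
            if sum(es) > 2 * ell + len(es):
                return es


def moduli(es):
    return [(1 << e) - 1 for e in es]


def fact2_holds(e1, e2):
    """gcd(2^e1 - 1, 2^e2 - 1) = 2^gcd(e1, e2) - 1: coprime moduli iff coprime exponents."""
    return (gcd((1 << e1) - 1, (1 << e2) - 1) == 1) == (gcd(e1, e2) == 1)


def crt_test(x, u, v, es):
    """C^ex2_x: Step 1 takes residues, Step 2 accepts iff u_i * v_i == x_i (mod m_i) for all i."""
    return all((u % m) * (v % m) % m == x % m for m in moduli(es))


def accepted_pairs(x, ell, es):
    """Every pair of ell-bit u, v that passes the residue test.  By Fact 1 this
    is exactly the set of pairs with u * v == x, because u * v < 2^(2*ell) <= m."""
    return sorted((u, v) for u in range(1 << ell) for v in range(1 << ell)
                  if crt_test(x, u, v, es))


def demo(p, q, ell):
    """Toy instance: x = p*q for two ell-bit primes (constructed inputs)."""
    x = p * q
    es = choose_exponents(ell)
    m = 1
    for mi in moduli(es):
        m *= mi
    assert m >= 1 << (2 * ell)                        # Fact 1's precondition
    assert all(fact2_holds(a, b) for a in es for b in es)
    return es, accepted_pairs(x, ell, es)


if __name__ == "__main__":
    es, pairs = demo(251, 241, 8)
    print("exponents:", es, "accepted (u, v):", pairs)
```

For $\ell = 8$ the rule selects $e = 2, 3, 5, 7, 11$ and the brute force returns only $(241, 251)$ and $(251, 241)$, i.e. the residue checks are equivalent to $u \times v = x$ on the whole input range, exactly as Fact 1 states.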
Now to get an asymptotically better bound, we consider applying the Chinese Remainder
Theorem recursively. That is, we break down the test of $u_i \times v_i \equiv x_i \pmod{m_i}$
yet further. Unfortunately, however, a characterization like Fact 1 does not hold in general.
For example, while we have $12 \times 12 \equiv 20 \pmod{2^5 - 1}$, $12 \equiv 5 \pmod{2^3 - 1}$,
and $20 \equiv 6 \pmod{2^3 - 1}$, it does not hold that $5 \times 5 \equiv 6 \pmod{2^3 - 1}$.
Here we extend Fact 1 as follows.
Fact 3. For any $n \ge 1$ of $e$ bits, let $m_1, \dots, m_k$ be relatively prime numbers such
that $m = m_1 \cdot m_2 \cdots m_k \ge 2^{2e}$. Then for any $u, v$, and $y$, $0 \le u, v, y < n$,
we have $u \times v \equiv y \pmod{n}$ if and only if
$$\exists w : 0 \le w < 2^{2e}\ \Bigl[\, w \equiv y \pmod{n} \ \text{ and } \ \bigwedge_{1 \le i \le k} u \times v \equiv w \pmod{m_i} \,\Bigr].$$
For any number $y$, and for any $e$ such that $y < 2^e$, we define a circuit
$C^{\mathrm{rec}}_{y,e}$ that checks whether $u \times v \equiv y \pmod{2^e - 1}$. (We will
see that $C^{\mathrm{rec}}_{x,2\ell}$ can be used as a test circuit.) Intuitively, for given
$u$ and $v$, we may consider that $C^{\mathrm{rec}}_{y,e}$ achieves the following
nondeterministic computation.
Let $e_1, \dots, e_k$ be relatively prime numbers such that $(2^{e_1} - 1) \cdots (2^{e_k} - 1) \ge 2^{2e}$.
(Step 1) Guess $w$, $0 \le w < 2^{2e}$, and check whether $w \equiv y \pmod{2^e - 1}$.
(Step 2) For every $i$, $1 \le i \le k$, compute $u_i = u \bmod (2^{e_i} - 1)$,
$v_i = v \bmod (2^{e_i} - 1)$, and $w_i = w \bmod (2^{e_i} - 1)$.
(Step 3) For every $i$, $1 \le i \le k$, check whether $u_i \times v_i \equiv w_i \pmod{2^{e_i} - 1}$
by using $C^{\mathrm{rec}}_{w_i,e_i}$. If all of them hold, then output 1; otherwise, output 0.
We consider that $C^{\mathrm{rec}}_{y,e}$ accepts $u$ and $v$ if it outputs 1 on some guess
$w$. Formally, $C^{\mathrm{rec}}_{y,e}$ is a circuit with some additional input gates for $w$,
and $C^{\mathrm{rec}}_{y,e}$ accepts $u$ and $v$ if and only if
$C^{\mathrm{rec}}_{y,e}(u, v, w, w') = 1$ for some $w$ and $w'$. (Input $w'$ is used for
nondeterministic guesses in the recursive computation.) Then, it follows from Fact 3 that
$u \times v \equiv y \pmod{2^e - 1}$ holds if and only if $C^{\mathrm{rec}}_{y,e}(u, v, w, w') = 1$
for some $w$ and $w'$.
In order to determine $C^{\mathrm{rec}}_{y,e}$ precisely, we need to define $k$ and the way
to select $e_1, \dots, e_k$. Here we define $k = k(e)$ by using some unbounded but slowly
increasing function $k$, e.g., $k(e) = \log e$. For $e_1 < \dots < e_k$, we choose the
smallest $k$ primes larger than $(2e + k)/k$. Then we have
$(2^{e_1} - 1) \cdots (2^{e_k} - 1) \ge 2^{2e}$. It is easy to see that our choice of
parameters yields a circuit achieving the desired test.
Lemma 2.1. The size of $C^{\mathrm{rec}}_{y,e}$ is $O(e^{1+\varepsilon})$ for any $\varepsilon > 0$.
Proof. Here we fix any $\varepsilon > 0$, and show that there exists some constant $c$ such
that $\mathrm{size}(C^{\mathrm{rec}}_{y,e}) \le c \cdot e^{1+\varepsilon}$ for sufficiently
large $y$ and $e$. In the following discussion, let us also fix $y$ and $e$.
First we give an upper bound for computing $u \bmod (2^f - 1)$ for a given $u$. Although
results are from 0 to $2^f - 2$, we allow the use of $2^f - 1$, which is regarded as 0. Thus,
the binary representation of 0 is either $(0, 0, \dots, 0)$ or $(1, 1, \dots, 1)$. We call this
slightly relaxed way to represent numbers modulo $2^f - 1$ an extended binary representation.
The notation $u \bmod' (2^f - 1)$ is used to denote $u \bmod (2^f - 1)$ in the extended
binary representation. In order to distinguish it from $(1, 1, \dots, 1)$, we call
$(0, 0, \dots, 0)$ the real 0 representation.
For our analysis, we need the following claim. (The claim is proved as a special case of the
corresponding one in Section 3. Thus, we omit its proof.)
Claim 1. For any $f \ge 1$, we can construct a circuit $\mathrm{MOD}_{e,f}$ with the following properties.
(1) $\mathrm{MOD}_{e,f}$ is an $e$ input and $f$ output circuit.
(2) On input $u$, $0 \le u \le 2^e - 1$, $\mathrm{MOD}_{e,f}(u)$ yields $u \bmod' (2^f - 1)$.
Also the output becomes the real 0 representation if and only if $u = 0$.
(3) The size of $\mathrm{MOD}_{e,f}$ is bounded by $c_1 \cdot e$ for some constant $c_1$.
Now we show, by induction on $e$, that $\mathrm{size}(C^{\mathrm{rec}}_{y,e}) \le c \cdot e^{1+\varepsilon}$.
From the outline of $C^{\mathrm{rec}}_{y,e}$, we have the following bound.
$$\begin{aligned}
\mathrm{size}(C^{\mathrm{rec}}_{y,e}) &= \sum_{i=1}^{k} \Bigl( \mathrm{size}(C^{\mathrm{rec}}_{y_i,e_i}) + 2\,\mathrm{size}(\mathrm{MOD}_{e,e_i}) + \mathrm{size}(\mathrm{MOD}_{2e,e_i}) \Bigr) + \mathrm{size}(\mathrm{MOD}_{2e,e}) + k \\
&\le \sum_{i=1}^{k} \bigl( c \cdot e_i^{1+\varepsilon} + 2c_1 \cdot e + c_1 \cdot 2e \bigr) + c_1 \cdot 2e + k \ \le\ \sum_{i=1}^{k} c \cdot e_i^{1+\varepsilon} + c_2 \cdot ke.
\end{aligned}$$
Here the term $+k$ is for the number of AND gates that summarize the checks at (Step 1) and
(Step 3).
Recall that we assume that $k$ is determined by a slowly growing function, and that
$e_1 < e_2 < \dots < e_k$ are the smallest $k$ primes larger than $(2e + k)/k$. Hence, by
using the Prime Number Theorem, we can bound $e_k$ by $3e/k$ (for sufficiently large $e$).
Thus, we have
$$\mathrm{size}(C^{\mathrm{rec}}_{y,e}) \le ck \cdot e_k^{1+\varepsilon} + c_2 \cdot ke \le ck \left( \frac{3e}{k} \right)^{1+\varepsilon} + c_2 \cdot e^{1+\varepsilon},$$
which is bounded by $c e^{1+\varepsilon}$ if $k$ (i.e., $k(e)$) is large enough. ⊔⊓
Finally, we define a SAT instance $F^{\mathrm{rec}}_x$. Precisely speaking,
$C^{\mathrm{rec}}_{x,2\ell}$ is not a test circuit $C_x$; but $C_x(u, v) = 1$ if and only if
the partially assigned circuit $C^{\mathrm{rec}}_{x,2\ell}(u, v, -, -)$ is satisfiable.
Hence, the standard transformation from circuits to conjunctive normal form formulas
(Lemma 3.1) yields a SAT instance $F^{\mathrm{rec}}_x$ with the desired property.
Furthermore, the size of $F^{\mathrm{rec}}_x$ is almost the same as that of
$C^{\mathrm{rec}}_{x,2\ell}$. Therefore, the following theorem holds.
Theorem 2.2. For any $\varepsilon > 0$, we can construct SAT instances with
$O(\ell^{1+\varepsilon})$ variables and clauses (in the conjunctive normal form) that are as
hard as factorizing the product of two $\ell$ bit prime numbers.
3. Concrete Examples
Here we examine the applicability of our method with some concrete examples, i.e., the
cases where ℓ = 30, 40, ... . For such examples, to reduce the size of formulas, we need
some small techniques different from the previous section; in fact, the recursive application
of the Chinese Remainder Theorem does not work due to its large constant factor.
First we state our construction, and then estimate the size of obtained Boolean for-
mulas. Here we follow the same approach as Section 2; that is, for any x, a product of
two ℓ bit prime numbers p and q, we first define a test circuit and transform it to a SAT
instance. We fix x, p, and q in the following discussion.
The key task is to test whether $u \times v = x$ for given $u$ and $v$. By using the Chinese
Remainder Theorem, we divide this test into small pieces of similar tests. Since we cannot
apply the Chinese Remainder Theorem recursively, we would like to divide the test into pieces
as small as possible. For example, we may choose the smallest $k$ prime numbers
$e_1, \dots, e_k$ such that $e_1 + \cdots + e_k \ge 2\ell + k$ and achieve the test by checking
whether $u_i \times v_i \equiv x_i \pmod{m_i}$ for all $i$, $1 \le i \le k$, where
$m_i = 2^{e_i} - 1$, $u_i = u \bmod m_i$, $v_i = v \bmod m_i$, and $x_i = x \bmod m_i$. Our
main idea here is to use $m'_i = 2^{e_i} + 1$ as well as $m_i = 2^{e_i} - 1$. We also use
$m_0 = 2^{e_0}$ for some $e_0 \ge 1$. (In the following, we let $u'_i = u \bmod m'_i$,
$v'_i = v \bmod m'_i$, $x'_i = x \bmod m'_i$, $u_0 = u \bmod m_0$, $v_0 = v \bmod m_0$, and
$x_0 = x \bmod m_0$.)
Note that for any $e$, one of $2^e - 1$ and $2^e + 1$ is divisible by 3; but 3 is the largest
common factor of $2^e \pm 1$ and $2^{e'} \pm 1$ for any relatively prime $e$ and $e'$. Also
$2^e$ is relatively prime to any $2^{e'} \pm 1$.
Fact 4. For any relatively prime numbers $e, e' \ge 2$, $\gcd(2^e \pm 1, 2^{e'} \pm 1) = 1$
or 3. (Clearly, $\gcd(2^e - 1, 2^e + 1) = 1$.)
We note that the Chinese Remainder Theorem (i.e., Fact 1) works if
$\mathrm{lcm}(m_0, m_1, \dots, m_k, m'_1, \dots, m'_k) \ge 2^{2\ell}$; since the moduli are no
longer pairwise relatively prime, it is their least common multiple, not their product, that
bounds the range on which the residues determine $u \times v$. Hence, roughly speaking, it is
enough to choose relatively prime numbers $e_1, \dots, e_k$ and some $e_0$ such that
$2(e_1 + \cdots + e_k) + e_0 - k \log 3 > 2\ell$. Clearly, this idea enables us to choose
smaller moduli. Furthermore, there is another advantage of using both $m_i = 2^{e_i} - 1$
and $m'_i = 2^{e_i} + 1$. As we see below (Claim 5), most of the computation of
$u_i = u \bmod m_i$ and $u'_i = u \bmod m'_i$ can be shared, and $u'_i$ is computable almost
as a byproduct of $u_i$. It is also shown (Claim 6) that the multiplication cost modulo
$m'_i$ is almost the same as the multiplication cost modulo $m_i$.
To summarize, we choose $e_0, e_1, \dots, e_k$ so that
$\mathrm{lcm}(m_0, m_1, \dots, m_k, m'_1, \dots, m'_k) \ge 2^{2\ell}$, and construct
$C^{\mathrm{cex}}_x$ that tests whether $u \times v = x$ for given inputs $u$ and $v$ in the
following way.
(Step 1) Compute $u_i, u'_i, v_i$, and $v'_i$ for every $i$, $1 \le i \le k$. (Note that $u_0$
(resp., $v_0$) is just the last $e_0$ bits of $u$ (resp., $v$), and hence, we do not need to
compute them.)
(Step 2) Check whether $u_i \times v_i \equiv x_i \pmod{m_i}$ and
$u'_i \times v'_i \equiv x'_i \pmod{m'_i}$ for every $i$, $1 \le i \le k$, and also check
whether $u_0 \times v_0 \equiv x_0 \pmod{m_0}$. If all of them hold, then output 1;
otherwise, output 0.
Now we estimate the size of $C^{\mathrm{cex}}_x$ in detail. First we remark on the type of
gates used in circuits. Though it is standard to construct circuits by using 2-fan-in gates,
here we also use 3-fan-in gates, since 3-fan-in gates are useful for addition and
subtraction. Clearly, we can reduce circuit size by using $k$-fan-in gates for larger $k$;
but the number of clauses in the conjunctive form grows proportionally to $2^k$. Here by
using 3-fan-in gates, we can not only simplify our argument, but also reduce the total
number of clauses in the conjunctive form. In the following, in order to distinguish the
number of 2-fan-in and 3-fan-in gates, we write, e.g., $\mathrm{size}(C) = 320 + 1500$, by
which we mean that $C$ consists of 320 3-fan-in gates and 1500 2-fan-in gates.
First we state a precise relationship between a circuit C and a SAT instance F trans-
formed from C by the standard reduction.
Lemma 3.1. Let C be a circuit with n inputs, s1 fan-in-2 gates, and s2 fan-in-3 gates;
let m = s1 + s2. From this C, we can construct a formula F in the extended conjunctive
form with n+m variables and m clauses that simulates C in the following sense:
[ C(a1, ..., an) = 1 ] ⇔ ∃u1, ..., um [ F (a1, ..., an, u1, ..., um) = true ].
The formula can be transformed into the 4-conjunctive normal form with at most 4s1+8s2
clauses.
Next we prepare circuits for some basic arithmetic operations.
Claim 2. The addition of a one bit number to an $e$ bit number is computable by a circuit
$\mathrm{INC}_e$ with $\mathrm{size}(\mathrm{INC}_e) = 2e$. We use $\mathrm{inc}(e)$ to denote
this circuit size.
Proof. The circuit $\mathrm{INC}_e$ is defined as in Figure 1 below. Here gates with label ⊕
are exclusive-or gates. ⊔⊓
[Fig. 1: Circuit $\mathrm{INC}_e$; a chain of ⊕ and carry gates over the inputs
$a_0, a_1, a_2, \dots$ (figure not reproduced).]
Claim 3. The addition of two $e$ bit numbers is computable by a circuit $\mathrm{ADD}_e$ with
$\mathrm{size}(\mathrm{ADD}_e) = 2e$. We use $\mathrm{add}(e)$ to denote this circuit size.
Proof. The circuit $\mathrm{ADD}_e$ is defined as in Figure 2 below. Here gates with label C
are gates computing the current bit from two input bits and a carry. ⊔⊓
[Fig. 2: Circuit $\mathrm{ADD}_e$; a chain of C gates over the input pairs
$(a_0, b_0), (a_1, b_1), (a_2, b_2), \dots$ (figure not reproduced).]
Claim 4. The subtraction of two $e$ bit numbers is computable by a circuit $\mathrm{SUB}_e$
with $\mathrm{size}(\mathrm{SUB}_e) = 2e$. More precisely, $\mathrm{SUB}_e$ takes two $e$ bit
numbers $u$ and $v$ as input, and outputs $(u - v) \bmod 2^e$ and $c$ indicating whether
$u - v \ge 0$ ($c = 0$ if $u - v \ge 0$, and $c = 1$ otherwise). We use $\mathrm{sub}(e)$ to
denote this circuit size.
Claim 5. We can construct a circuit $\mathrm{MOD}_e$ with the following properties.
(1) $\mathrm{MOD}_e$ is an $\ell$ input and $2e + 1$ output circuit.
(2) On input $u$, $\mathrm{MOD}_e(u)$ yields $u \bmod' (2^e - 1)$ and $u \bmod (2^e + 1)$ at
the first $e$ output gates and the last $e + 1$ gates respectively.
(3) The size of $\mathrm{MOD}_e$ is $2\ell + 2e + 4e + 2\ell'$, where $\ell' = \ell - (\ell \bmod e)$.
Proof. Let $u$ be an $\ell$ bit number, for which we want to compute $s = u \bmod' (2^e - 1)$
and $t = u \bmod (2^e + 1)$. Let $(u_0, \dots, u_{h-1})$ be its base $2^e$ representation.
That is, $u = u_0 + u_1 2^e + u_2 2^{2e} + \cdots + u_{h-1} 2^{(h-1)e}$, where
$h = \lceil \ell / e \rceil$. Here we assume that $h - 1$ is even and $h - 1 = 2h'$ for some
$h'$. (The odd case is treated similarly.) Then we have
$$\begin{aligned}
s &= (u_0 + u_1 + u_2 + u_3 + \cdots + u_{2h'}) \bmod' (2^e - 1) \\
  &= \bigl( (u_0 + u_2 + \cdots + u_{2h'}) + (u_1 + u_3 + \cdots + u_{2h'-1}) \bigr) \bmod' (2^e - 1), \ \text{and} \\
t &= (u_0 - u_1 + u_2 - u_3 + \cdots + u_{2h'}) \bmod (2^e + 1) \\
  &= \bigl( (u_0 + u_2 + \cdots + u_{2h'}) - (u_1 + u_3 + \cdots + u_{2h'-1}) \bigr) \bmod (2^e + 1).
\end{aligned}$$
Note also that for any $x, y$, $0 \le x, y \le 2^e$, we have
$$(x + y) \bmod' (2^e - 1) = (x + y) \bmod 2^e + c_{x,y}, \quad\text{and}\quad (x + y) \bmod (2^e + 1) = (x + y) \bmod 2^e - c_{x,y},$$
where $c_{x,y}$ is the $(e+1)$th bit of $x + y$, or the $e$th carry of $x + y$.
These observations suggest that we compute the following $v^+$ and $v^-$:
$$\begin{aligned}
v^+ &= \bigl( (\cdots ((u_0 + u_2) \bmod 2^e + u_4 + c_3) \bmod 2^e + \cdots) + u_{2h'} + c_{2h'-1} \bigr) \bmod 2^e, \ \text{and} \\
v^- &= \bigl( (\cdots ((u_1 + u_3 + c_2) \bmod 2^e + u_5 + c_4) \bmod 2^e + \cdots) + u_{2h'-1} + c_{2h'-2} \bigr) \bmod 2^e,
\end{aligned}$$
where $c_i$ is the $e$th carry of the addition of the partial sum $\alpha_{i-2}$ and
$u_i + c_{i-1}$. That is, the carry produced while adding $u_i$ into one chain is fed into
the next step of the other chain: a carry has weight $2^e$, which is $+1$ modulo $2^e - 1$
but $-1$ modulo $2^e + 1$, so it carries the sign of $u_{i+1}$. Figure 3 illustrates this
computation.
[Fig. 3: Computation of $v^+$ and $v^-$. Even chain: $u_0 + u_2 \to (c_2, \alpha_2)$;
$\alpha_2 + u_4 + c_3 \to (c_4, \alpha_4)$; ...; $\alpha_{2h'-2} + u_{2h'} + c_{2h'-1} \to (c_{2h'}, v^+)$.
Odd chain: $u_1 + u_3 + c_2 \to (c_3, \alpha_3)$; $\alpha_3 + u_5 + c_4 \to (c_5, \alpha_5)$;
...; $\alpha_{2h'-3} + u_{2h'-1} + c_{2h'-2} \to (c_{2h'-1}, v^-)$.]
Then it is easy to see that $s$ and $t$ are obtained by
$$s = (v^+ + v^- + c_{2h'}) \bmod 2^e + c^+, \quad\text{and}\quad t = (v^+ - v^- - c_{2h'}) \bmod 2^e + c^-,$$
where $c^+$ and $c^-$ are respectively the $e$th carry of $v^+ + v^- + c_{2h'}$ and the
negative $e$th carry of $v^+ - v^- - c_{2h'}$.
Our circuit $\mathrm{MOD}_e$ is defined following this outline. Recall that $\mathrm{ADD}_e$
can be modified with no additional gate for adding two numbers with a carry (Claim 3); the
same property holds for $\mathrm{SUB}_e$. Thus, the size of $\mathrm{MOD}_e$ is estimated as
follows.
$$\begin{aligned}
\mathrm{size}(\mathrm{MOD}_e) &= (2h' - 1)\,\mathrm{add}(e) + \mathrm{add}(\ell'') + \mathrm{add}(e) + \mathrm{sub}(e) + \mathrm{inc}(\ell') + 2\,\mathrm{inc}(e) \\
&= (h - 2)\,2e + 2\ell'' + 4e + 2\ell' + 4e = 2\ell + 2e + 4e + 2\ell'.
\end{aligned}$$
Here $\ell'' = \ell \bmod e$ and $\ell' = \ell - \ell''$. Note that adding $u_{2h'}$ to the
partial sum is computed with two circuits $\mathrm{ADD}_{\ell''}$ and $\mathrm{INC}_{\ell'}$. ⊔⊓
Claim 6. For any $e \ge 1$, we can construct circuits $\mathrm{MULT}_e$ and $\mathrm{MULT}'_e$
with the following properties.
(1) $\mathrm{MULT}_e$ is a $2e$ input and $e$ output circuit, and $\mathrm{MULT}'_e$ is a
$2(e + 1)$ input and $e + 1$ output circuit.
(2) For any pair of input integers $u$ and $v$, $0 \le u, v \le 2^e - 1$, $\mathrm{MULT}_e$
computes $u \cdot v \bmod' (2^e - 1)$. Similarly, for any pair of input integers $u$ and $v$,
$0 \le u, v \le 2^e$, $\mathrm{MULT}'_e$ computes $u \cdot v \bmod (2^e + 1)$.
(3) The sizes of $\mathrm{MULT}_e$ and $\mathrm{MULT}'_e$ are bounded by $2(e - 1)e + e^2 + 2e$
and $2e^2 + e + 1 + e^2 + 4e$ respectively.
Proof. First we consider $\mathrm{MULT}_e$. Consider any integers $u, v$,
$0 \le u, v \le 2^e - 1$; let $(a_{e-1}, \dots, a_0)$ and $(b_{e-1}, \dots, b_0)$ be the binary
representations of $u$ and $v$ respectively. Intuitively, $w = u \cdot v \bmod (2^e - 1)$ is
computed as in Figure 4. More specifically, it is computed as (1) below. Here
$u_i = (a_{e-i-1}, \dots, a_0, a_{e-1}, \dots, a_{e-i}) \times b_i$, i.e., the $i$-bit cyclic
rotation of $u$ (which is $u \cdot 2^i \bmod (2^e - 1)$) masked by $b_i$; that is, each bit of
$u_i$ is computed as $a_j \wedge b_i$. Hence, for computing $w$, we need $e - 1$
$\mathrm{ADD}_e$ circuits, one $\mathrm{INC}_e$ circuit (which adds the final carry
$c_{e-1}$), and $e^2$ AND gates.
[Fig. 4: $u \cdot v \bmod (2^e - 1)$ as a rotate-and-add tableau (carries omitted):
$a_{e-1} a_{e-2} \cdots a_1 a_0 \times b_0$;
$a_{e-2} \cdots a_1 a_0 a_{e-1} \times b_1$;
...;
$a_0 a_{e-1} a_{e-2} \cdots a_1 \times b_{e-1}$; the rows are added to give $w$.]
$$w = \bigl( (\cdots (((u_0 + u_1) \bmod 2^e + u_2 + c_1) \bmod 2^e) \cdots) + u_{e-1} + c_{e-2} \bigr) \bmod 2^e. \tag{1}$$
Thus, the size of $\mathrm{MULT}_e$ is estimated as follows.
$$\mathrm{size}(\mathrm{MULT}_e) = (e - 1)\,\mathrm{add}(e) + \mathrm{inc}(e) + e^2 = 2(e - 1)e + e^2 + 2e.$$
Next we define the circuit $\mathrm{MULT}'_e$. This time $u$ and/or $v$ can be $2^e$. Hence,
we need to represent them as $(a_e, \dots, a_0)$ and $(b_e, \dots, b_0)$; but let us also
consider $u' = (a_{e-1}, \dots, a_0)$ and $v' = (b_{e-1}, \dots, b_0)$. Then we have
$$w = u \cdot v \bmod (2^e + 1) = \bigl( u' \cdot v' \bmod (2^e + 1) - (u'' + v'') + a_e \cdot b_e \bigr) \bmod (2^e + 1),$$
where $u'' = u' \cdot b_e$ and $v'' = v' \cdot a_e$. (This follows from $u = u' + a_e 2^e$,
$v = v' + b_e 2^e$, $2^e \equiv -1$ and $2^{2e} \equiv 1 \pmod{2^e + 1}$.)
We first consider how to compute $u' \cdot v' \bmod (2^e + 1)$. Just compute $u' \cdot v'$
in the standard way, which gives us a $2e$ bit number. Let $w^-$ and $w^+$ denote the
numbers at the first $e$ bits and the last $e$ bits respectively. Then we have
$u' \cdot v' \bmod (2^e + 1) = (w^+ - w^-) \bmod 2^e + c$, where $c$ is the negative $e$th
carry of $w^+ - w^-$. Thus, $w$ is obtained by $(w^+ - (w^- + u'' + v'')) \bmod 2^e + c + a_e \cdot b_e$.
Notice here that at most one of $w^-, u'', v''$ is nonzero. Hence, $w^- + u'' + v''$ is
computable by bit-wise or, which can be done by $e$ 3-fan-in OR gates. Similarly, if
$a_e \cdot b_e = 1$, then the other term for $w$ is zero. Thus, the size of our circuit
$\mathrm{MULT}'_e$, which computes $w$ following this outline, is estimated as follows.
$$\begin{aligned}
\mathrm{size}(\mathrm{MULT}'_e) &= (\#\text{ of gates for } u' \cdot v') + (\#\text{ of gates for } u'' \text{ and } v'') + (\#\text{ of gates for } w^- + u'' + v'') \\
&\quad + \mathrm{sub}(e) + \mathrm{inc}(e) + (\#\text{ of gates for } {+}\,a_e \cdot b_e) \\
&= 2(e - 1)e + e^2 + 2e + e + 2e + 2e + 1 = 2e^2 + e + 1 + e^2 + 4e.
\end{aligned}$$
⊔⊓
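Claims 5 and 6 as an added worked example in Python (not the paper's code): `mod_both` computes $u \bmod' (2^e - 1)$ and $u \bmod (2^e + 1)$ from the base-$2^e$ digits with the two cross-fed carry chains of Figure 3, `mult_mersenne` is $\mathrm{MULT}_e$'s rotate-and-add with end-around carry, and `mult_fermat` is $\mathrm{MULT}'_e$'s reduction of $u' \cdot v'$ followed by the $u''$, $v''$ and $a_e \cdot b_e$ corrections. All function names are this example's own; the exhaustive checks compare against ordinary integer arithmetic, reading a result of $2^e - 1$ as the extended representation of 0.

```python
"""Bit-level arithmetic modulo 2^e - 1 and 2^e + 1 following Claims 5 and 6.
Added example, not the paper's code; every helper name is this example's own.
A result equal to 2^e - 1 is the 'extended' representation of 0 (u mod')."""


def mod_both(u, e):
    """MOD_e of Claim 5: returns (u mod' (2^e - 1), u mod (2^e + 1)).

    Digits of u in base 2^e are summed on two chains, even-index digits on one
    and odd-index digits on the other.  A carry out of a chain has weight 2^e,
    which is +1 mod 2^e - 1 but -1 mod 2^e + 1, i.e. it has the sign of the
    next digit, so it is fed into the other chain (Figure 3)."""
    mask = (1 << e) - 1
    acc = [0, 0]        # partial sums alpha_i of the even and odd chains
    pending = [0, 0]    # carry waiting to enter chain 0 / chain 1
    i = 0
    while u:
        ch = i & 1
        total = acc[ch] + (u & mask) + pending[ch]
        pending[ch] = 0
        acc[ch] = total & mask
        pending[1 - ch] = total >> e
        u >>= e
        i += 1
    s = acc[0] + acc[1] + pending[0] + pending[1]      # v+ + v- + final carry
    while s > mask:                                    # c+ via end-around carry
        s = (s & mask) + (s >> e)
    t = acc[0] + pending[0] - acc[1] - pending[1]      # v+ - v- - final carry
    if t < 0:                                          # negative carry c-: add 2^e + 1
        t += mask + 2
    return s, t


def mult_mersenne(u, v, e):
    """MULT_e of Claim 6: sum of cyclic rotations of u selected by the bits of v,
    each addition folding its e-th carry back in (u mod' (2^e - 1) output)."""
    mask = (1 << e) - 1
    w = 0
    for i in range(e):
        if (v >> i) & 1:
            rot = ((u << i) | (u >> (e - i))) & mask   # u * 2^i mod (2^e - 1)
            w += rot
            w = (w & mask) + (w >> e)                  # end-around carry
    return w


def mult_fermat(u, v, e):
    """MULT'_e of Claim 6 for 0 <= u, v <= 2^e:
    w = (u'v' - (u'' + v'') + a_e b_e) mod (2^e + 1)."""
    mask = (1 << e) - 1
    ae, be = u >> e, v >> e             # top bits, set only when u (resp. v) == 2^e
    up, vp = u & mask, v & mask         # u', v'
    full = up * vp                      # ordinary 2e-bit product
    low, high = full & mask, full >> e  # 2^e == -1, so u'v' == low - high
    corr = high + up * be + vp * ae     # at most one of the three terms is nonzero
    t = low - corr
    if t < 0:                           # borrow: add 2^e + 1
        t += mask + 2
    return (t + ae * be) % (mask + 2)


def mod_both_matches(e, ell):
    """Exhaustive check of mod_both against integer arithmetic for all u < 2^ell."""
    m1, m2 = (1 << e) - 1, (1 << e) + 1
    for u in range(1 << ell):
        s, t = mod_both(u, e)
        if s % m1 != u % m1 or not 0 <= s <= m1 or t != u % m2:
            return False
    return True


def mults_match(e):
    """Exhaustive check of both multipliers on their whole input ranges."""
    m1, m2 = (1 << e) - 1, (1 << e) + 1
    for u in range(m1 + 1):
        for v in range(m1 + 1):
            w = mult_mersenne(u, v, e)
            if w % m1 != (u * v) % m1 or not 0 <= w <= m1:
                return False
    for u in range(m2):
        for v in range(m2):
            if mult_fermat(u, v, e) != (u * v) % m2:
                return False
    return True
```

The paper's counterexample to naive recursion, $12 \times 12 \equiv 20 \pmod{31}$, is reproduced by `mult_mersenne(12, 12, 5)`; the exhaustive checks show that the cross-fed carries and the single end-around fold keep every result inside the $e$-bit (resp. $(e+1)$-bit) range the circuits output.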
Now the size of our test circuit $C^{\mathrm{cex}}_x$, which uses these circuits, is
estimated as follows.
Lemma 3.2. The circuit $C^{\mathrm{cex}}_x$ outlined above tests whether $u \cdot v = x$ for
given inputs $u$ and $v$, and we can bound its size as follows, where $\ell$ is the length of
$x$'s prime factors, $e_0, \dots, e_k$ are the parameters defined above, and
$\ell'_i = \ell - \ell \bmod e_i$, $1 \le i \le k$.
$$\mathrm{size}(C^{\mathrm{cex}}_x) \le \sum_{i=1}^{k} (4e_i^2 + 3e_i) + e_0^2 - e_0 + 4k\ell + k + \sum_{i=1}^{k} (2e_i^2 + 16e_i + 2\ell'_i) + e_0^2/2 + e_0/2 - 2.$$
Proof. It follows from the above outline that $C^{\mathrm{cex}}_x$ consists of, (i) for each
$i$, $1 \le i \le k$, two $\mathrm{MOD}_{e_i}$, one $\mathrm{MULT}_{e_i}$, and one
$\mathrm{MULT}'_{e_i}$ circuits, (ii) a circuit for computing $u_0 \times v_0 \bmod 2^{e_0}$,
and (iii) gates for checking that every obtained product is equal to $x_i$. It is easy to see
that a circuit for $u_0 \times v_0 \bmod 2^{e_0}$ requires $(e_0 - 1)e_0 + (e_0 - 1)e_0/2$
gates, and that the whole equality check can be done with
$e_0 - 1 + \sum_{i=1}^{k} (2e_i - 1) + k - 1$ gates. Hence, we have
$$\begin{aligned}
\mathrm{size}(C^{\mathrm{cex}}_x) &= \sum_{i=1}^{k} \Bigl( 2\,\mathrm{size}(\mathrm{MOD}_{e_i}) + \mathrm{size}(\mathrm{MULT}_{e_i}) + \mathrm{size}(\mathrm{MULT}'_{e_i}) \Bigr) \\
&\quad + (e_0 - 1)e_0 + (e_0 - 1)e_0/2 + e_0 - 1 + \sum_{i=1}^{k} (2e_i - 1) + k - 1 \\
&= \sum_{i=1}^{k} \Bigl( 4\ell + 4e_i + 2(e_i - 1)e_i + 2e_i^2 + e_i + 1 + 8e_i + 4\ell'_i + e_i^2 + 2e_i + e_i^2 + 4e_i \Bigr) \\
&\quad + (e_0 - 1)e_0 + (e_0 - 1)e_0/2 + e_0 - 1 + \sum_{i=1}^{k} (2e_i - 1) + k - 1 \\
&= \sum_{i=1}^{k} (4e_i^2 + 3e_i) + e_0^2 - e_0 + 4k\ell + k + \sum_{i=1}^{k} (2e_i^2 + 16e_i + 2\ell'_i) + e_0^2/2 + e_0/2 - 2.
\end{aligned}$$
⊔⊓
Theorem 3.3. For a given $x$, a product of two $\ell$ bit prime numbers, we can construct a
SAT instance $F^{\mathrm{cex}}_x$ that is as hard as factorizing $x$, and that has at most the
following number of variables, where $e_0, \dots, e_k$ and $\ell'_1, \dots, \ell'_k$ are the
parameters defined above.
$$\sum_{i=1}^{k} (6e_i^2 + 19e_i + 2\ell'_i) + 3e_0^2/2 - e_0/2 + 4k\ell + k + 2\ell - 2.$$
$F^{\mathrm{cex}}_x$ has at most this number of clauses in the extended 4-conjunctive form and
at most
$$\sum_{i=1}^{k} (40e_i^2 + 88e_i + 8\ell'_i) + 10e_0^2 - 6e_0 + 32k\ell + 8k - 8$$
clauses in the 4-conjunctive normal form.
Now we estimate the size of formulas for several concrete cases. For comparison, let us also
estimate the size of the formula $F^{\mathrm{naive}}_x$ obtained from $x$ by the
straightforward reduction explained in the Introduction. (For our concrete examples, formulas
obtained by using the FFT become much larger than the ones obtained by the straightforward
reduction.)
Proposition 3.4. For a given $x$, a product of two $\ell$ bit prime numbers, the formula
$F^{\mathrm{naive}}_x$ has $3\ell^2 + 2\ell - 1$ variables. It has about this number of clauses
in the extended 4-conjunctive form and at most $20\ell^2 - 8\ell - 4$ clauses in the
4-conjunctive normal form.
Proof. It is easy to show that the size of the straightforward circuit multiplying two $\ell$
bit numbers is $(\ell - 1) \cdot \mathrm{add}(\ell) + \ell^2 = 2(\ell - 1)\ell + \ell^2$. The
test circuit needs $2\ell - 1$ more gates for checking whether the obtained product is equal
to $x$, and thus, its size becomes $2(\ell - 1)\ell + \ell^2 + 2\ell - 1$. Then the above
bounds follow from Lemma 3.1. ⊔⊓
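Lemma 3.1 and Proposition 3.4 as an added worked example in Python (not the paper's code): it builds $C^{\mathrm{naive}}_x$ as a gate list ($\ell^2$ partial-product ANDs, $\ell - 1$ ripple adders with two gates per bit as in Claim 3, and a chain of $2\ell - 1$ ANDs comparing the product with the constant $x$), applies the standard Tseitin transformation of Lemma 3.1 to obtain a DIMACS CNF, and checks Proposition 3.4's variable count $3\ell^2 + 2\ell - 1$, that the assignment read off $p$ and $q$ satisfies every clause, and, by brute force on a toy $\ell = 5$ instance, that only the factor pairs make the circuit output 1. The gate kinds (`and`, `xor`, `maj`), the class and function names, and the primes $p = 23$, $q = 29$ are this example's own choices.

```python
"""F^naive_x: naive multiplier test circuit -> Tseitin CNF (Lemma 3.1), with the
counts of Proposition 3.4.  Added example; not the paper's code.  Literals are
DIMACS style: a positive int is a variable, a negative int its negation."""
from itertools import combinations, product


class Circuit:
    """Gate list; every gate gets the next free variable as its output."""

    def __init__(self, n_inputs):
        self.nvars = n_inputs
        self.gates = []                     # (kind, out_var, [input literals])

    def gate(self, kind, *ins):
        self.nvars += 1
        self.gates.append((kind, self.nvars, list(ins)))
        return self.nvars


def add_bit(c, *ins):
    """One adder bit on 2 or 3 input literals, returning (sum, carry).
    Two gates per bit, as in Claim 3: xor for the sum, and/maj for the carry."""
    ins = [t for t in ins if t is not None]
    carry = c.gate("and" if len(ins) == 2 else "maj", *ins)
    return c.gate("xor", *ins), carry


def naive_test_circuit(x, ell):
    """C^naive_x: inputs a = vars 1..ell, b = vars ell+1..2ell; output var is 1 iff a*b == x."""
    c = Circuit(2 * ell)
    a = list(range(1, ell + 1))
    b = list(range(ell + 1, 2 * ell + 1))
    rows = [[c.gate("and", a[j], b[i]) for j in range(ell)] for i in range(ell)]  # ell^2 ANDs
    prod = [rows[0][0]]                     # product bits, least significant first
    acc, carry = rows[0][1:], None          # running sum of the rows added so far
    for i in range(1, ell):                 # ell-1 ripple adders of ell bits each
        acc_in = acc + ([carry] if carry is not None else [])
        sums, cin = [], None
        for j in range(ell):
            y = acc_in[j] if j < len(acc_in) else None
            s, cin = add_bit(c, rows[i][j], y, cin)
            sums.append(s)
        prod.append(sums[0])
        acc, carry = sums[1:], cin
    prod += acc + [carry]                   # all 2*ell product bits
    # compare with the constant x: the literal for bit j is prod[j] or its negation
    lits = [p if (x >> j) & 1 else -p for j, p in enumerate(prod)]
    out = lits[0]
    for lit in lits[1:]:                    # 2*ell - 1 AND gates
        out = c.gate("and", out, lit)
    return c, out


def tseitin(c, out):
    """Lemma 3.1: clauses forcing each gate variable to equal its gate's value,
    plus a unit clause asserting the circuit output."""
    clauses = []
    for kind, o, ins in c.gates:
        if kind == "and":
            clauses += [[-o, i] for i in ins] + [[o] + [-i for i in ins]]
        elif kind == "xor":                 # 2^n clauses, one per input pattern
            for bits in product((0, 1), repeat=len(ins)):
                par = sum(bits) % 2
                clauses.append([(-i if s else i) for i, s in zip(ins, bits)] + [o if par else -o])
        else:                               # maj of three inputs
            for p, q in combinations(ins, 2):
                clauses += [[-p, -q, o], [p, q, -o]]
    clauses.append([out])
    return clauses


def dimacs(c, clauses):
    return "\n".join([f"p cnf {c.nvars} {len(clauses)}"] +
                     [" ".join(map(str, cl)) + " 0" for cl in clauses])


def evaluate(c, u, v, ell):
    """Simulate the circuit on inputs u, v; returns the full variable assignment."""
    val = {j + 1: bool((u >> j) & 1) for j in range(ell)}
    val.update({ell + j + 1: bool((v >> j) & 1) for j in range(ell)})
    for kind, o, ins in c.gates:
        vs = [val[abs(t)] ^ (t < 0) for t in ins]
        val[o] = all(vs) if kind == "and" else (sum(vs) % 2 == 1 if kind == "xor" else sum(vs) >= 2)
    return val


def satisfies(clauses, val):
    return all(any(val[abs(t)] ^ (t < 0) for t in cl) for cl in clauses)


def demo(p, q, ell):
    """Build F^naive_x for x = p*q (p, q are ell-bit primes chosen for the example)."""
    x = p * q
    c, out = naive_test_circuit(x, ell)
    cnf = tseitin(c, out)
    accepted = sorted((u, v) for u in range(1 << ell) for v in range(1 << ell)
                      if evaluate(c, u, v, ell)[out])
    return {"vars": c.nvars, "clauses": len(cnf),
            "witness_ok": satisfies(cnf, evaluate(c, p, q, ell)),
            "accepted": accepted, "header": dimacs(c, cnf).split("\n")[0]}
```

With $\ell = 5$ the circuit has $3 \cdot 25 + 10 - 1 = 84$ variables, the CNF stays below the $20\ell^2 - 8\ell - 4$ bound of Proposition 3.4, and the only accepted input pairs are $(23, 29)$ and $(29, 23)$; `dimacs` returns the instance in the format SAT solvers read.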
Table 1 below shows the sizes of $F^{\mathrm{cex}}_x$ and $F^{\mathrm{naive}}_x$ obtained from
$x$, a product of two $\ell$ bit prime numbers; that is, solving the SAT problem for
$F^{\mathrm{cex}}_x$ or $F^{\mathrm{naive}}_x$ is as hard as factorizing $x$. The column
“# of var.s” is for the number of variables of the obtained formulas; hence, it also bounds
the number of clauses of the formulas in the extended 4-conjunctive form. On the other hand,
the column “# of clauses” is for the number of clauses of the formulas in the 4-conjunctive
normal form. For these formulas, the number of clauses in the 4-conjunctive normal form is
approximately 6 times larger than the number of variables.

                   F^naive_x                   F^cex_x
   ℓ    # of var.s   # of clauses    # of var.s   # of clauses    e_0, e_1, ...
  30         2,759         17,756         2,767         17,240    16, 4, 5, 7, 9
  40         4,879         31,676         4,103         25,728    16, 7, 8, 9, 11
  50         7,599         49,596         5,657         35,776    27, 5, 7, 8, 9, 11
  60        10,919         71,516         7,315         46,328    23, 5, 7, 8, 9, 11, 13
  70        14,839         97,436         9,347         59,448    27, 5, 7, 9, 11, 13, 16
 128        49,407        326,652        22,165        142,344    27, 7, 11, 13, 15, 16, 17, 19, 23
 256       197,119      1,308,668        63,652        406,860    62, 7, 11, 13, 17, 19, 23, 25, 27, 29, 31, 32
Table 1: The size of formulas
Consider first the task of generating test instances for a given SAT algorithm. From the
viewpoint of the Factorization Problem (FACT), the case ℓ = 30, i.e., factorizing a product
of two 30 bit primes, is not so difficult. It is solvable in a few minutes by a
straightforward algorithm on a small workstation. But the problem suddenly becomes difficult
when ℓ > 40. Thus, those instances generated with ℓ = 40 or ℓ = 50 would be quite good
examples for testing the performance of SAT algorithms. Note that if we use some advanced
algorithm like the Quadratic Sieve, factorization up to ℓ = 100 is computable in one to two
hours on a mid size workstation [Kob97]. But it is hard to think of a SAT algorithm
incorporating such a specialized algorithm.
Next, we analyze the hardness of SAT by using our knowledge on the hardness of FACT. It has
been widely believed (see, e.g., [Sch94]) that factorizing 512 bit numbers is hard, which is
the case ℓ = 256. Now from Table 1, this corresponds via our reduction to SAT instances with
approximately 63,000 variables. That is, some (in fact many) SAT instances with 63,000
variables are intractable. Notice that by the straightforward reduction, we cannot show the
same hardness unless SAT instances have more than 190,000 variables. In Table 1, we also
estimate the size of SAT instances generated from 256 bit numbers (i.e., ℓ = 128), which are
still quite difficult to factorize (i.e., a one day task on a mid size workstation [Kob97])
in practice.
References
[AIM96] Y. Asahiro, K. Iwama, and E. Miyano, Random generation of test instances
with controlled attributes, Clique, Coloring, and Satisfiability (D.S. Johnson,
ed.), DIMACS Series in Discrete Math. and Theoret. Comput. Sci., American
Mathematical Society (1996), 377−393.
[Dif92] W. Diffie, The first ten years of public-key cryptography, in Contemporary Cryp-
tology: The Science of Information Integrity (G.J. Simmons, ed.), IEEE Press
(1992), 65−134.
[Hor97] S. Horie, Hard instance generation for the satisfying assignment search problem,
SIGAL 55-4 (1997), 29−36.
[Joh96] D.S. Johnson, ed., Clique, Coloring, and Satisfiability, DIMACS Series in Dis-
crete Math. and Theoret. Comput. Sci., American Mathematical Society, 1996.
[Kob97] H. Kobayashi, personal communication.
[Knu81] D.E. Knuth, The Art of Computer Programming Vol.II (2nd ed.), Addison-
Wesley, 1981.
[LL90] A.K. Lenstra, H.W. Lenstra, Jr, Algorithms in number theory, Handbook of
Theoretical Computer Science Vol.A (J. Van Leeuwen, ed.), Elsevier (1990),
673−715.
[SS71] A. Schönhage and V. Strassen, Schnelle Multiplikation grosser Zahlen, Computing 7
(1971), 281−292.
[Sch94] B. Schneier, Applied Cryptography, John Wiley & Sons, Inc., 1994.
