Parallel algorithms for SAT in application to inversion problems of some discrete functions


In this article we consider the inversion problem for polynomially computable discrete functions. These functions describe the behavior of many discrete systems and are used in model checking, hardware verification, cryptanalysis, computer biology and other domains. Quite often it is necessary to invert these functions, i.e. to find an unknown preimage when an image and the algorithm for computing the function are given. In the general case this problem is computationally intractable. However, many of its special cases are very important in practical applications, so the development of algorithms applicable to these special cases is important. The practical applicability of such algorithms can be validated by their ability to solve problems that are considered computationally hard (for example, cryptanalysis problems). In this article we propose a technology for solving the inversion problem for polynomially computable discrete functions. This technology was implemented in distributed computing environments (parallel clusters and Grid systems). It is based on reducing the inversion problem for the considered function to a SAT problem. We describe a general approach to coarse-grained parallelization of the resulting SAT problems. The efficiency of each parallelization scheme is determined by means of a special predictive function. The proposed technology was validated by successfully solving cryptanalysis problems for some keystream generators. The main practical result of this work is a complete cryptanalysis of the keystream generator A5/1, which was performed in a Grid system specially built for this task.


💡 Research Summary

The paper addresses the inversion problem for polynomial‑time computable discrete functions, which asks for a pre‑image x given an output y and an algorithm that computes the function. The authors propose a systematic methodology that (i) reduces any such inversion problem to a Boolean satisfiability (SAT) instance in a parsimonious way, (ii) decomposes the resulting SAT instance into many smaller sub‑instances using a carefully chosen set of variables (the “decomposition set”), and (iii) solves the sub‑instances in parallel on large‑scale distributed platforms such as clusters and grid systems.

The reduction step relies on Cook’s simulation of Turing machines and Tseitin’s transformation. The original algorithm is expressed as a Boolean circuit; each gate introduces an auxiliary variable and a small set of clauses that encode the gate’s logical relation. Because the transformation is parsimonious, the number of satisfying assignments of the generated conjunctive normal form (CNF) equals the number of pre‑images of y, guaranteeing that any solution of the SAT instance can be mapped back to a valid input of the original function.

To make the SAT problem tractable on massive parallel hardware, the authors introduce a coarse‑grained parallelization scheme. A subset X′ of the CNF variables is selected; all 2^|X′| possible truth assignments to X′ are enumerated, and for each assignment the original CNF is simplified, producing a family ΔC(X′) of sub‑CNFs. The original SAT problem is satisfiable iff at least one sub‑CNF in ΔC(X′) is satisfiable. The key contribution is a predictive function that estimates the computational effort and communication overhead for a given choice of X′ and its size d. By minimizing this predictive cost, the method automatically selects an optimal decomposition set, balancing the number of sub‑tasks against the workload per task.
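The reduction and the decomposition described above, as an added example that is not code from the paper: a constructed four-input toy circuit is Tseitin-encoded, the CNF is split over a decomposition set X′, and each sub-CNF is model-counted independently. The circuit, the variable numbering and all function names are assumptions made for illustration, and the naive splitting counter stands in for a real SAT solver.

```python
from itertools import product

# Constructed toy circuit (an assumption, not from the paper): inputs are
# variables 1..4; each gate (kind, out, a, b) adds one auxiliary variable.
GATES = [("and", 5, 1, 2), ("xor", 6, 5, 3), ("xor", 7, 2, 4), ("and", 8, 7, 1)]
INPUTS, OUTPUTS, NVARS = [1, 2, 3, 4], [6, 8], 8

def f(x):
    """Evaluate the circuit directly on a tuple of input bits."""
    val = dict(zip(INPUTS, x))
    for kind, out, a, b in GATES:
        val[out] = (val[a] & val[b]) if kind == "and" else (val[a] ^ val[b])
    return tuple(val[o] for o in OUTPUTS)

def tseitin(y):
    """CNF (lists of signed ints) whose models correspond 1:1 to preimages of y."""
    cnf = []
    for kind, c, a, b in GATES:
        if kind == "and":    # c <-> a AND b
            cnf += [[-c, a], [-c, b], [c, -a, -b]]
        else:                # c <-> a XOR b
            cnf += [[-a, -b, -c], [a, b, -c], [a, -b, c], [-a, b, c]]
    # Unit clauses pin the output variables to the observed image y.
    return cnf + [[o if bit else -o] for o, bit in zip(OUTPUTS, y)]

def assign(cnf, lit):
    """Simplify under literal lit; None means some clause became empty."""
    kept = [[l for l in cl if l != -lit] for cl in cnf if lit not in cl]
    return None if [] in kept else kept

def models(cnf, free):
    """Count models over the variables in `free` by naive splitting."""
    if cnf is None or not free:
        return 0 if cnf is None else 1
    v, rest = free[0], free[1:]
    return models(assign(cnf, v), rest) + models(assign(cnf, -v), rest)

def solve_partitioned(y, xprime):
    """Model count of each of the 2^|X'| sub-CNFs; each is an independent task."""
    free = [v for v in range(1, NVARS + 1) if v not in xprime]
    counts = {}
    for bits in product([0, 1], repeat=len(xprime)):
        sub = tseitin(y)
        for v, bit in zip(xprime, bits):
            sub = None if sub is None else assign(sub, v if bit else -v)
        counts[bits] = models(sub, free)
    return counts
```

For the image `(1, 0)` the per-part counts sum to the number of preimages found by direct enumeration, and with `xprime=[1, 3]` one part is unsatisfiable, so the choice of X′ changes how the work is spread across tasks.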

The parallel execution model assigns each sub‑CNF to an independent processor (or grid node). Processors run a modified SAT solver that is tuned for inversion problems: input variables are fixed early, clause sharing is limited to reduce network traffic, and unsatisfiable sub‑instances are recorded to avoid redundant work. The framework also includes fault‑tolerance mechanisms that resubmit failed tasks.

The authors validate the approach on two cryptographic case studies. First, they apply the technique to a simple stream cipher based on linear feedback shift registers (LFSRs) using a modest cluster, demonstrating that the method works even on low‑performance hardware. The main experimental result concerns the A5/1 stream cipher, used in GSM mobile communications. A5/1 consists of three LFSRs with irregular clocking; its secret key is the 64‑bit initial state of the registers. The authors model the cipher’s state update equations and output generation as a Boolean system, then convert it to a CNF using the parsimonious Tseitin transformation. By selecting a decomposition set of about 20 variables (primarily clocking bits and selected register bits), they generate roughly one million sub‑CNFs. Using a purpose‑built grid comprising thousands of nodes, they execute the sub‑tasks over a period of about two weeks. The grid successfully finds a satisfying assignment, which is then mapped back to the original 64‑bit secret key, achieving a complete cryptanalysis of A5/1.

The paper’s contributions are threefold: (1) a rigorous, parsimonious reduction from discrete‑function inversion to SAT, (2) a predictive‑function‑driven coarse‑grained parallelization strategy that optimally partitions the search space, and (3) a practical demonstration that large‑scale, commodity SAT solvers combined with distributed computing can solve cryptographically hard inversion problems without specialized hardware. The authors suggest that the same methodology can be applied to hardware verification, model checking, and computational biology, where similar inversion or search tasks arise. Future work includes refining the predictive model, dynamic load balancing, and extending the approach to other classes of discrete functions.

