DES: a Challenge Problem for Nonmonotonic Reasoning Systems

by   Maarit Hietalahti, et al.
Università di Siena

The US Data Encryption Standard, DES for short, is put forward as an interesting benchmark problem for nonmonotonic reasoning systems because (i) it provides a set of test cases of industrial relevance which shares features of randomly generated problems and real-world problems, (ii) the representation of DES using normal logic programs with the stable model semantics is simple and easy to understand, and (iii) this subclass of logic programs can be seen as an interesting special case for many other formalizations of nonmonotonic reasoning. In this paper we present two encodings of DES as logic programs: a direct one out of the standard specifications and an optimized one extending the work of Massacci and Marraro. The computational properties of the encodings are studied by using them for DES key search with the Smodels system as the implementation of the stable model semantics. Results indicate that the encodings and Smodels are quite competitive: they outperform state-of-the-art SAT-checkers working with an optimized encoding of DES into SAT and are comparable with a SAT-checker that is customized and tuned for the optimized SAT encoding.


page 1

page 2

page 3

page 4


Transalg: a Tool for Translating Procedural Descriptions of Discrete Functions to SAT

In this paper we present the Transalg system, designed to produce SAT en...

Non Deterministic Logic Programs

Non deterministic applications arise in many domains, including, stochas...

Expressiveness of Logic Programs under General Stable Model Semantics

The stable model semantics had been recently generalized to non-Herbrand...

Extending the Stable Model Semantics with More Expressive Rules

The rules associated with propositional logic programs and the stable mo...

Thirty years of Epistemic Specifications

The language of epistemic specifications and epistemic logic programs ex...

A Short Remark on Analogical Reasoning

We discuss the problem of defining a logic for analogical reasoning, and...

iWarded: A System for Benchmarking Datalog+/- Reasoning (technical report)

Recent years have seen increasing popularity of logic-based reasoning sy...

1 Introduction

Efforts on developing implementations of nonmonotonic reasoning systems have intensified during the last years and, in particular, implementation techniques for declarative semantics of logic programs (e.g., stable model and well-founded semantics) have considerably advanced. With an increasing number of systems the question of suitable test suites arises. Typical benchmarks used for testing and comparing such systems include problems from graph theory, planning, and constraint satisfaction [Cholewiński et al.1995, Dimopoulos, Nebel, & Koehler1997, Niemelä1999]. However, it is still difficult to find benchmark suites of wide industrial relevance.

In this paper we advocate that logical cryptanalysis

is a good benchmark for nonmonotonic reasoning systems. Logical cryptanalysis has been introduced by Massacci and Marraro mass-marr-00-JAR as a framework for reasoning about cryptographic algorithms. They pointed out that encoding cryptographic problems as SAT problems might be beneficial for the automated reasoning community as it provides a set of problems of industrial relevance which optimally shares features of randomly generated problems and real-world problems. Indeed, the encoding of the US Data Encryption Standard (DES) into SAT proposed in

[Massacci & Marraro2000, Massacci1999] has a number of useful features:

  • it allows to generate random instances of similar structure in practically inexhaustible number;

  • it provides solved instances (for which one solution is known beforehand) which are very hard, for which we can change the value of the solution, and such that we can generate as many different (hard) instances as we want with the same solution;

  • it has a lot of structure, and the structure is very common to many similar problems in hardware verification, planning and constraint programming (all-diff constraints, defined variables, layered definitions etc.).

These considerations apply to the encoding of cryptographic problems for nonmonotonic reasoning systems with some further advantages:

  • the representation of cryptographic algorithms using normal logic programs with the stable model semantics is extremely simple and easy to understand;

  • normal logic programs with the stable model semantics can be seen as an interesting special case for many other more general formalizations of nonmonotonic reasoning.

Indeed, we can provide a natural encoding of DES out of the standard specifications [FIPS1997, Schneier1994, Stinson1998] as a logic program. Massacci and Marraro [Massacci & Marraro2000] have developed a SAT-encoding of DES where substantial amount of preprocessing and optimizations are employed. As an alternative encoding of DES using logic programs we have upgraded Massacci and Marraro’s optimized SAT-encoder to deal directly with logic programs. Using these encodings one can perform most111To be precise the verification of cryptographic properties proposed in [Massacci & Marraro2000] are expressed as quantified boolean formulae. These are out of our scope. of the reasoning tasks suggested in [Massacci & Marraro2000].

We examine the efficiency of the encodings by using an implementation of the stable model semantics, the Smodels system [Niemelä & Simons1997, Simons1998], for DES key search and by comparing the performance to that of SAT-solvers which use the optimized encoding of DES into SAT developed Massacci and Marraro.

The rest of the paper is organized as follows. We start by briefly introducing the stable model semantics and by discussing how to encode boolean expressions as logic programs. We first describe the direct encoding of DES to logic programs and then the optimized encoding. We finish with some experimental results.

2 Logic Programs and Stable Models

The stable model semantics [Gelfond & Lifschitz1988] generalizes the minimal model semantics of definite programs to normal logic program rules


where negative body literals () are allowed. For a ground (variable-free) program , the stable models are defined as follows. The reduct of a program with respect to a set of atoms is the program obtained from by deleting

  1. each rule that has a negative literal in its body with and

  2. all negative literals in the remaining rules.

The reduct can be seen as the set of potentially applicable rules given the stable model , i.e., as the rules where the negative body literals are satisfied by the model. Note that in the reduct the negative body literals of the potentially applicable rules are removed and, hence, the rules are definite. The idea is that a stable model should be grounded (or justified) in the sense that every atom in the model is a consequence of the potentially applicable rules and every consequence of the potentially applicable rules is included in the model. The atomic consequences of a set of definite rules can be captured by the unique minimal model, the least model, of the set seen as definite clauses. Hence, a set of atoms is a stable model of a program if it coincides with the least model of the reduct.

Definition 1

Let be a ground program. Then a set of ground atoms is a stable model of iff is the least model of .

Example 2


has a stable model because is the least model of .

In addition to this model, has another stable model which can be verified similarly by constructing the reduct and its least model.

The stable model semantics for programs with variables is obtained from the semantics of ground programs by employing the notion of Herbrand models. The stable models of a program with variables are the stable models of the ground instantiation of the program where variables are substituted by terms from the Herbrand universe of the program (the ground terms built from constants and functions in the program).

Integrity constraints, i.e., rules of the form


are often useful for saying that a stable model containing but none of is not acceptable. These rules can be encoded using ordinary rules222For example, by introducing two new atoms and and a new rule and finally replacing every rule of the form (2) with one having as its head..

Example 3

Consider program in Example 2 extended by two integrity constraints

This program has only one stable model as the other stable model of , , does not satisfy the first integrity constraint above.

Integrity constraints are a powerful and simple technique for pruning unwanted stable models as they cannot introduce new stable models but only can eliminate them. This means that for a program and a set of integrity constraints , if is a stable model of , then is a stable model of .

3 From Boolean Logic to Logic Programs

DES can be seen as a boolean function which takes as input a vector of bits consisting of the plaintext and key and outputting a vector of bits (the ciphertext). DES is specified using standard boolean operators (negation, disjunction, conjunction, XOR) as well as boolean functions given as truth tables.

In this section we discuss how to encode such boolean expressions using logic programs. Here the goal is to achieve a compact and potentially computationally efficient coding. We aim to exploit the special property of the stable model semantics that everything is false unless otherwise stated. This means that it is enough to consider only the conditions under which an expression is true and let the default negation to handle the other case when the expression is false.

Given a boolean expression we provide a logic program such that satisfying truth assignments of and stable models of coincide. This can be done by introducing a new atom for each subexpression of and, according the intuition mentioned above, by only giving rules stating all conditions on its subexpressions under which is true.

Table 1: Mapping boolean expression to rules

In Table 1 we give the corresponding rules for different kinds of subexpressions. We use the convention that we denote by the corresponding new atom of the subexpression in question and by the new atom introduced for any further subexpression .

As a further optimization, note that it is not necessary to introduce a new atom in the program for negated subexpressions ’’ as they can be represented as ’’ in the program, a positive literal can be represented as such, and an expression ’’ as ’’.

For the rest of the original propositional atoms, which are not introduced as abbreviations in the original boolean expression, the assumption about the default negation is false because they can have any of the two truth values. Therefore we encode this by introducing a new atom for each atomic subexpression and including two rules


stating that either is in the stable model or is in the model (when is not there).

Now the satisfying truth assignments of and the stable models correspond in the following sense:

  1. Each stable model of induces a truth assignment where an atom is true in iff and for each subexpression of , is true in iff the corresponding new atom is in .

  2. Each truth assignment induces a stable model of such that for each subexpression of , is true in iff the corresponding new atom is in .

In order to consider stable models corresponding to assignments where is true, one adds to a rule

Further constraints on boolean (sub)expressions can be encoded similarly. In order to ensure that a given (sub)expression is true (respectively false), it is enough to include to the rules

where is the new atom corresponding to . Notice that our translation can be seen as first breaking the boolean expression to a set of equivalences where new atoms are defined for each expression and then mapping these equivalence to rules.

Example 4

Consider an expression

It can be seen as a set of equivalences

Now the program is

For instance, the stable model of corresponds to the truth assignment where the atom is true but is false. If we want to have only models where true, it is enough to add to the rule

When this is done, the resulting program has two stable models: and .

A boolean function given as a truth table can be represented using rules by considering a disjunctive normal form representation of the function. This means that we give the conditions under which the function obtains the value true and provide for each such case a corresponding rule.

Example 5

The function given by the table on the left hand side can be encoded by the rules on its right.

4 The US Data Encryption Standard

For a complete description of DES see [FIPS1997], [Schneier1994, Chap.12], or [Stinson1998]. DES is a block-cipher and its input is a 64 bit block of plaintext and a 64 bit key, where every eighth bit is a parity check bit that is stripped off before the encryption. So, the actual key-size of DES is 56 bits. This key is used for generating the round-keys, 48 bit permuted subkeys of the key. The output is a 64 bit block of ciphertext.

Figure 1: The structure of DES

The high level structure of DES is presented in Figure 1(a). Following Figure 1(a) top-down we see that DES starts with an initial permutation IP of the 64 bit block of plaintext followed by a structure that is called a Feistel cipher [Feistel, Notz, & Smith1975].

The basic component of a Feistel cipher is called a round and is constituted by the following operations:

  1. the input of 64 bits is divided into left and right parts;

  2. the right half (32 bits), together with a round-key, is taken as input of a function (the round function), which is described below;

  3. the output of is XORed with the left half and the result is a new right half;

  4. the unaltered old right half becomes the new left half.

These rounds can now be chained together and the complete DES contains 16 rounds (Figure 1(a) illustrates three rounds). The strength of DES depends on the number of rounds: after 8 rounds a change in an input bit affects all output bits. In the end of DES, the switching of left and right sides is omitted and the bits are again permuted using the inversion of the initial permutation.

DES function .

Inside the function (see Figure 1

(b)) the 32 input bits are first expanded to 48 bits by duplicating some of them. The expanded bit string is XORed with the round-key given by the keyschedule described below. The resulting bits are input to 8 S-boxes, 6 bits for each box. The S-boxes are functions of six (binary) variables. The output of every S-box consists of 4 bits. The resulting 32 bits are finally permuted according to permutation P. The content of the boxes was decided at the time DES was developed and they are the only non-linear part of DES, hence the security of DES relies on them.


The keyschedule function takes as input the key and provides as out a 48 bit round-key for each round of the Feistel cipher. The DES key is a vector of 64 bits, where every 8th bit is a parity bit. First the parity bits are stripped off, then the keybits are permuted according to the permutation PC-1. The result is divided into two parts that are shifted to the left one or two positions recursively, see Figure 1(c). After each shift the bit string is again permuted (PC-2) in order to produce the round-key.

5 A Direct Encoding of DES

We develop first a direct encoding of DES as a logic program. It does not contain any optimization and the idea is to keep the code simple and readable. The code can be used for encryption or key search333We have been successful only for limited versions of DES where the number of rounds is less than 16 (the full version). with several plaintext-ciphertext pairs (the known plaintext attack).

The encoding is given as rules with variables. However, each variable has a domain predicate in the body of the rule so that a set of ground instances with exactly the same stable models is straightforward to determine. The predicates contain variables indicating a plaintext-ciphertext pair and for round. The corresponding domain predicates are and which specify the relevant rounds and pairs, respectively. The total number of rounds is denoted by a constant . For instance, if we are considering a three round version of DES with two plaintext-ciphertext pairs, these domain predicates would be defined using the facts:

We describe first DES as used for encryption and then indicate changes needed to be done, e.g., for key search. The plaintext is given as facts , where gives the number of the bit and indicates the pair in question. Note that only facts for true plaintext bits need to be written. For instance, a set of facts

specifies that in the first plaintext-ciphertext pair, the plaintext bits are true and all other false.

5.1 Round Operations

The rules which encode the round operations, i.e., the rules that join the previous round to the next, are summarized in Figure 2. They work as follows.

Figure 2: Round operations

For the first round, the 64-bit block of plaintext is first permuted according to the initial-permutation IP which is given as a set of facts

Using these facts the rule for (r.1) is easy to express.

For each pair , the bits are divided in two 32 bit parts and renumbered. The renumbering is used only to make the description of the function easier to write and understand and it is done by dividing both halves (32 bits) into 8 groups with each 4 bits. The bits are numbered so that the first digit represents the group and the second digit represents the bit. For example, bit 32, is the second bit in the third group. This renumbering is given as facts:

These facts are used in the rules r.2 and r.3 specifying the right and left parts where the predicate is defined using a set of facts giving the possible renumbered bits .

For each round and each plaintext-ciphertext pair , the left and right parts and can be defined in terms of the previous parts and the result of the function as follows. The right side is swapped to the left (r.4) and the left side is XORed with the output of to form the right side for the next round (r.5–r.6).

In the final round the switching of left and right halves is omitted (r.7–r.9) but the renumbering is undone and the final permutation (r.10–r.12) is applied.

5.2 Function

For each round and for each pair , the function takes as input the 32 bits of the right part of the previous round and a 48 bit round-key and works as follows. First every group of the right part is expanded from 4 to 6 bits. For example, the rule


means that the 4th bit in the 6th group becomes the 5th bit in the 6th group. The expanded bit string is XORed with the key bits:

where the predicate is defined using a set of facts giving the possible extended renumbered bits .

The resulting groups of 6 bits are the input of their respective S-boxes. The output of every S-box consists of 4 bits. If we consider the output one bit at the time, the S-boxes can be seen as truth tables. For example, if the input to the second S-box is 010101, it’s output is 0001. We can encode this behavior with the following rule:

Once again, with the stable models semantics only rules that imply true output bits are needed (see, Example 5). In this case, the output bits 1-3 are zeros, therefore no rules are needed for them. In the end of the DES function, the vector of bits is permuted according to the permutation P. The rules for permutation are similar to the ones in expansion.

For each round , the keyschedule is given as a set of rules using the key bit facts . For example, the rule

specifies that in the first round the (renumbered) bit 11 of the round-key is determined by the key bit 10. The stages presented in Figure 1(c) and the renumbering is calculated beforehand in order to avoid some modulo arithmetic. This can be done because the keyschedule is independent of the plaintext to be used.

5.3 Encryption and key search

The encoding can be easily modified to solve many kinds of computational problems related to DES by changing the way the plaintext, ciphertext and the key are encoded.


It is sufficient to give the true bits of the plaintext as facts for each pair and the true bits of the key as facts . Now for each pair , the true bits of the encrypted ciphertext can be recovered as ground facts in the unique stable model of the encoding with the plaintext and key facts.


The true bits of the key are specified as facts , the ciphertext is given in the form

and the plaintext by the rules of the form (3) saying that one can choose the truth values of the ground atoms . Then the decrypted plaintext is given by the stable model of the encoding: for each true bit of the plaintext a ground fact is in the model.

Actually, DES is symmetric. This means that decryption is usually done the same way as encryption, using the key schedule in reverse order and the ciphertext in place of the plaintext.

Known plaintext attack:

For this attack we assume that a certain number of pairs of plaintexts and the corresponding ciphertexts are available and that we want to recover the key. For each pair , the true bits of the plaintext are given as facts , the ciphertext is given in the form

and the key is given by rules of the form (3)

specifying that the truth values of the ground atoms corresponding to the key bits can be chosen. Then the stable models of the resulting encoding correspond to the possible keys yielding the ciphertext from the plaintext for each pair . A key is given as ground facts in the corresponding stable model for all true key bits.

6 An Optimized Encoding of DES

Massacci and Marraro [Massacci & Marraro2000] have devised an optimized encoding of DES to SAT which is particularly effective when the plaintext and the ciphertext are used in a known plaintext attack. We show how to modify this to work with logic programs. We sketch here just the main ideas to make the paper self-contained and refer to [Massacci & Marraro2000] for further details on the encoding.

The basic idea of the direct encoding is to represent each step of DES as a logic program, the more straightforward, the better. For the optimized encoding we start from a different direction and represent DES as a logical circuit in which each operation is represented as a boolean formula.

Then, for the operations that are repeated at each round (such as the round function ) we apply off-line some advanced CAD minimization techniques to squeeze their size as much as possible. In particular in [Massacci & Marraro2000] the CAD program Espresso [Rudell & Sangiovanni-Vincentelli1987] has been used for minimizing the representation of S-Boxes as Programmable Logic Arrays (PLAs). The PLA representation is just a representation of boolean functions with disjunctions of conjunctions.

This yields a notable squeeze in the size of the boolean formulae representing the corresponding operations of the S-Boxes but is not enough. The second important twist is that whenever possible, the program “executes” directly the DES operations on the propositional variables representing the input bits. For instance, a permutation is not encoded into a boolean formula, rather the program executes the permutation of the input bits and provides as output the permuted propositional variables.

The simplifying effect of this operation can be also explained as a form of partial evaluation in the direct encoding of DES. Consider, for instance, the logic program rule (4). The net effect of the “execution” step is that is replaced everywhere by .

At the end of this process the encoder program def2fml used in [Massacci & Marraro2000] could output a minimized logic program corresponding to DES w.r.t. the direct encoding that we have described in the previous section using the rules we have given in the section on coding boolean formulae.

We can do more when the plaintext and the ciphertext are known, i.e. when we want to perform a known plaintext attack. In particular, with a boolean representation we can perform a notable amount of linear reasoning (reasoning using formulae with exclusive or). In [Massacci1999] it is noted that the presence of exclusive or is what makes the problem hard for state-of-the-art SAT checkers and therefore its minimization is essential.

So, for the encoding we acquire the boolean values corresponding to plaintext and ciphertext and preprocess the formula by applying exhaustively a set of simplification rules aimed at eliminating redundancies:

  1. Variables defined by atomic equivalences444We define an atomic equivalence as a formula of the form where is a variable and is either another variable or a truth value. are replaced by the corresponding values to reduce the number of variables in other formulae, and to introduce the truth values.

  2. The propositional simplification rules listed in Figure 3 are applied.

The second step (propositional simplification) may introduce additional atomic equivalences and therefore the overall simplification phase is repeated until saturation is reached.

Formula Simplification
Formula Generated Equivalence
Figure 3: Simplification rules

Notice that such preprocessing, and in particular the operations involving exclusive or, cannot be performed with a logic program representation (at least with current technology).

The resulting formula is then translated into a logic program using a further optimized translation w.r.t. that presented in the section on boolean encoding. We can exploit the knowledge that the final formula we got has the form shown in Figure 4 (adapted from [Massacci & Marraro2000]) and translate it as shown in Figure 5. The variables and stand for the number of pair and rounds, according the format of the direct encoding. The letter corresponds to a suitable ground value of the bit number represented by the variable used in the direct encoding. Notice that the final output is a ground logic program so that and are appropriately instantiated by the optimizing encoder.

Figure 4: Simplified DES formulae for rounds with known plaintext and ciphertext

Figure 5: Optimized logic program for DES with rounds

Notice that the translation of the formula is done piecewise: each equivalence is translated in a suitable number of rules: we use one rule for conjunctions, two rules for XORs, and many rules of disjunctions (as many as there are disjuncts). The trick is that we only encode one direction of the the equivalence exploiting the property of logic programs that “everything is false by default”. In this way we have only to specify when a boolean formula may be true.

However, this is still not sufficient because the translation as sketched is not faithful: we might have more than one “definition” of the same atom, i.e. one or more formulae of the form for the same atom .

If we left it that way, there would not be a one-one correspondence between stable models and propositional truth assignments. We would have more models than due. So we need a further twist to cope with atoms that are defined (are on the left of the equivalence sign in Figure 4) two or more times. Suppose that we have a set of formulae of the form:

and that denotes the fragment of the logic program translating the boolean formula according the rules we have used in Table 1 and Figure 5.

We translate this set of formulae as follows:

One may check that this is a faithful translation of the corresponding boolean formulae. The intuitive explanation is simply that the boolean set of formulae, read conjunctively, just says that all must have the same value and this value must also be assigned to . The first rule chooses a value, say and assign it to as in the standard encoding. The rest of the construction assigns the value of to a new atom and then specifies that is true when is true and that cannot be false when is true.

Then we add the rules (3) saying that one can choose the truth values of the atoms corresponding to key bits, as we do for the direct encoding, and we are done.

7 Experiments

We study the computational properties of the two logic program encodings of DES by using them for key search in a known plaintext attack for a limited form of DES running a given number of rounds. For each number of rounds and pairs of plaintext-ciphertext blocks we perform 50 key searches using different randomly generated plaintexts and report the mean of the running time and of the size of the search tree. The tests were run under Linux 2.2.12 on 450 MHz Pentium III computers. The encodings and test cases are available at

Table 2 reports the data on Smodels’s performance. The running times do not include preprocessing. For the direct encoding (Dir.) preprocessing consists of parsing and grounding of the rules which is done by the standard Smodels parser lparse. This takes only few seconds even for the largest examples. For the optimized encoding (Opt.) preprocessing is more involved as explained in the previous section. It includes off-line minimization of boolean functions used in DES, partial evaluating the DES description, simplifying it using the known plaintexts-ciphertext pairs, transforming the resulting boolean formula to a set of ground logic program rules as well as parsing the rules into the internal format of smodels. Hence, in both cases preprocessing produces a ground program parsed into the internal format of smodels. Table 2 gives the average running time and search space size for smodels (version 2.25 with -backjump option) to find a stable model (a key) for such a ground program. Entries marked with ’—’ are cases where the set of 50 key searches could not be completed because the running time for each key search extended several CPU hours.

Both encodings have a reasonable performance (although it should be noted that special purpose methods and hardware are able to perform known plaintext attacks successfully even to the full DES). The direct encoding does not seem to be able to propagate the information from the known plaintext-ciphertext pairs as efficiently as the preprocessing techniques in the optimized encoding. The search heuristics of

smodels yields a rather stable performance on these DES examples except for the optimized encoding with three rounds and two blocks where there are three orders of magnitude differences in the minimal and maximal observed running times and search space sizes.

We compare the performance of Smodels to that of a SAT-checker which has been customized and tuned for the optimized SAT-encoding of DES described in [Massacci1999, Massacci & Marraro2000]. This SAT-checker, based on rel_sat by Bayardo and Schrag Baya-Schr-97, clearly outperforms state-of-the-art SAT-checkers on DES encodings [Massacci & Marraro2000].

Table 3 reports the data on rel_sat. The data does not include preprocessing which in this case is similar to that of the optimized logic program encoding with the addition that it includes also the transformation of the optimized DES description (a boolean formula) to a compact conjunctive normal form (CNF) representation. Table 3 presents the average running time and search space size for rel_sat to find a propositional model (a key) for this CNF formula.

From this preliminary analysis one can say that the usage of stable models as computational paradigm to be used in practice does not score at all badly for such an industrial application.

 Rounds Blocks Time (s) Branches
(Dir.) (Opt.) (Dir.) (Opt.)
 1 1 0.3 0.07 155 28
 1 2 1.6 0.06 372 18
 1 4 2.2 0.1 179 16
 1 8 5.8 0.2 200 16
 2 1 1.2 0.1 151 9
 2 2 1.7 0.1 98 8
 2 4 2.0 0.2 51 8
 2 8 3.6 0.4 39 8
 3 1 230 699
 3 2 640 8900 20672 6000
 3 4 1400 190 14709 29
 3 8 3500 48 18612 8
Table 2: Smodels on DES
rel_sat with learning factor 5
Rounds Blocks Time (s) Branches
1 1 0.02 32
1 2 0.1 100
1 4 0.2 107
1 8 0.4 87
2 1 0.2 283
2 2 0.2 106
2 4 0.3 70
2 8 0.7 56
3 1
3 2 920 141291
3 4 110 14419
3 8 100 5483
Table 3: rel_sat on DES

8 Conclusions

We believe that DES provides an interesting benchmark problem for nonmonotonic reasoning systems because (i) it supplies practically inexhaustible number of industrial relevant test cases, (ii) the encoding of DES using normal logic programs with the stable model semantics is easy to understand, and (iii) test cases are obtained for many nonmonotonic formalisms which contain this subclass of logic programs as a special case. We have developed a direct encoding and an optimized one extending the work of Massacci and Marraro. We have also tested the computational performance of the encodings using the Smodels system.

As DES is basically a boolean function, its encoding does not require any particular nonmonotonic constructs. In our encoding we have used default negation in a straightforward way (everything is false unless otherwise stated), to obtain a much leaner encoding than those obtained by encoding DES as a SAT formula (where both ways of the equivalence are needed). The resulting encodings are acyclic sets of rules which are compact but fairly simple to write and understand. It seems that they are more easier to understand than corresponding encodings of DES using CNF clauses which is the typical input format for current state-of-the-art SAT-checkers. Given that DES key search is a natural boolean satisfiability problem, it is somewhat surprising that our encodings are competitive when compared to state-of-the-art SAT-checkers and even to a tuned and customized SAT-checker working on an optimized SAT-encoding of DES. We think that the success can be accounted for by the compactness of the logic program encoding and the search methods and pruning techniques employed in the Smodels system.

In order to obtain a deeper understanding of the relative strengths of SAT-checkers and stable model implementations, an interesting comparison would be to map the stable model finding problem of DES key search directly to a satisfiability problem and use a state-of-the-art SAT-checker to solve the resulting problem. As our encodings are acyclic programs, the reduction could be done using, e.g., a completion approach [Fages1994].


  • [Bayardo & Schrag1997] Bayardo, R., and Schrag, R. 1997. Using CSP look-back techniques to solve real-world SAT instances. In

    Proc. of the 15th National Conference on Artificial Intelligence

    , 203–208.
  • [Cholewiński et al.1995] Cholewiński, P., Marek, V., Mikitiuk, A., and Truszczyński, M. 1995. Experimenting with nonmonotonic reasoning. In Proc. of the 12th International Conference on Logic Programming, 267–281.
  • [Dimopoulos, Nebel, & Koehler1997] Dimopoulos, Y.; Nebel, B.; and Koehler, J. 1997. Encoding planning problems in non-monotonic logic programs. In Proc. of the Fourth European Conference on Planning, 169–181. Springer-Verlag.
  • [Fages1994] Fages, F. 1994. Consistency of Clark’s completion and existence of stable models. Journal of Methods of Logic in Computer Science 1:51–60.
  • [Feistel, Notz, & Smith1975] Feistel, H.; Notz, W.; and Smith, L. 1975. Some cryptographic techniques for machine-to-machine data communication. Proc. of the IEEE 63(11):1545–1554.
  • [FIPS1997] FIPS. 1997. Data encryption standard. Federal Information Processing Standards Publications FIPS PUB 46-2, National (U.S.) Bureau of Standards. Supersedes FIPS PUB 46-1 of Jan. 1988.
  • [Gelfond & Lifschitz1988] Gelfond, M., and Lifschitz, V. 1988. The stable model semantics for logic programming. In Proc. of the 5th International Conference on Logic Programming, 1070–1080. The MIT Press.
  • [Massacci & Marraro2000] Massacci, F., and Marraro, L. 2000. Logical cryptanalysis as a SAT problem: Encoding and analysis of the U.S. Data Encryption Standard. Journal of Automated Reasoning. To appear in the special issue on SAT-2000.
  • [Massacci1999] Massacci, F. 1999. Using walk-SAT and look-back CSP for cryptographic key search. In Proc. of the 16th International Joint Conference on Artificial Intelligence, 290–295. Morgan Kaufmann Publishers.
  • [Niemelä & Simons1997] Niemelä, I., and Simons, P. 1997. Smodels – an implementation of the stable model and well-founded semantics for normal logic programs. In Proc. of the 4th International Conference on Logic Programming and Non-Monotonic Reasoning, 420–429. Dagstuhl, Germany: Springer-Verlag.
  • [Niemelä1999] Niemelä, I. 1999. Logic programming with stable model semantics as a constraint programming paradigm. Annals of Mathematics and Artificial Intelligence 25(3,4):241–273.
  • [Rudell & Sangiovanni-Vincentelli1987] Rudell, R., and Sangiovanni-Vincentelli, A. 1987. Multiple valued minimization for pla optimization. IEEE Trans. on Computer Aided Design 6(5):727–750.
  • [Schneier1994] Schneier, B. 1994. Applied Cryptography: Protocols, Algorithms, and Source Code in C. John Wiley&Sons.
  • [Simons1998] Simons, P. 1998. Smodels 2.x. A system for computing the stable models of logic programs.
  • [Stinson1998] Stinson, D. 1998. Cryptography: Theory and Practice. Boca Raton-London-Tokyo: CRC Press.