1 Introduction
Efforts on developing implementations of nonmonotonic reasoning systems have intensified during the last years and, in particular, implementation techniques for declarative semantics of logic programs (e.g., stable model and wellfounded semantics) have considerably advanced. With an increasing number of systems the question of suitable test suites arises. Typical benchmarks used for testing and comparing such systems include problems from graph theory, planning, and constraint satisfaction [Cholewiński et al.1995, Dimopoulos, Nebel, & Koehler1997, Niemelä1999]. However, it is still difficult to find benchmark suites of wide industrial relevance.
In this paper we advocate that logical cryptanalysis
is a good benchmark for nonmonotonic reasoning systems. Logical cryptanalysis has been introduced by Massacci and Marraro massmarr00JAR as a framework for reasoning about cryptographic algorithms. They pointed out that encoding cryptographic problems as SAT problems might be beneficial for the automated reasoning community as it provides a set of problems of industrial relevance which optimally shares features of randomly generated problems and realworld problems. Indeed, the encoding of the US Data Encryption Standard (DES) into SAT proposed in
[Massacci & Marraro2000, Massacci1999] has a number of useful features:
it allows to generate random instances of similar structure in practically inexhaustible number;

it provides solved instances (for which one solution is known beforehand) which are very hard, for which we can change the value of the solution, and such that we can generate as many different (hard) instances as we want with the same solution;

it has a lot of structure, and the structure is very common to many similar problems in hardware verification, planning and constraint programming (alldiff constraints, defined variables, layered definitions etc.).
These considerations apply to the encoding of cryptographic problems for nonmonotonic reasoning systems with some further advantages:

the representation of cryptographic algorithms using normal logic programs with the stable model semantics is extremely simple and easy to understand;

normal logic programs with the stable model semantics can be seen as an interesting special case for many other more general formalizations of nonmonotonic reasoning.
Indeed, we can provide a natural encoding of DES out of the standard specifications [FIPS1997, Schneier1994, Stinson1998] as a logic program. Massacci and Marraro [Massacci & Marraro2000] have developed a SATencoding of DES where substantial amount of preprocessing and optimizations are employed. As an alternative encoding of DES using logic programs we have upgraded Massacci and Marraro’s optimized SATencoder to deal directly with logic programs. Using these encodings one can perform most^{1}^{1}1To be precise the verification of cryptographic properties proposed in [Massacci & Marraro2000] are expressed as quantified boolean formulae. These are out of our scope. of the reasoning tasks suggested in [Massacci & Marraro2000].
We examine the efficiency of the encodings by using an implementation of the stable model semantics, the Smodels system [Niemelä & Simons1997, Simons1998], for DES key search and by comparing the performance to that of SATsolvers which use the optimized encoding of DES into SAT developed Massacci and Marraro.
The rest of the paper is organized as follows. We start by briefly introducing the stable model semantics and by discussing how to encode boolean expressions as logic programs. We first describe the direct encoding of DES to logic programs and then the optimized encoding. We finish with some experimental results.
2 Logic Programs and Stable Models
The stable model semantics [Gelfond & Lifschitz1988] generalizes the minimal model semantics of definite programs to normal logic program rules
(1) 
where negative body literals () are allowed. For a ground (variablefree) program , the stable models are defined as follows. The reduct of a program with respect to a set of atoms is the program obtained from by deleting

each rule that has a negative literal in its body with and

all negative literals in the remaining rules.
The reduct can be seen as the set of potentially applicable rules given the stable model , i.e., as the rules where the negative body literals are satisfied by the model. Note that in the reduct the negative body literals of the potentially applicable rules are removed and, hence, the rules are definite. The idea is that a stable model should be grounded (or justified) in the sense that every atom in the model is a consequence of the potentially applicable rules and every consequence of the potentially applicable rules is included in the model. The atomic consequences of a set of definite rules can be captured by the unique minimal model, the least model, of the set seen as definite clauses. Hence, a set of atoms is a stable model of a program if it coincides with the least model of the reduct.
Definition 1
Let be a ground program. Then a set of ground atoms is a stable model of iff is the least model of .
Example 2
Program
has a stable model because is the least model of .
In addition to this model, has another stable model which can be verified similarly by constructing the reduct and its least model.
The stable model semantics for programs with variables is obtained from the semantics of ground programs by employing the notion of Herbrand models. The stable models of a program with variables are the stable models of the ground instantiation of the program where variables are substituted by terms from the Herbrand universe of the program (the ground terms built from constants and functions in the program).
Integrity constraints, i.e., rules of the form
(2) 
are often useful for saying that a stable model containing but none of is not acceptable. These rules can be encoded using ordinary rules^{2}^{2}2For example, by introducing two new atoms and and a new rule and finally replacing every rule of the form (2) with one having as its head..
Example 3
Consider program in Example 2 extended by two integrity constraints
This program has only one stable model as the other stable model of , , does not satisfy the first integrity constraint above.
Integrity constraints are a powerful and simple technique for pruning unwanted stable models as they cannot introduce new stable models but only can eliminate them. This means that for a program and a set of integrity constraints , if is a stable model of , then is a stable model of .
3 From Boolean Logic to Logic Programs
DES can be seen as a boolean function which takes as input a vector of bits consisting of the plaintext and key and outputting a vector of bits (the ciphertext). DES is specified using standard boolean operators (negation, disjunction, conjunction, XOR) as well as boolean functions given as truth tables.
In this section we discuss how to encode such boolean expressions using logic programs. Here the goal is to achieve a compact and potentially computationally efficient coding. We aim to exploit the special property of the stable model semantics that everything is false unless otherwise stated. This means that it is enough to consider only the conditions under which an expression is true and let the default negation to handle the other case when the expression is false.
Given a boolean expression we provide a logic program such that satisfying truth assignments of and stable models of coincide. This can be done by introducing a new atom for each subexpression of and, according the intuition mentioned above, by only giving rules stating all conditions on its subexpressions under which is true.
In Table 1 we give the corresponding rules for different kinds of subexpressions. We use the convention that we denote by the corresponding new atom of the subexpression in question and by the new atom introduced for any further subexpression .
As a further optimization, note that it is not necessary to introduce a new atom in the program for negated subexpressions ’’ as they can be represented as ’’ in the program, a positive literal can be represented as such, and an expression ’’ as ’’.
For the rest of the original propositional atoms, which are not introduced as abbreviations in the original boolean expression, the assumption about the default negation is false because they can have any of the two truth values. Therefore we encode this by introducing a new atom for each atomic subexpression and including two rules
(3)  
stating that either is in the stable model or is in the model (when is not there).
Now the satisfying truth assignments of and the stable models correspond in the following sense:

Each stable model of induces a truth assignment where an atom is true in iff and for each subexpression of , is true in iff the corresponding new atom is in .

Each truth assignment induces a stable model of such that for each subexpression of , is true in iff the corresponding new atom is in .
In order to consider stable models corresponding to assignments where is true, one adds to a rule
Further constraints on boolean (sub)expressions can be encoded similarly. In order to ensure that a given (sub)expression is true (respectively false), it is enough to include to the rules
where is the new atom corresponding to . Notice that our translation can be seen as first breaking the boolean expression to a set of equivalences where new atoms are defined for each expression and then mapping these equivalence to rules.
Example 4
Consider an expression
It can be seen as a set of equivalences
Now the program is
For instance, the stable model of corresponds to the truth assignment where the atom is true but is false. If we want to have only models where true, it is enough to add to the rule
When this is done, the resulting program has two stable models: and .
A boolean function given as a truth table can be represented using rules by considering a disjunctive normal form representation of the function. This means that we give the conditions under which the function obtains the value true and provide for each such case a corresponding rule.
Example 5
The function given by the table on the left hand side can be encoded by the rules on its right.
4 The US Data Encryption Standard
For a complete description of DES see [FIPS1997], [Schneier1994, Chap.12], or [Stinson1998]. DES is a blockcipher and its input is a 64 bit block of plaintext and a 64 bit key, where every eighth bit is a parity check bit that is stripped off before the encryption. So, the actual keysize of DES is 56 bits. This key is used for generating the roundkeys, 48 bit permuted subkeys of the key. The output is a 64 bit block of ciphertext.
The high level structure of DES is presented in Figure 1(a). Following Figure 1(a) topdown we see that DES starts with an initial permutation IP of the 64 bit block of plaintext followed by a structure that is called a Feistel cipher [Feistel, Notz, & Smith1975].
The basic component of a Feistel cipher is called a round and is constituted by the following operations:

the input of 64 bits is divided into left and right parts;

the right half (32 bits), together with a roundkey, is taken as input of a function (the round function), which is described below;

the output of is XORed with the left half and the result is a new right half;

the unaltered old right half becomes the new left half.
These rounds can now be chained together and the complete DES contains 16 rounds (Figure 1(a) illustrates three rounds). The strength of DES depends on the number of rounds: after 8 rounds a change in an input bit affects all output bits. In the end of DES, the switching of left and right sides is omitted and the bits are again permuted using the inversion of the initial permutation.
DES function .
Inside the function (see Figure 1
(b)) the 32 input bits are first expanded to 48 bits by duplicating some of them. The expanded bit string is XORed with the roundkey given by the keyschedule described below. The resulting bits are input to 8 Sboxes, 6 bits for each box. The Sboxes are functions of six (binary) variables. The output of every Sbox consists of 4 bits. The resulting 32 bits are finally permuted according to permutation P. The content of the boxes was decided at the time DES was developed and they are the only nonlinear part of DES, hence the security of DES relies on them.
Keyschedule.
The keyschedule function takes as input the key and provides as out a 48 bit roundkey for each round of the Feistel cipher. The DES key is a vector of 64 bits, where every 8th bit is a parity bit. First the parity bits are stripped off, then the keybits are permuted according to the permutation PC1. The result is divided into two parts that are shifted to the left one or two positions recursively, see Figure 1(c). After each shift the bit string is again permuted (PC2) in order to produce the roundkey.
5 A Direct Encoding of DES
We develop first a direct encoding of DES as a logic program. It does not contain any optimization and the idea is to keep the code simple and readable. The code can be used for encryption or key search^{3}^{3}3We have been successful only for limited versions of DES where the number of rounds is less than 16 (the full version). with several plaintextciphertext pairs (the known plaintext attack).
The encoding is given as rules with variables. However, each variable has a domain predicate in the body of the rule so that a set of ground instances with exactly the same stable models is straightforward to determine. The predicates contain variables indicating a plaintextciphertext pair and for round. The corresponding domain predicates are and which specify the relevant rounds and pairs, respectively. The total number of rounds is denoted by a constant . For instance, if we are considering a three round version of DES with two plaintextciphertext pairs, these domain predicates would be defined using the facts:
We describe first DES as used for encryption and then indicate changes needed to be done, e.g., for key search. The plaintext is given as facts , where gives the number of the bit and indicates the pair in question. Note that only facts for true plaintext bits need to be written. For instance, a set of facts
specifies that in the first plaintextciphertext pair, the plaintext bits are true and all other false.
5.1 Round Operations
The rules which encode the round operations, i.e., the rules that join the previous round to the next, are summarized in Figure 2. They work as follows.
For the first round, the 64bit block of plaintext is first permuted according to the initialpermutation IP which is given as a set of facts
Using these facts the rule for (r.1) is easy to express.
For each pair , the bits are divided in two 32 bit parts and renumbered. The renumbering is used only to make the description of the function easier to write and understand and it is done by dividing both halves (32 bits) into 8 groups with each 4 bits. The bits are numbered so that the first digit represents the group and the second digit represents the bit. For example, bit 32, is the second bit in the third group. This renumbering is given as facts:
These facts are used in the rules r.2 and r.3 specifying the right and left parts where the predicate is defined using a set of facts giving the possible renumbered bits .
For each round and each plaintextciphertext pair , the left and right parts and can be defined in terms of the previous parts and the result of the function as follows. The right side is swapped to the left (r.4) and the left side is XORed with the output of to form the right side for the next round (r.5–r.6).
In the final round the switching of left and right halves is omitted (r.7–r.9) but the renumbering is undone and the final permutation (r.10–r.12) is applied.
5.2 Function
For each round and for each pair , the function takes as input the 32 bits of the right part of the previous round and a 48 bit roundkey and works as follows. First every group of the right part is expanded from 4 to 6 bits. For example, the rule
(4) 
means that the 4th bit in the 6th group becomes the 5th bit in the 6th group. The expanded bit string is XORed with the key bits:
where the predicate is defined using a set of facts giving the possible extended renumbered bits .
The resulting groups of 6 bits are the input of their respective Sboxes. The output of every Sbox consists of 4 bits. If we consider the output one bit at the time, the Sboxes can be seen as truth tables. For example, if the input to the second Sbox is 010101, it’s output is 0001. We can encode this behavior with the following rule:
Once again, with the stable models semantics only rules that imply true output bits are needed (see, Example 5). In this case, the output bits 13 are zeros, therefore no rules are needed for them. In the end of the DES function, the vector of bits is permuted according to the permutation P. The rules for permutation are similar to the ones in expansion.
For each round , the keyschedule is given as a set of rules using the key bit facts . For example, the rule
specifies that in the first round the (renumbered) bit 11 of the roundkey is determined by the key bit 10. The stages presented in Figure 1(c) and the renumbering is calculated beforehand in order to avoid some modulo arithmetic. This can be done because the keyschedule is independent of the plaintext to be used.
5.3 Encryption and key search
The encoding can be easily modified to solve many kinds of computational problems related to DES by changing the way the plaintext, ciphertext and the key are encoded.
 Encryption:

It is sufficient to give the true bits of the plaintext as facts for each pair and the true bits of the key as facts . Now for each pair , the true bits of the encrypted ciphertext can be recovered as ground facts in the unique stable model of the encoding with the plaintext and key facts.
 Decryption:

The true bits of the key are specified as facts , the ciphertext is given in the form
and the plaintext by the rules of the form (3) saying that one can choose the truth values of the ground atoms . Then the decrypted plaintext is given by the stable model of the encoding: for each true bit of the plaintext a ground fact is in the model.
Actually, DES is symmetric. This means that decryption is usually done the same way as encryption, using the key schedule in reverse order and the ciphertext in place of the plaintext.
 Known plaintext attack:

For this attack we assume that a certain number of pairs of plaintexts and the corresponding ciphertexts are available and that we want to recover the key. For each pair , the true bits of the plaintext are given as facts , the ciphertext is given in the form
and the key is given by rules of the form (3)
specifying that the truth values of the ground atoms corresponding to the key bits can be chosen. Then the stable models of the resulting encoding correspond to the possible keys yielding the ciphertext from the plaintext for each pair . A key is given as ground facts in the corresponding stable model for all true key bits.
6 An Optimized Encoding of DES
Massacci and Marraro [Massacci & Marraro2000] have devised an optimized encoding of DES to SAT which is particularly effective when the plaintext and the ciphertext are used in a known plaintext attack. We show how to modify this to work with logic programs. We sketch here just the main ideas to make the paper selfcontained and refer to [Massacci & Marraro2000] for further details on the encoding.
The basic idea of the direct encoding is to represent each step of DES as a logic program, the more straightforward, the better. For the optimized encoding we start from a different direction and represent DES as a logical circuit in which each operation is represented as a boolean formula.
Then, for the operations that are repeated at each round (such as the round function ) we apply offline some advanced CAD minimization techniques to squeeze their size as much as possible. In particular in [Massacci & Marraro2000] the CAD program Espresso [Rudell & SangiovanniVincentelli1987] has been used for minimizing the representation of SBoxes as Programmable Logic Arrays (PLAs). The PLA representation is just a representation of boolean functions with disjunctions of conjunctions.
This yields a notable squeeze in the size of the boolean formulae representing the corresponding operations of the SBoxes but is not enough. The second important twist is that whenever possible, the program “executes” directly the DES operations on the propositional variables representing the input bits. For instance, a permutation is not encoded into a boolean formula, rather the program executes the permutation of the input bits and provides as output the permuted propositional variables.
The simplifying effect of this operation can be also explained as a form of partial evaluation in the direct encoding of DES. Consider, for instance, the logic program rule (4). The net effect of the “execution” step is that is replaced everywhere by .
At the end of this process the encoder program def2fml used in [Massacci & Marraro2000] could output a minimized logic program corresponding to DES w.r.t. the direct encoding that we have described in the previous section using the rules we have given in the section on coding boolean formulae.
We can do more when the plaintext and the ciphertext are known, i.e. when we want to perform a known plaintext attack. In particular, with a boolean representation we can perform a notable amount of linear reasoning (reasoning using formulae with exclusive or). In [Massacci1999] it is noted that the presence of exclusive or is what makes the problem hard for stateoftheart SAT checkers and therefore its minimization is essential.
So, for the encoding we acquire the boolean values corresponding to plaintext and ciphertext and preprocess the formula by applying exhaustively a set of simplification rules aimed at eliminating redundancies:

Variables defined by atomic equivalences^{4}^{4}4We define an atomic equivalence as a formula of the form where is a variable and is either another variable or a truth value. are replaced by the corresponding values to reduce the number of variables in other formulae, and to introduce the truth values.

The propositional simplification rules listed in Figure 3 are applied.
The second step (propositional simplification) may introduce additional atomic equivalences and therefore the overall simplification phase is repeated until saturation is reached.



Notice that such preprocessing, and in particular the operations involving exclusive or, cannot be performed with a logic program representation (at least with current technology).
The resulting formula is then translated into a logic program using a further optimized translation w.r.t. that presented in the section on boolean encoding. We can exploit the knowledge that the final formula we got has the form shown in Figure 4 (adapted from [Massacci & Marraro2000]) and translate it as shown in Figure 5. The variables and stand for the number of pair and rounds, according the format of the direct encoding. The letter corresponds to a suitable ground value of the bit number represented by the variable used in the direct encoding. Notice that the final output is a ground logic program so that and are appropriately instantiated by the optimizing encoder.
Notice that the translation of the formula is done piecewise: each equivalence is translated in a suitable number of rules: we use one rule for conjunctions, two rules for XORs, and many rules of disjunctions (as many as there are disjuncts). The trick is that we only encode one direction of the the equivalence exploiting the property of logic programs that “everything is false by default”. In this way we have only to specify when a boolean formula may be true.
However, this is still not sufficient because the translation as sketched is not faithful: we might have more than one “definition” of the same atom, i.e. one or more formulae of the form for the same atom .
If we left it that way, there would not be a oneone correspondence between stable models and propositional truth assignments. We would have more models than due. So we need a further twist to cope with atoms that are defined (are on the left of the equivalence sign in Figure 4) two or more times. Suppose that we have a set of formulae of the form:
and that denotes the fragment of the logic program translating the boolean formula according the rules we have used in Table 1 and Figure 5.
We translate this set of formulae as follows:
One may check that this is a faithful translation of the corresponding boolean formulae. The intuitive explanation is simply that the boolean set of formulae, read conjunctively, just says that all must have the same value and this value must also be assigned to . The first rule chooses a value, say and assign it to as in the standard encoding. The rest of the construction assigns the value of to a new atom and then specifies that is true when is true and that cannot be false when is true.
Then we add the rules (3) saying that one can choose the truth values of the atoms corresponding to key bits, as we do for the direct encoding, and we are done.
7 Experiments
We study the computational properties of the two logic program encodings of DES by using them for key search in a known plaintext attack for a limited form of DES running a given number of rounds. For each number of rounds and pairs of plaintextciphertext blocks we perform 50 key searches using different randomly generated plaintexts and report the mean of the running time and of the size of the search tree. The tests were run under Linux 2.2.12 on 450 MHz Pentium III computers. The encodings and test cases are available at http://www.tcs.hut.fi/Software/smodels/tests/des.html.
Table 2 reports the data on Smodels’s performance. The running times do not include preprocessing. For the direct encoding (Dir.) preprocessing consists of parsing and grounding of the rules which is done by the standard Smodels parser lparse. This takes only few seconds even for the largest examples. For the optimized encoding (Opt.) preprocessing is more involved as explained in the previous section. It includes offline minimization of boolean functions used in DES, partial evaluating the DES description, simplifying it using the known plaintextsciphertext pairs, transforming the resulting boolean formula to a set of ground logic program rules as well as parsing the rules into the internal format of smodels. Hence, in both cases preprocessing produces a ground program parsed into the internal format of smodels. Table 2 gives the average running time and search space size for smodels (version 2.25 with backjump option) to find a stable model (a key) for such a ground program. Entries marked with ’—’ are cases where the set of 50 key searches could not be completed because the running time for each key search extended several CPU hours.
Both encodings have a reasonable performance (although it should be noted that special purpose methods and hardware are able to perform known plaintext attacks successfully even to the full DES). The direct encoding does not seem to be able to propagate the information from the known plaintextciphertext pairs as efficiently as the preprocessing techniques in the optimized encoding. The search heuristics of
smodels yields a rather stable performance on these DES examples except for the optimized encoding with three rounds and two blocks where there are three orders of magnitude differences in the minimal and maximal observed running times and search space sizes.We compare the performance of Smodels to that of a SATchecker which has been customized and tuned for the optimized SATencoding of DES described in [Massacci1999, Massacci & Marraro2000]. This SATchecker, based on rel_sat by Bayardo and Schrag BayaSchr97, clearly outperforms stateoftheart SATcheckers on DES encodings [Massacci & Marraro2000].
Table 3 reports the data on rel_sat. The data does not include preprocessing which in this case is similar to that of the optimized logic program encoding with the addition that it includes also the transformation of the optimized DES description (a boolean formula) to a compact conjunctive normal form (CNF) representation. Table 3 presents the average running time and search space size for rel_sat to find a propositional model (a key) for this CNF formula.
From this preliminary analysis one can say that the usage of stable models as computational paradigm to be used in practice does not score at all badly for such an industrial application.
Smodels  
Rounds  Blocks  Time (s)  Branches  
(Dir.)  (Opt.)  (Dir.)  (Opt.)  
1  1  0.3  0.07  155  28 
1  2  1.6  0.06  372  18 
1  4  2.2  0.1  179  16 
1  8  5.8  0.2  200  16 
2  1  1.2  0.1  151  9 
2  2  1.7  0.1  98  8 
2  4  2.0  0.2  51  8 
2  8  3.6  0.4  39  8 
3  1  —  230  —  699 
3  2  640  8900  20672  6000 
3  4  1400  190  14709  29 
3  8  3500  48  18612  8 
rel_sat with learning factor 5  

Rounds  Blocks  Time (s)  Branches 
1  1  0.02  32 
1  2  0.1  100 
1  4  0.2  107 
1  8  0.4  87 
2  1  0.2  283 
2  2  0.2  106 
2  4  0.3  70 
2  8  0.7  56 
3  1  —  — 
3  2  920  141291 
3  4  110  14419 
3  8  100  5483 
8 Conclusions
We believe that DES provides an interesting benchmark problem for nonmonotonic reasoning systems because (i) it supplies practically inexhaustible number of industrial relevant test cases, (ii) the encoding of DES using normal logic programs with the stable model semantics is easy to understand, and (iii) test cases are obtained for many nonmonotonic formalisms which contain this subclass of logic programs as a special case. We have developed a direct encoding and an optimized one extending the work of Massacci and Marraro. We have also tested the computational performance of the encodings using the Smodels system.
As DES is basically a boolean function, its encoding does not require any particular nonmonotonic constructs. In our encoding we have used default negation in a straightforward way (everything is false unless otherwise stated), to obtain a much leaner encoding than those obtained by encoding DES as a SAT formula (where both ways of the equivalence are needed). The resulting encodings are acyclic sets of rules which are compact but fairly simple to write and understand. It seems that they are more easier to understand than corresponding encodings of DES using CNF clauses which is the typical input format for current stateoftheart SATcheckers. Given that DES key search is a natural boolean satisfiability problem, it is somewhat surprising that our encodings are competitive when compared to stateoftheart SATcheckers and even to a tuned and customized SATchecker working on an optimized SATencoding of DES. We think that the success can be accounted for by the compactness of the logic program encoding and the search methods and pruning techniques employed in the Smodels system.
In order to obtain a deeper understanding of the relative strengths of SATcheckers and stable model implementations, an interesting comparison would be to map the stable model finding problem of DES key search directly to a satisfiability problem and use a stateoftheart SATchecker to solve the resulting problem. As our encodings are acyclic programs, the reduction could be done using, e.g., a completion approach [Fages1994].
References

[Bayardo & Schrag1997]
Bayardo, R., and Schrag, R.
1997.
Using CSP lookback techniques to solve realworld SAT instances.
In
Proc. of the 15th National Conference on Artificial Intelligence
, 203–208.  [Cholewiński et al.1995] Cholewiński, P., Marek, V., Mikitiuk, A., and Truszczyński, M. 1995. Experimenting with nonmonotonic reasoning. In Proc. of the 12th International Conference on Logic Programming, 267–281.
 [Dimopoulos, Nebel, & Koehler1997] Dimopoulos, Y.; Nebel, B.; and Koehler, J. 1997. Encoding planning problems in nonmonotonic logic programs. In Proc. of the Fourth European Conference on Planning, 169–181. SpringerVerlag.
 [Fages1994] Fages, F. 1994. Consistency of Clark’s completion and existence of stable models. Journal of Methods of Logic in Computer Science 1:51–60.
 [Feistel, Notz, & Smith1975] Feistel, H.; Notz, W.; and Smith, L. 1975. Some cryptographic techniques for machinetomachine data communication. Proc. of the IEEE 63(11):1545–1554.
 [FIPS1997] FIPS. 1997. Data encryption standard. Federal Information Processing Standards Publications FIPS PUB 462, National (U.S.) Bureau of Standards. Supersedes FIPS PUB 461 of Jan. 1988.
 [Gelfond & Lifschitz1988] Gelfond, M., and Lifschitz, V. 1988. The stable model semantics for logic programming. In Proc. of the 5th International Conference on Logic Programming, 1070–1080. The MIT Press.
 [Massacci & Marraro2000] Massacci, F., and Marraro, L. 2000. Logical cryptanalysis as a SAT problem: Encoding and analysis of the U.S. Data Encryption Standard. Journal of Automated Reasoning. To appear in the special issue on SAT2000.
 [Massacci1999] Massacci, F. 1999. Using walkSAT and lookback CSP for cryptographic key search. In Proc. of the 16th International Joint Conference on Artificial Intelligence, 290–295. Morgan Kaufmann Publishers.
 [Niemelä & Simons1997] Niemelä, I., and Simons, P. 1997. Smodels – an implementation of the stable model and wellfounded semantics for normal logic programs. In Proc. of the 4th International Conference on Logic Programming and NonMonotonic Reasoning, 420–429. Dagstuhl, Germany: SpringerVerlag.
 [Niemelä1999] Niemelä, I. 1999. Logic programming with stable model semantics as a constraint programming paradigm. Annals of Mathematics and Artificial Intelligence 25(3,4):241–273.
 [Rudell & SangiovanniVincentelli1987] Rudell, R., and SangiovanniVincentelli, A. 1987. Multiple valued minimization for pla optimization. IEEE Trans. on Computer Aided Design 6(5):727–750.
 [Schneier1994] Schneier, B. 1994. Applied Cryptography: Protocols, Algorithms, and Source Code in C. John Wiley&Sons.
 [Simons1998] Simons, P. 1998. Smodels 2.x. http://www.tcs.hut.fi/pub/smodels/. A system for computing the stable models of logic programs.
 [Stinson1998] Stinson, D. 1998. Cryptography: Theory and Practice. Boca RatonLondonTokyo: CRC Press.