1
00:00:00,830 --> 00:00:03,830
PROFESSOR: We've mentioned
the P equals NP question

2
00:00:03,830 --> 00:00:06,865
a number of times now as
the most important question

3
00:00:06,865 --> 00:00:09,160
in theoretical computer
science, and we've

4
00:00:09,160 --> 00:00:12,134
said that one way to
formulate it is exactly

5
00:00:12,134 --> 00:00:13,800
to ask whether there's
an efficient that

6
00:00:13,800 --> 00:00:17,640
is polynomial-time procedure
to test whether or not

7
00:00:17,640 --> 00:00:23,530
a formula in propositional
logic is satisfiable.

8
00:00:23,530 --> 00:00:25,425
Now, why is that such
an important problem?

9
00:00:27,912 --> 00:00:30,370
We're not just logicians and
we want to know whether or not

10
00:00:30,370 --> 00:00:31,770
some formula is satisfiable.

11
00:00:31,770 --> 00:00:34,990
How did it take on this
enormous importance

12
00:00:34,990 --> 00:00:36,520
and apply to so many fields?

13
00:00:36,520 --> 00:00:40,460
And illustrating how you could
use a satisfiability tester

14
00:00:40,460 --> 00:00:43,920
to factor efficiently
is a good hint

15
00:00:43,920 --> 00:00:47,110
about why it is that all
sorts of things reduce to SAT

16
00:00:47,110 --> 00:00:50,540
and why it, in fact, is such
a centrally important problem.

17
00:00:50,540 --> 00:00:54,010
So let's suppose that we
have a satisfiability tester

18
00:00:54,010 --> 00:00:59,670
and use it to find how
to factor a number n.

19
00:00:59,670 --> 00:01:01,850
Now, the observation
begins with how

20
00:01:01,850 --> 00:01:05,459
you use a SAT solver
is that you can begin

21
00:01:05,459 --> 00:01:08,430
by writing or observing
that it's easy enough

22
00:01:08,430 --> 00:01:11,740
to design a digital
circuit that multiplies,

23
00:01:11,740 --> 00:01:13,430
that does arithmetic
multiplications.

24
00:01:13,430 --> 00:01:15,130
In other words,
it's got some number

25
00:01:15,130 --> 00:01:18,360
of bits reserved for
an input x, a k bits,

26
00:01:18,360 --> 00:01:20,540
and another k bits
for an input y,

27
00:01:20,540 --> 00:01:25,230
and it's got 2k output
lines that produce

28
00:01:25,230 --> 00:01:28,440
the digits of x times y.

29
00:01:28,440 --> 00:01:31,780
You might need one extra
digit, but never mind that.

30
00:01:31,780 --> 00:01:34,840
So this is a multiplier circuit
takes an x, a k bit x in

31
00:01:34,840 --> 00:01:40,140
and a k bit y in and it
spits out the product, which

32
00:01:40,140 --> 00:01:42,820
is another 2k bit
number, and this is not

33
00:01:42,820 --> 00:01:44,000
a terribly big circuit.

34
00:01:44,000 --> 00:01:48,440
The naive way to design it
would use a number of gates

35
00:01:48,440 --> 00:01:51,820
and a number of wires that was
about quadratic in the number

36
00:01:51,820 --> 00:01:53,180
k.

37
00:01:53,180 --> 00:01:55,140
It's easy enough to
design one of these things

38
00:01:55,140 --> 00:01:59,690
where the size is literally
bounded by 5 times k squared,

39
00:01:59,690 --> 00:02:01,360
maybe plus a constant.

40
00:02:01,360 --> 00:02:07,180
And so this definitely
a small polynomial.

41
00:02:07,180 --> 00:02:10,150
Given the number of bits
that I'm working with,

42
00:02:10,150 --> 00:02:14,510
it's easy enough to build
this multiplier circuit.

43
00:02:14,510 --> 00:02:18,040
Now, suppose that I have a
way to test satisfiability

44
00:02:18,040 --> 00:02:19,400
of circuits.

45
00:02:19,400 --> 00:02:22,409
How am I going use this
multiplier circuit to factor?

46
00:02:22,409 --> 00:02:23,950
Well, the first
thing I'm going to do

47
00:02:23,950 --> 00:02:27,045
is let's suppose the number
that I'm factoring is n

48
00:02:27,045 --> 00:02:29,350
and is the product of
two primes, p and q.

49
00:02:29,350 --> 00:02:32,326
Those are the kinds of n's
that we've been using in RSA,

50
00:02:32,326 --> 00:02:35,780
and let me also observe that
it's very easy to design

51
00:02:35,780 --> 00:02:40,050
an n tester-- that is, a
little digital circuit that

52
00:02:40,050 --> 00:02:46,770
has 2k input lines and
produces on its one output line

53
00:02:46,770 --> 00:02:51,710
precisely when the input is
the binary representation of n.

54
00:02:51,710 --> 00:02:54,980
So let's attach this equality
tester that does nothing

55
00:02:54,980 --> 00:02:58,540
but ask whether it's being
fed the digits of n as input

56
00:02:58,540 --> 00:03:03,320
and it produces an
output, 1 for n and 0

57
00:03:03,320 --> 00:03:06,880
if the input pattern is and
the digital representation,

58
00:03:06,880 --> 00:03:09,240
the binary representation
of anything other than n.

59
00:03:09,240 --> 00:03:12,110
That's another trivial
circuit to build.

60
00:03:12,110 --> 00:03:17,610
So we put those two together,
and now watch what happens.

61
00:03:17,610 --> 00:03:22,840
I'm going to take the circuit
and set the first of the input

62
00:03:22,840 --> 00:03:26,750
bits to 0, and then I'm
going to ask the SAT

63
00:03:26,750 --> 00:03:29,350
solver the following
question-- is there

64
00:03:29,350 --> 00:03:34,400
a way to set the remaining
input bits other than 0?

65
00:03:34,400 --> 00:03:35,760
So I've set the first one to 0.

66
00:03:35,760 --> 00:03:36,960
What about these other bits?

67
00:03:36,960 --> 00:03:39,380
The SAT solver can
tell me whether or not

68
00:03:39,380 --> 00:03:42,430
it's possible to get a
1 out of this circuit

69
00:03:42,430 --> 00:03:44,900
with the 0 there fixed.

70
00:03:44,900 --> 00:03:47,460
So let's ask the SAT
solver what happens,

71
00:03:47,460 --> 00:03:49,580
and the SAT solver
says, hey, yes, there

72
00:03:49,580 --> 00:03:52,300
is a way to fill in
the remaining digits

73
00:03:52,300 --> 00:03:53,962
and get an output 1.

74
00:03:53,962 --> 00:03:55,170
Well, what does that tell me?

75
00:03:55,170 --> 00:03:59,590
Well, it tells me that there
is a factor that starts with 0,

76
00:03:59,590 --> 00:04:03,920
so let's fix the 0 based on the
fact that it's possible for me

77
00:04:03,920 --> 00:04:09,690
to fill in the remaining digits
with the bits of factors x

78
00:04:09,690 --> 00:04:12,080
and y that equal n.

79
00:04:12,080 --> 00:04:17,405
Let's try to set the
second input bit to 0

80
00:04:17,405 --> 00:04:18,279
and see what happens.

81
00:04:18,279 --> 00:04:20,690
Well, we'll ask the SAT
tester, is it possible

82
00:04:20,690 --> 00:04:22,700
now to fill in the
remaining digits

83
00:04:22,700 --> 00:04:27,500
to get the two numbers x and
y that multiply and produce

84
00:04:27,500 --> 00:04:29,180
n and therefore output 1?

85
00:04:29,180 --> 00:04:31,440
And the SAT tester
says, no, this

86
00:04:31,440 --> 00:04:33,350
is an unsatisfiable circuit.

87
00:04:33,350 --> 00:04:35,520
You can't get a 1
out of it any more.

88
00:04:35,520 --> 00:04:39,420
That tells me that I have to
set the second bit to 1 in order

89
00:04:39,420 --> 00:04:46,400
to have a factor of n where the
x and y will multiply together

90
00:04:46,400 --> 00:04:47,510
to be n.

91
00:04:47,510 --> 00:04:48,580
All right, fine.

92
00:04:48,580 --> 00:04:51,670
Go to the third bit, ask
whether or not 0 works.

93
00:04:51,670 --> 00:04:54,220
The SAT tester says,
let's say, yes.

94
00:04:54,220 --> 00:04:55,420
So then I could fix 0.

95
00:04:55,420 --> 00:04:59,700
I now know the first
all three bits of x.

96
00:04:59,700 --> 00:05:03,780
And of course, I go on
and in 2k SAT tests,

97
00:05:03,780 --> 00:05:08,040
I know exactly what p and q
are, and I have, in fact, found

98
00:05:08,040 --> 00:05:11,150
the factors p and q.

99
00:05:11,150 --> 00:05:12,650
So that wraps that one up.

100
00:05:12,650 --> 00:05:14,040
That's how you use a SAT tester.

101
00:05:14,040 --> 00:05:16,130
You just do the
SAT test 2k times

102
00:05:16,130 --> 00:05:20,050
and you factored
this 2k bit number.

103
00:05:20,050 --> 00:05:22,310
And of course, if the SAT
test is polynomial in k,

104
00:05:22,310 --> 00:05:25,360
then doing it 2k times just
is also polynomial in k

105
00:05:25,360 --> 00:05:28,390
with one degree higher.

106
00:05:28,390 --> 00:05:32,850
Now, the satisfiability
problem, as we formulated,

107
00:05:32,850 --> 00:05:35,980
was a problem about formulas
that as you wrote out

108
00:05:35,980 --> 00:05:38,230
a propositional formula
and asked whether or not

109
00:05:38,230 --> 00:05:40,190
it was satisfiable,
and I'm instead

110
00:05:40,190 --> 00:05:43,200
asking about satisfiability
of binary circuits.

111
00:05:43,200 --> 00:05:46,400
But in fact, as we did
in some early exercises,

112
00:05:46,400 --> 00:05:50,000
you can describe
a binary circuit

113
00:05:50,000 --> 00:05:53,520
by assigning a fresh variable
to every wire in the circuit

114
00:05:53,520 --> 00:05:56,880
and then writing a little
formula around each gate which

115
00:05:56,880 --> 00:06:00,100
explains how the input
wires to that gate

116
00:06:00,100 --> 00:06:03,020
are related to the
output wire of that gate.

117
00:06:03,020 --> 00:06:06,615
And that little formula explains
that wiring of that gate,

118
00:06:06,615 --> 00:06:09,400
and you take the "and"
of all those formulas

119
00:06:09,400 --> 00:06:13,700
and you have a formula
that is describing

120
00:06:13,700 --> 00:06:18,640
the structure of the circuitry,
and in fact the formula

121
00:06:18,640 --> 00:06:21,290
is satisfiable if and
only if the circuit

122
00:06:21,290 --> 00:06:23,280
can produce an output 1.

123
00:06:23,280 --> 00:06:26,460
So we really have
by assuming that I

124
00:06:26,460 --> 00:06:29,550
could test satisfiability
of formulas,

125
00:06:29,550 --> 00:06:33,550
I can therefore test
satisfiability of circuits,

126
00:06:33,550 --> 00:06:35,560
and therefore I can factor.

127
00:06:35,560 --> 00:06:40,180
So that's the simple trick to
find a propositional formula

128
00:06:40,180 --> 00:06:42,710
that's equisatisfiable
to the circuit--

129
00:06:42,710 --> 00:06:45,140
if the circuit
produces output 1 if

130
00:06:45,140 --> 00:06:48,030
and only if this formula
of about the same size

131
00:06:48,030 --> 00:06:50,600
as the circuit is satisfiable.

132
00:06:50,600 --> 00:06:53,310
And that's the last piece
that I needed in order

133
00:06:53,310 --> 00:06:57,080
to completely
reduce the factoring

134
00:06:57,080 --> 00:06:58,692
to the satisfiability
problem, and you

135
00:06:58,692 --> 00:07:00,900
could see that this is
actually a general method that

136
00:07:00,900 --> 00:07:05,970
will enable you to reduce most
any kind of one-way function

137
00:07:05,970 --> 00:07:08,870
to a few SAT tests.