
RandomSwaps heuristic

In document Preimages for SHA-1 (Page 140-143)


9.4 RandomSwaps heuristic

occurs by enacting the following adjacent swaps: (b ^ c), (d ^ e), (b ^ e). At the end of the process, there are three moves which took place; the size of the tree after each move is retained, and the tree with the smallest size becomes the new BDD. Since there are five variables, this process is repeated five times, with the swapped variables being randomly chosen each time.

The RandomPivot heuristic (called CUDD_REORDER_RANDOM_PIVOT in CUDD) is similar, but chooses the variables to swap more deterministically. The variable which has the largest number of nodes is selected as a target; in case of a tie, the tied variable closest to the root becomes the target. The first variable to swap is chosen randomly from variables closer to the root than the target, and the second is chosen randomly from variables further away from the root than the target. If there are no variables closer to the root than the target, or further away from the root than the target, then the target is chosen as the appropriate variable to swap. The swapping sequence (as detailed above) occurs using the chosen variables, with the smallest size being selected. The RandomPivot heuristic thus ensures that the layer that takes up the most space is targeted.

The Genetic heuristic (called CUDD_REORDER_GENETIC in CUDD) uses a genetic algorithm to attempt to find a better order, inspired by the work of Drechsler, Becker, and Gockel (1996). It uses a deterministic heuristic to ensure that at least one “reasonable” order exists in a population, and then proceeds to randomly generate other members of the population. Crossover in the algorithm is implemented by a Partially Matched Crossover operation, which attempts to “construct the children by choosing the part between the cut positions from one parent and preserve the position and order of as many variables as possible from the second parent”. The “best” children, as determined by size, are chosen for use in subsequent generations.

Neither the random nor the deterministic heuristics achieve better than exponential representations. This does not rule out the possibility, but it does make it much more unlikely that a non-exponential representation exists.

A binary decision diagram can provide a compact representation for many functions, but the SHA-1 compression function is not among this set. Operations performed on a BDD are reasonably fast, and the representation makes it easy to find a preimage. However, a set of 64 inputs would require $\sim 2^{64}$ nodes to represent; this makes it infeasible to use for the purposes of this work.

9.2

BDD Variants

As mentioned in the introduction of this chapter, there are many different variants of BDD. To over-simplify somewhat, a BDD variant (hereafter *DD) does two things: it makes a decision at each node to go “left” or “right” (or “high”/“low”, “then”/“else”, etc.), and it ends up at a particular constant value when it runs out of non-terminal children. Most *DDs, such as Algebraic Decision Diagrams (ADD) (Bahar, Frohm, Gaona, Hachtel, Macii, Pardo, and Somenzi, 1997) or Biconditional Binary Decision Diagrams (BBDD) (Amaru, Gaillardon, and De Micheli, 2013), change one (or, in more extreme variants, both) of these things. For example, an ADD uses a wider range of terminal values, and a BBDD makes decisions using the biconditional expansion $f(v_0, v_1, \ldots, v_n) = ((v_0 \oplus v_1) \wedge f(\neg v_1, v_1, \ldots, v_n)) \vee (\neg(v_0 \oplus v_1) \wedge f(v_1, v_1, \ldots, v_n))$ instead of Boole’s expansion theorem. In this way, and by complementary changes to the reduction rules, a variant can support more scenarios and/or increase the scalability and applicability of the *DD. Although the improvement is welcome, it does not fundamentally change the difficulty of representing SHA-1 using a *DD. Amaru et al. (2013), for example, claim a reduction in the size of a ROBDD of between 28-50%. Assuming that a 64-input BBDD were to be created, and a reduction of 50% were to be achieved, the diagram would still require $\sim 2^{63}$ nodes to be represented. A more fundamental change of the representation is required, and this subsection therefore examines one of the most unusual *DDs that may be applicable to the problem: zero-suppressed BDDs.

A zero-suppressed binary decision diagram (ZBDD) (Minato, 1993) is a specialized *DD which represents combination sets instead of bits. A combination set expresses a set of solutions to a combinatorial problem. Technically speaking, any BDD can represent a combination set: the transitions that lead to a 1-terminal are the transitions that make the function represented by the BDD (called the characteristic function) true, and the ones that lead to a 0-terminal make the characteristic function false.

Figure 9.7: Example: BDD representation of carry calculation

A ZBDD replaces the second reduction rule of a BDD with the rule “Remove nodes with a ‘then’ child that leads to 0, rerouting the node’s input to the ‘else’ child”. As a result, the

it is assumed to be zero-valued for the terminal value to be 1. This means that a diagram does not need to explicitly record 0-valued nodes: it is “zero-suppressed”.

Consider a combinatorial problem such as the “carry” problem described in Section 4.2.1. In that problem, the $v_0$ carry-value is set if exactly 1, 2, 5, or 6 bits (assuming k = 1) happen to be set. Note that the combination of the bits matters, but the order does not. There are then $\binom{6}{1} + \binom{6}{2} + \binom{6}{5} + \binom{6}{6} = 28$ possible ways for $v_0$ to equal 1. Figure 9.7 shows what this would look like in a ROBDD (sans complement edges) and a ZBDD, both of which represent each bit as a node.
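Figure 9.7 is not reproduced here, so the following Python is an added example (not the thesis's code) that builds both a ROBDD without complement edges and a ZBDD for the six-bit carry function above, checks each against the characteristic function on all 64 inputs, and reports their node counts. The six-bit, {1, 2, 5, 6}-count parameters come from the paragraph; the builder, its node numbering and the counts it produces are mine, not values taken from Figure 9.7.

```python
from itertools import product

# Carry problem from the text: v0 is set when exactly 1, 2, 5 or 6 of six bits are set.
N_BITS, COUNTS = 6, (1, 2, 5, 6)

class DecisionDiagram:
    """Canonical ROBDD (no complement edges) or ZBDD; ids 0/1 are the terminals."""
    ZERO, ONE = 0, 1

    def __init__(self, zero_suppressed):
        self.zero_suppressed = zero_suppressed
        self.unique, self.nodes = {}, {}  # (var, lo, hi) -> id and id -> (var, lo, hi)

    def build(self, combos, var=0):
        if not combos:
            return self.ZERO
        if () in combos:           # every variable decided: {()} is the 1-terminal
            return self.ONE
        hi = self.build(frozenset(c[1:] for c in combos if c[0]), var + 1)
        lo = self.build(frozenset(c[1:] for c in combos if not c[0]), var + 1)
        if self.zero_suppressed:
            if hi == self.ZERO:    # ZBDD rule: "then" child leads to 0, reroute to "else"
                return lo
        elif hi == lo:             # BDD rule: both children equal, the test is redundant
            return lo
        key = (var, lo, hi)        # shared rule: merge isomorphic nodes via the unique table
        if key not in self.unique:
            self.unique[key] = len(self.nodes) + 2
            self.nodes[self.unique[key]] = key
        return self.unique[key]

def evaluate(dd, node, bits):
    """Walk the diagram for `bits`; in a ZBDD every skipped variable must be 0."""
    pos = 0
    while node > dd.ONE:
        var, lo, hi = dd.nodes[node]
        if dd.zero_suppressed and any(bits[pos:var]):
            return False
        pos, node = var + 1, (hi if bits[var] else lo)
    return node == dd.ONE and not (dd.zero_suppressed and any(bits[pos:]))

def compare(n=N_BITS, counts=COUNTS):
    """(#combinations, ROBDD nodes, ZBDD nodes), after checking both on all 2^n inputs."""
    combos = frozenset(b for b in product((0, 1), repeat=n) if sum(b) in counts)
    bdd, zbdd = DecisionDiagram(False), DecisionDiagram(True)
    b_root, z_root = bdd.build(combos), zbdd.build(combos)
    for bits in product((0, 1), repeat=n):
        assert evaluate(bdd, b_root, bits) == evaluate(zbdd, z_root, bits) == (bits in combos)
    return len(combos), len(bdd.nodes), len(zbdd.nodes)
```

Calling `compare(3, (0,))` shows the suppression at its most extreme: the single all-zero combination needs a three-node ROBDD chain but collapses to the bare 1-terminal as a ZBDD.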

Example 9.5. Difference in interpretation of BDD and ZBDD. Consider the red path
