Non-Clausal Redundancy Properties �

. State-of-the-art refutation systems for SAT are largely based on the derivation of clauses meeting some redundancy criteria, ensuring their addition to a formula does not alter its satis ﬁ ability. However, there are strong propositional reasoning techniques whose inferences are not easily expressed in such systems. This paper extends the redundancy framework beyond clauses to characterize redundancy for Boolean constraints in general. We show this characterization can be instantiated to develop e ﬃ ciently checkable refutation systems using redundancy properties for Binary Decision Diagrams (BDDs). Using a form of reverse unit propagation over conjunctions of BDDs, these systems capture, for instance, Gaussian elimination reasoning over XOR constraints encoded in a formula, without the need for clausal translations or extension variables. Notably, these systems generalize those based on the strong Propagation Redundancy (PR) property, without an increase in complexity.


Introduction
The correctness and reliability of Boolean satisfiability (SAT) solvers is critical for many applications. For instance SAT solvers are used for verifying hardware and software systems (e.g. [18,27,43]), to search for solutions to open problems in mathematics (e.g. [37,45]), and as subroutines of other logical reasoning tools (e.g. [6,66]). Solvers should be able to provide solution certificates that are easily and externally checkable. For a satisfiable formula, any satisfying assignment is a suitable certificate and typically can be easily produced by a solver. For an unsatisfiable formula, a solver should be able to produce a refutation proof.
Modern SAT solvers primarily refute unsatisfiable formulas using clausal proof systems, such as the popular DRAT system [68] used by the annual SAT competition in recent years [4], or newer systems based on the surprisingly strong Propagation Redundancy (PR) property [32]. Clausal proof systems iteratively extend a formula, typically given in conjunctive normal form (CNF), by adding clauses that are redundant; that is, their addition to the formula does not affect whether it is satisfiable. Systems are distinguished by their underlying redundancy properties, restricted but efficiently-decidable forms of redundancy.
Redundancy is a useful notion in SAT as it captures most inferences made by state-of-the-art solvers. This includes clauses implied by the current formula, such as the resolvent of two clauses or clauses learned during conflict-driven clause learning (CDCL) [7,50], as well as clauses which are not implied but derived nonetheless by certain preprocessing and inprocessing techniques [42], such as those based on blocked clauses [41,44,47]. Further, clausal proof systems based on properties like PR include short refutations for several hard families of formulas, such as those encoding the pigeonhole principle, that have no polynomiallength refutations in resolution [2] (see [15] for an overview). These redundancy properties, seen as inference systems, thus potentially offer significant improvements in efficiency, as the CDCL algorithm at the core of most solvers searches only for refutations in resolution [8]. While the recent satisfaction-driven clause learning (SDCL) paradigm has shown some initial success [34,36], it is still unclear how to design solving techniques which take full advantage of this potential.
Conversely, there are existing strong reasoning techniques which similarly exceed the abilities of CDCL alone, but are difficult to express using clausal proof systems. Important examples include procedures for reasoning over CNF formulas encoding pseudo-Boolean and cardinality constraints (see [57]), as well as Gaussian elimination (see [11,60,61,67]), which has been highlighted as a challenge for clausal proof systems [30]. Gaussian elimination, applied to sets of "exclusive-or" (XOR) constraints, is a crucial technique for many problems from cryptographic applications [61], and can efficiently solve, for example, Tseitin formulas hard for resolution [63,65]. This procedure, implemented by CryptoMin-iSAT [61], Lingeling [9], and Coprocessor [49] for example, can be polynomially simulated by extended resolution, allowing inferences over new variables, and similar systems (see [55,59]). However due to the difficulty of such simulations they are not typically implemented. Instead solvers supporting these techniques simply prevent them from running when proof output is required, preferring less efficient techniques whose inferences can be more easily represented. This paper extends the redundancy framework for clausal proof systems to include non-clausal constraints, such as XOR or cardinality constraints, presenting a characterization of redundancy for Boolean functions in general. We demonstrate a particular use of this characterization by instantiating it for functions represented by Binary Decision Diagrams [12], a powerful representation with a long history in SAT solving (e.g. [13,22,23,51,53]) and other areas of automated reasoning (e.g. [14,28,46,56]). We show the resulting refutation systems succinctly express Gaussian elimination while also generalizing existing clausal systems. Results using a prototype implementation confirm these systems allow compact and efficiently checkable refutations of CNF formulas that include embedded XOR constraints solvable by Gaussian elimination.
In the rest of the paper, Section 2 includes preliminaries and Section 3 presents the characterization of redundancy for Boolean functions. Section 4 introduces redundancy properties for BDDs, and Section 5 demonstrates their use for Gaussian elimination. Section 6 presents the results of our preliminary implementation, and Section 7 concludes.

Preliminaries
We assume a set of Boolean variables V under a fixed order ≺ and use standard SAT terminology. The set of truth values is B = {0, 1}. An assignment is a function τ : V → B and the set of assignments is Formulas express Boolean functions as usual, are assumed to be in conjunctive normal form, and are written using capital letters F and G. A clause can be represented by its set of literals and a formula by its set of clauses.
A partial assignment is a non-contradictory set of literals σ; that is, if l ∈ σ then ¬l � ∈ σ. The application of a partial assignment σ to a clause C is written C| σ and defined by: . Similarly the application of σ to a formula F is written F | σ and defined by: Unit propagation is the iterated replacement of F with F | {l} for each unit clause (l) ∈ F , until F includes the empty clause ⊥, or F contains no unit clauses. A formula F implies a clause C by reverse unit propagation (RUP) if unit propagation on F ∧ ¬C ends by producing ⊥ [26].
For a formula F and clause C, if F and F ∧ C are equisatisfiable (both satisfiable or both unsatisfiable) then C is redundant with respect to F . Efficiently identifiable redundant clauses are at the foundation of many formula simplification techniques and refutation systems (for instance, see [31,32,36,42]). In general, deciding whether a clause is redundant is complete for the complement of the class DP [5], containing both NP and co-NP [54], so solvers and proof systems rely on polynomially-decidable redundancy properties for checking specific instances of redundancy. The following characterization of redundant clauses provides a common framework for formulating such properties.
Theorem 1 (Heule, Kiesl, and Biere [35]). A clause C � = ⊥ is redundant with respect to a formula F if and only if there is a partial assignment ω such that C| ω = � and F | α � F | ω , for the partial assignment α = {¬l | l ∈ C}.
The partial assignment ω, usually called a witness for C, includes at least one of the literals occurring in C, while α is said to block the clause C. Redundancy properties can be defined by replacing � in the theorem above with efficientlydecidable relations R such that R ⊆ �. Propagation redundancy (PR) [32] replaces � with � 1 , where F � 1 G if and only if F implies each D ∈ G by RUP. The property PR gives rise to a refutation system, in which a refutation is a list of clauses C 1 , . . . , C n and witnesses ω 1 , . . . , ω n such that C k | ωk = � and Most redundancy properties used in SAT solving can be understood as restricted forms of propagation redundancy. The RAT property [42] is equivalent to literal propagation redundancy, where the witness ω for any clause C may differ from the associated α on only one literal; that is, ω = (α \ {¬l}) ∪ {l} for some l ∈ C [35]. The DRAT system [68] is based on RAT, with the added ability to remove clauses from the accumulated formula F � C i .

Redundancy for Boolean Functions
Theorem 1 provides a foundation for clausal proof systems by characterizing redundant clauses in a convenient way. However, the restriction to clauses places limitations on these systems, making some forms of non-clausal reasoning difficult to express. For solvers aiming to construct refutations in these systems, this translates directly to restrictions on which solving techniques can be used. We show this characterization can be broadened to include redundancy for non-clausal constraints, and can be used to define useful redundancy properties and refutation systems. The contributions of this paper are divided into three corresponding levels of generality. The top level, covered in the current section, is the direct extension of Theorem 1 from redundancy for clauses, written R, to redundancy for Boolean functions, written R f . The middle level, the focus of Section 4, instantiates the resulting Theorem 2 to define the refutation systems RUP BDD and PR BDD based on redundancy for Binary Decision Diagrams. At the bottom level, these systems are shown to easily handle Gaussian elimination (GE) in Section 5, as well as some aspects of cardinality reasoning (CR). The relationships between these notions of redundancy are shown in Figure 1.
Each level of generality is individually important to this work. At the bottom level, the straightforward expression of Gaussian elimination by RUP BDD and PR BDD makes it more feasible for solvers to use this efficient technique with proof production, especially as these systems generalize their clausal analogs already in use. The results in Section 6 confirm the usefulness of RUP BDD for this purpose. At the middle level, we show the notion of redundancy instantiated for BDDs in this way may be capable of other strong forms of reasoning as well. Finally, the top level provides a very general form of redundancy, independent of function representation. This may make possible the design of redundancy properties and refutation systems in contexts where the BDD representation of constraints is too large; for example, it is known that some pseudo-Boolean constraints can in general have exponential size BDD representations [1,40].
This section presents in Theorem 2 a characterization of redundancy for Boolean functions in general. One way of instantiating this characterization is demonstrated in Section 4 where the functions are represented by Binary Decision Diagrams; the resulting refutation systems are shown in Section 5 to easily express Gaussian elimination. However, the applicability of Theorem 2 is much broader, providing a foundation for redundancy-based refutation systems independent of the representation used.
Proofs of theoretical results not included in the text can be found in the appendix. We begin with the definition corresponding to the property R f . Definition 1. A Boolean function g is redundant with respect to a Boolean function f if the functions f and f ∧ g are both satisfiable, or both unsatisfiable.
As we will see, extending Theorem 1 to the non-clausal case relies on the notion of a Boolean transformation, or just transformation: a function ϕ : B V → B V , mapping assignments to assignments. Importantly, for a function f and trans- Composing a function with a transformation can be seen as a generalization of the application of a partial assignment to a formula or clause as defined in the previous section. Specifically, for a partial assignment σ letσ refer to the following transformation: for any assignment τ , the assignmentσ(τ ) satisfies � l∈σ l, andσ ignores any x ∈ V such that x, ¬x � ∈ σ. Then for any formula F the formula F | σ expresses exactly the function F •σ. In particular, if α is the partial assignment blocking a clause C then notice C •α(τ ) = 0 for all τ , butα ignores variables not appearing in C; consequentlyα(τ ) = τ if τ already falsifies C. Generalizing this idea to transformations that block non-clausal constraints is more complicated. In particular, there may be multiple blocking transformations.
Motivated by this we define transformations blocking a function as follows.
Notice any g not equal to the constant function 1 has blocking transformations; for example, by mapping every τ satisfying g to a particular assignment falsifying it. Using this definition, the following theorem shows how the redundancy of a Boolean function g with respect to another function f can be demonstrated. This is a direct generalization of Theorem 1, using a transformation blocking g in the place of the partial assignment blocking a clause, and a transformation ω such that g • ω is the constant function 1 in place of the witnessing assignment.
Theorem 2. Let f be a function and g a non-constant function. Then g is redundant with respect to f if and only if there exist transformations α and ω such that α blocks g and g •ω is the constant function 1, and further f •α � f •ω.
Proof. (⇒) Suppose g is redundant with respect to f and let α be any transfor- Here we can take as ω the transformation ω(τ ) = τ * for all τ ∈ B V , where τ * is some assignment satisfying f ∧ g. Then both f • ω and g • ω are the constant function 1, so that f • α � f • ω holds in this case as well.
(⇐) Suppose α, ω meet the criteria stated in the theorem. We show that g is redundant by demonstrating that if f is satisfiable, then so is f ∧ g. Suppose τ is an assignment satisfying f . If also g(τ ) = 1, then of course τ satisfies f ∧ g. If instead g(τ ) = 0, then α(τ ) = τ as α blocks the function g. Thus The clausal characterization in Theorem 1 shows that the redundancy of a clause can be evidenced by providing a witnessing assignment and demonstrating that an implication holds, providing a foundation for refutations based on the iterative conjunction of clauses. Theorem 2 above shows that the redundancy of a function in general can be seen in the same way by providing transformations α and ω. Consequently this suggests how to construct refutations based on the iterative conjunction of Boolean functions.
As for clausal redundancy, refutations are intuitively based on the following: if g 1 is redundant with respect to f , and g 2 is redundant with respect to f ∧ g 1 , then f and f ∧g 1 ∧g 2 are equisatisfiable; that is, g 1 ∧g 2 is redundant with respect to f . The following holds as a direct consequence.
This shows, abstractly, how redundant Boolean functions can be used as a basis for refutations in the same way as redundant clauses. To define practical, and polynomially-checkable, refutation systems based on non-clausal redundancy in this way, we focus on a representation of Boolean functions that can be used within the framework described above. Specifically, we consider sets of BDDs in conjunction, just as formulas are sets of clauses in conjunction. Clauses are easily expressed by BDDs, and thus this representation easily expresses (CNF) formulas; this is necessary as we are typically interested in proving the unsatisfiability not of functions in general, but of (CNF) formulas. It is important to notice this is only a particular instantiation of Theorem 2, and that other representations of Boolean functions may give rise to useful and efficient systems as well.
BDDs [3,12,48] are compact expressions of Boolean functions in the form of rooted, directed, acyclic graphs consisting of decision nodes, each labeled by a variable x ∈ V and having two children, and two terminal nodes, labeled by 0 and 1. The BDD for a function f : B V → B is based on its Shannon expansion, where σ 0 = {¬x} and σ 1 = {x}, for x ∈ V . As is common we assume BDDs are ordered and reduced : if a node with variable label x precedes a node with label y in the graph then x ≺ y, and the graph has no distinct, isomorphic subgraphs. Representation this way is canonical up to variable order, so that no two distinct BDDs with the same variable order represent the same Boolean function [12].
Our use of BDDs for representing non-clausal redundancy relies on the concept of cofactors as developed in BDD literature. The functions f •σ 0 and f •σ 1 are called literal cofactors of f by ¬x and x, respectively, and are usually written f | ¬x and f | x . The cofactor of f by a conjunction of literals c = l 1 ∧· · ·∧l n can be defined similarly, so that f | c = f •σ c , for the partial assignment σ c = {l 1 , . . . , l n }. This notation is the same as for the application of a partial assignment to a clause or formula from Section 2, as the notions coincide. More precisely, if a formula F and BDD f express the same function, so do the formula F | σc and BDD f | c .
More broadly, for BDDs f and g, a generalized cofactor of f by g is a BDD h such that f ∧ g = h ∧ g; that is, f and h agree on all assignments satisfying g. This leaves unspecified what value h(τ ) should take when g(τ ) = 0, and various different BDD operations have been developed for constructing generalized cofactors [19,20,21] The constrain operation [20] produces for f and g, with g not equal to the always false 0 BDD, a generalized cofactor which can be seen as the composition f • π g , where π g is the transformation [62]: The function d is defined as follows: Intuitively, d is a measure of distance between two assignments based on the variables on which they disagree, weighted by their position in the variable order. It is important to notice then that the transformation π g and the resulting f • π g depend on the variable order, and may differ for distinct orders. For a conjunction of literals c, though, f • π c = f | c regardless of the order, so that f | g refers to f • π g in general.
As the transformation π g maps an assignment falsifying the function g to the nearest assignment (with respect to d) satisfying it, a transformation that blocks the function g can surely be obtained as follows.
Lemma 1. If g is not equal to the constant function 1 then π ¬g blocks g.
This form of generalized cofactor, as computed by the constrain operation, is well suited for use in redundancy-based reasoning as described above, as the transformation π ¬g depends only on g. As a consequence, for BDDs f 1 and | ¬g expresses the same function as the BDD for the conjunction f 1 | ¬g ∧ f 2 | ¬g . Thus given a set of BDDs f 1 , . . . , f n we can represent (f 1 ∧ · · · ∧ f n )| ¬g simply by the set of cofactors f i | ¬g and without constructing the BDD for the conjunction f 1 ∧ · · · ∧ f n , which is NP-hard in general. In particular, given a formula F = C 1 ∧ · · · ∧ C n and a Boolean constraint g, the function F | ¬g can be represented simply by applying the constrain operation to each of the BDDs representing C i . Therefore, from Theorem 2 we can characterize redundancy for conjunctions of BDDs, written R BDD , as follows.
Proposition 2. Suppose f 1 , . . . , f n are BDDs and g is a non-constant BDD. If there is a partial assignment {l 1 , . . . , l k } such that for ω = � k i=1 l i , and g| ω = 1 then g is redundant with respect to f 1 ∧ . . . ∧ f n .

BDD Redundancy Properties
The previous section provided a characterization of redundancy for Boolean functions, and showed how this could be instantiated for BDDs. In this section we develop polynomially-checkable properties for showing that a BDD is redundant with respect to a conjunction of BDDs, and describe their use in refutation systems for proving the unsatisfiability of formulas. As Theorem 1 is used for defining clausal redundancy properties, Proposition 2 gives rise to BDD redundancy properties by replacing � with polynomiallydecidable relations. Similar to the use of the unit propagation procedure by the clausal properties RUP and PR, we describe a unit propagation procedure for use with a set of BDDs and derive analogous properties RUP BDD and PR BDD .
For a BDD f , the Shannon expansion shows that if f | ¬l = 0 (i.e. f | ¬l is the always false 0 BDD) for some literal l, then f = l ∧ f l , and therefore f � l. Then the units implied by f , written U (f ), can be defined as follows.
As f | ¬l can be computed in O(|f |), where |f | is the number of nodes in the BDD for f [58], then U (f ) can certainly be computed in O(|V | · |f |) ⊆ O(|f | 2 ), though this can be reduced to O(|f |). We write � U (f ) to mean � l∈U (f ) l. Figure 2 provides a sketch of the unit propagation procedure. Whenever U (f ) is non-empty for some f in a set of BDDs, each BDD in the set can be replaced with its cofactor by � U (f ). This approach to unit propagation is largely similar to that of Olivo and Emerson [52], except we consider two conflict situations: if some BDD becomes 0, or if two BDDs are the negations of each other.
For N = |f 1 | + · · · + |f n | the procedure UnitProp(f 1 , . . . , f n ) can be performed in time O(N 2 ). In line 5, if f j and � U (f i ) share no variables, then f j = f j | � U (fi) , otherwise the BDD for f j | � U (fi) can be constructed in time O(|f j |) and further |f j | � U (fi) | < |f j |. This procedure is correct: "conflict" is only returned when � n i=1 f i is unsatisfiable (see the appendix for the proof). Proposition 3. If UnitProp(f 1 , . . . , f n ) returns "conflict" then f 1 ∧ · · · ∧ f n ≡ 0.
UnitProp generalizes the usual unit propagation procedure on a formula: if C is a clause, then U (C) � = ∅ implies C is a unit clause and � l∈U (C) l = C. We extend the relation � 1 and the definition of RUP accordingly.
We show that RUP BDD is a redundancy property. Given BDDs f 1 , . . . , f n , g, checking whether g is implied by RUP BDD primarily consists of the UnitProp procedure, though each f i | ¬g must first be constructed, which can be done in time O(|f i | · |g|) [20]. The size of this BDD may in some cases be larger than the size of f i , though it is typically smaller [20,62] and at worst |f i | ¬g | ≤ |f i | · |g|. Consequently it can be decided in time O(|g| 2 · N 2 ) whether g is implied by RUP BDD . Finally if g is implied by RUP BDD then it is redundant with respect to f 1 ∧ · · · ∧ f n ; in fact, it is a logical consequence (proof available in the appendix).
From RUP BDD the property PR can be directly generalized to this setting as well. Specifically, we define the redundancy property PR BDD as follows.
Definition 6. Suppose f 1 , . . . , f n are BDDs and g is a non-constant BDD. Then with respect to f = f 1 ∧ · · · ∧ f n then g is redundant with respect to f , thus PR BDD is a redundancy property.
Notice these properties and derivations directly generalize their clausal equivalents; for example, if C is PR with respect to a formula F , then (the BDD expressing) C is PR BDD with respect to (the set of BDDs expressing) F . Deciding whether a clause C is PR with respect to a formula F is NP-complete [36]. As PR BDD generalizes PR, then PR BDD is NP-hard as well. Further, checking whether g is PR BDD with respect to f 1 ∧ · · · ∧ f n by some candidate ω can be done polynomially as argued above, thus the following holds.
In other words, the decision problems for PR and PR BDD are of equal complexity.
The properties RUP BDD and PR BDD as defined in this section can be used to show that a BDD can be added to a set of BDDs in a satisfiability-preserving way. Of course, any clause has a straightforward and simple representation as a BDD, so that a formula can be easily represented this way as a set of BDDs. As a result RUP BDD and PR BDD can be used as systems for refuting unsatisfiable formulas. In the following, we identify a clause with its representation as a BDD, and a formula with its representation as a set of such BDDs.
To simplify the presentation of derivations based on RUP BDD and PR BDD we introduce an additional redundancy property, allowing derivations to include steps to directly derive certain BDDs path-wise in the following way.
If f 1 ∧· · ·∧f n implies g by RUP path then it is a logical consequence of f 1 ∧· · ·∧f n , as this checks that no assignment satisfies both ¬g and f 1 ∧ · · · ∧ f n . The number of paths in a BDD g can however be exponential in |g|, as in the BDD for an XOR constraint, so the second condition ensures RUP path is polynomially-checkable.
The property RUP path is primarily useful as it allows the derivation of a BDD g whose representation as a set of clauses is included in {f 1 , . . . , f n }: if c corresponds to a path to 0 in g, the clause ¬c is included in the direct clausal translation of g. In this context, the restrictive condition (2) in Definition 7 can in fact be removed, since the number of paths in g is then at most n. Definition 8. A sequence of BDDs g 1 , . . . , g n is a RUP BDD derivation from a formula F if F ∧ � k−1 i=1 g i implies g k by RUP BDD , or by RUP path , for all 1 ≤ k ≤ n. A sequence of BDD and assignment pairs (g 1 , ω 1 ), . . . , (g n , ω n ) is As RUP BDD , RUP path , and PR BDD are redundancy properties, any RUP BDD or PR BDD derivation corresponds to a redundancy sequence of the same length. F = {a ∨ b, a ∨ c, b ∨ c, a ∨ d, b ∨ d, c ∨ d} and let g be the BDD such that g(τ ) = 1 if and only if τ satisfies at least 3 of a, b, c, d; that is, g is the cardinality constraint {a, b, c, d} ≥ 3. As seen in Example 2, the constraint g 1 = {a, b, c} ≥ 2 is RUP BDD with respect to F ; similarly so are the constraints, g 2 = {a, c, d} ≥ 2, and g 3 = {b, c, d} ≥ 2. Now, ¬a ∈ U (g 3 | ¬g ): for any τ the assignment π ¬g (τ ) satisfies at most 2 of a, b, c, d, and if a is one of them then π ¬g (τ ) surely falsifies g 3 . As a result, (g 3 | ¬g )| a = 0. In a similar way ¬b ∈ U (g 2 | ¬g ). Since g 1 | ¬g cofactored by the units ¬a and ¬b is falsified, then UnitProp(g 1 | ¬g , g 2 | ¬g , g 3 | ¬g ) returns "conflict." Consequently g is RUP BDD with respect to F ∧ g 1 ∧ g 2 ∧ g 3 , and g 1 , g 2 , g 3 , g is a RUP BDD derivation from F . This example can be generalized to show that RUP BDD is capable of expressing an inference rule for cardinality constraints called the diagonal sum [39]. For L = {l 1 , . . . , l n } let L i = L \ {l i }; the diagonal sum derives L ≥ k + 1 from the set of all n constraints L i ≥ k.

Example 3. Consider the formula
While the properties and refutation systems RUP BDD and PR BDD easily extend their clausal counterparts, it is important to notice that redundancy-based systems using BDDs can be defined in other ways. For instance, say Then IMP pair is polynomially checkable, computing the conjunction for each pair i, j. Moreover, it is clear that f 1 ∧ f 2 � g if and only if f 1 ∧ f 2 implies g by IMP pair . As many logical inference rules have this form, it is possible that systems based on IMP pair are very strong.

Gaussian Elimination
Next, we show how the Gaussian elimination technique for simplifying XOR constraints embedded in a formula is captured by the redundancy properties defined in the previous section. Specifically, if an XOR constraint X is derivable from a formula F by Gaussian elimination, we show there is a RUP BDD derivation from F including the BDD expressing X with only a linear size increase.
An XOR clause [x 1 , . . . , x n ] p expresses the function f : B V → B, where V = {x 1 , . . . , x n } and p is 0 or 1, such that f (τ ) = 1 if and only if the number of x i ∈ V satisfied by τ is equal modulo 2 to p. In other words, p expresses the parity of the positive literals x i an assignment must satisfy in order to satisfy the XOR clause. As [x, y, y] p and [x] p express the same function, we assume no variable occurs more than once in an XOR clause. Notice that [ ] 0 expresses the constant function 1, while [ ] 1 expresses 0.
The Gaussian elimination procedure begins by detecting XOR clauses encoded in a formula F . The direct encoding D(X) of X = [x 1 , . . . , x n ] p is the collection of clauses of the form C = {l 1 , . . . , l n }, where each l i is either x i or ¬x i and the number of negated literals in each C is not equal modulo 2 to p The formula D(X) expresses the same function as X, containing the clauses preventing each assignment over the variables in X not satisfying X. As a result, D(X) implies the BDD expressing X by RUP path (see appendix for proof).
Similar to the approach of Philipp and Rebola-Pardo [55], we represent Gaussian elimination steps by deriving the addition X ⊕ Y of XOR clauses X = [x 1 , . . . , x m , z 1 , . . . , z r ] p and Y = [y 1 , . . . , y n , z 1 , . . . , z r ] q , given by: The following lemma shows that X ⊕ Y is RUP BDD with respect to X ∧ Y ; that is, if a RUP BDD derivation includes X and Y then X ⊕ Y can be derived as well. This is a result of the following observation: while the precise cofactors of X and Y by ¬(X ⊕ Y ) depend on the variable order ≺, they are the negations of one another (proof is included in the appendix).

Lemma 3.
Let v be the ≺-greatest variable in occurring in exactly one of X and Y , and assume v occurs in Y . Then X| ¬(X⊕Y ) = X, and Y | ¬(X⊕Y ) = ¬X.
The above lemma shows that the procedure UnitProp(X| ¬X⊕Y , Y | ¬X⊕Y ) returns "conflict" immediately, and as a result X ⊕ Y is RUP BDD with respect to f 1 ∧ · · · ∧ f n ∧ X ∧ Y for any set of BDDs f 1 , . . . , f n .
Define a Gaussian elimination derivation Π from a formula F as a sequence of XOR clauses Π = X 1 , . . . , X N , such that for all 1 ≤ i ≤ N , either X i = X j ⊕ X k for j, k < i, or D(X i ) ⊆ F . The size of the derivation is |Π| = � N i=1 s i , where s i is the number of variables occurring in X i . We show that Π corresponds to a RUP BDD derivation with only a linear size increase. This size increase is a result of the fact that the BDD expressing an XOR clause X = [x 1 , . . . , x n ] p has size 2n + 1 (proof of the following theorem is available in the appendix).
Theorem 3. Suppose Π = X 1 , . . . , X N is a Gaussian elimination derivation from a formula F . Then there is a RUP BDD derivation from F with size O(|Π|).
A consequence of this theorem is that RUP BDD includes short refutations for formulas whose unsatisfiability can be shown by Gaussian elimination. More precisely, suppose a formula F includes the direct representations of an unsatisfiable collection of XOR clauses. Then there is a polynomial-length Gaussian elimination derivation of the unsatisfiable XOR clause [ ] 1 from F [61], and by Theorem 3, a polynomial-length RUP BDD derivation of the unsatisfiable BDD 0.
Notably, RUP BDD then includes short refutations of, for example, the Tseitin formulas, for which no polynomial-length refutations exist in the resolution system [63,65]. This limitation of resolution holds as well for the clausal RUP system, without the ability to introduce new variables, as it can be polynomially simulated by resolution [8,24]. As the translation into RUP BDD used to prove Theorem 3 introduces no new variables, this demonstrates the strength of RUP BDD compared to resolution and its clausal analog RUP.

Results
To begin to assess the practical usefulness of the systems introduced in Section 4, we have implemented in Python a prototype of a tool called dxddcheck 1 for checking refutations in a subset of RUP BDD . In particular we focus on the result of Section 5, that Gaussian elimination is succinctly captured by RUP BDD . We ran the SAT solver Lingeling (version bcp) on a collection of crafted unsatisfiable formulas, all of which can be solved using Gaussian elimination. From Lingeling output we extract a list of XOR clause additions and deletions, ending with the addition of the empty clause, as shown in Figure 4. This list is passed directly to dxddcheck, which carries it out as a DRUP BDD refutation; that is, a RUP BDD refutation also allowing steps which remove or "delete" BDDs from the set. These deletion steps can be removed without affecting the correctness of the refutation, though their inclusion can decrease the time required for checking it, as is the case with DRUP and RUP. For these experiments we used a 1.8 GHz Intel Core i5 CPU with 8 GB of memory. The table shows the time Lingeling took to solve each formula, the number of lines in the constructed proof and its size, and the time dxddcheck took to construct and check the associated DRUP BDD proof. These benchmarks are well-known challenging examples in the contexts of XOR reasoning and proof production. The rpar_ n formulas are compact, permuted encodings of two contradictory parity constraints on n variables, described by Chew and Heule [17]. The mchess_ n formulas are encodings of the mutilated n × n-chessboard problem, as studied by Heule, Kiesl, and Biere [33] as well as Bryant and Heule [13]. The urquhart formulas [16,64] are examples of hard Tseitin formulas.
Lingeling solved each formula by Gaussian elimination almost instantly. We ran Lingeling and Kissat [10], winner of the main track of the SAT competition in 2020, on the benchmarks without Gaussian elimination, as is required for producing clausal refutations, using an Intel Xeon E5-2620 v4 CPU at 2.10 GHz. Only rpar_50 was solved in under about 10 hours, producing significantly larger proofs; for instance, Kissat produced a refutation of size 6911 MB.
While methods to construct clausal proofs from Gaussian elimination have been proposed, most are either lacking a public implementation or are limited in scope [17,55]. An exception is the approach very recently proposed by Gocht and Nordström using pseudo-Boolean reasoning [25], with which we are interested in carrying out a thorough comparison of results in the future.

Conclusion
We presented a characterization of redundancy for Boolean functions, generalizing the framework of clausal redundancy and efficient clausal proof systems. We showed this can be instantiated to design redundancy properties for functions given by BDDs, and polynomially-checkable refutation systems based on the conjunction of redundant BDDs, including the system PR BDD generalizing the clausal system PR. The system PR BDD also generalizes RUP BDD , which can express Gaussian elimination reasoning without extension variables or clausal translations. The results of a preliminary implementation of a subset of RUP BDD confirms such refutations are compact and can be efficiently checked. Examples 2 and 3 show RUP BDD reasoning over cardinality constraints, and we are interested in exploring rules such as generalized resolution [38,39]. Other forms of non-clausal reasoning may be possible using BDD-based redundancy systems as well. We are particularly interested in exploring the property IMP pair .
While the system RUP BDD derives only constraints implied by the conjunction of the formula and previously derived constraints, PR BDD is capable of interference-based reasoning [29], like its clausal analog PR; there are possibly novel, non-clausal reasoning techniques taking advantage of this ability. Further, RUP BDD and PR BDD are based on the conjunction of BDDs, though Theorem 2 is more general and could be used for other ways of expressing Boolean functions. Finally we are interested in developing an optimized tool for checking proofs in the system PR BDD , as well as a certified proof checker.
Proof. By assumption D(X 1 ) ⊆ F , so that by Lemma 2 F implies X 1 by RUP path . Next, for i > 1, either D(X i ) ⊆ F as well, or X n = X j ⊕X k for j, k < n, and then X n is RUP BDD with respect to F ∧ X 1 ∧ · · · ∧ X n−1 by Lemma 3. Thus the sequence of BDDs representing σ = X 1 , . . . , X N is a RUP BDD derivation from F . As |X i | = 2 · s i + 1 for 1 ≤ i ≤ N , then σ has size O(|Π|). � �