Equivalence Verification of Large Galois Field Arithmetic Circuits using Word-Level Abstraction via Gröbner Bases

Transcription

1 Equivalence Verification of Large Galois Field Arithmetic Circuits using Word-Level Abstraction via Gröbner Bases Tim Pruss ECE University of Utah Priyank Kalla ECE University of Utah Florian Enescu Math & Stats Georgia State University ABSTRACT Custom arithmetic circuits designed over Galois fieldsf 2 k are prevalent in cryptography, where the field size k is very large (e.g. k = 571-bits). Equivalence checking of such large custom arithmetic circuits against baseline golden models is beyond the capabilities of contemporary techniques. This paper addresses the problem by deriving word-level canonical polynomial representations from gatelevel circuits as Z =F(A) over F 2 k, where Z and A represent the output and input bit-vectors of the circuit, respectively. Using algebraic geometry, we show that the canonical polynomial abstraction can be derived by computing a Gröbner basis of a set of polynomials extracted from the circuit, using a specific elimination (abstraction) term order. By efficiently applying these concepts, we can derive the canonical abstraction in hierarchically designed, custom arithmetic circuits with up to 571-bit datapath, whereas contemporary techniques can verify only up to 163-bit circuits. Categories and Subject Descriptors B.6.3 [Logic Design]: design aids verification General Terms Verification, Arithmetic Circuits Keywords Hardware Verification, Word-Level Abstraction, Gröbner Bases 1. INTRODUCTION Arithmetic circuits designed over Galois fields of the type F 2 k find application in areas such as hardware security, cryptography, error-correction codes, VLSI testing, among others. In such applications, the field size and thus the circuit data-path size (k) can be very large. For example, the US National Institute for Standards and Technology (NIST) recommends fields F 2 k corresponding to k = 163, 233, 283, 409, and 571, for Elliptic Curve Cryptography (ECC). The large size and high-complexity of such This research is funded in part by NSF grants CCF and CCF Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org. DAC 14 June , San Francisco, CA, USA ACM /14/06...$ architectures necessitates custom hierarchical design [1] [2]. Custom design raises the potential for bugs in the implementation. As bugs can compromise the security of cryptosystems [3], formal verification of Galois field circuits becomes an imperative. Verification of these circuits is very challenging, as custom architectures are usually structurally very dissimilar from the baseline specification (golden) models. Contemporary verification techniques [4] (including the recent approaches targeted for Galois field circuits [5]) are unable to prove equivalence of such large circuits. This paper presents an automatic combinational equivalence verification approach for very large Galois field arithmetic circuits. At the core of our approach is a symbolic method to derive the wordlevel, canonical, polynomial representation from a given combinational circuit. It employs concepts from commutative algebra and algebraic geometry notably, Gröbner bases [6] theory to derive the word-level abstraction. The approach is well-suited to arithmetic circuits that are hierarchically designed and cases where the verification instances are structurally dissimilar. Verification Problem: Given: i) a Galois fieldf 2 k, along with the primitive polynomial P(X) used for its construction; ii) the golden model circuit C 1 (called Spec); iii) the custom implementation C 2 (called Impl), along with any available design hierarchy. Prove or disprove the functional equivalence C 1 C 2 ; i.e. prove whether or not C 1,C 2 implement the same (polynomial) function over F 2 k. To solve this problem, we analyze the circuits C 1,C 2 separately, and derive unique canonical polynomial representationsf 1,F 2, respectively. The equivalence test is then performed by simply matching the coefficients off 1,F 2. The polynomial extraction approach is based on the following novel mathematical insights: The mathematical framework: A combinational circuit C with k- bit inputs and k-bit outputs implements Boolean functions that are mappings between k-dimensional Boolean spaces: f : B k B k, where B = {0,1}. The function f, which is a mapping among 2 k elements, can also be construed as a function over a Galois field of 2 k elements, f :F 2 k F 2 k. There is a well-known textbook result [7] which states that: i) over a Galois field (F q ) of q elements, every function f :F q F q is a polynomial function; and ii) there exists a unique canonical polynomial F that describes f. Motivated by this fundamental result, we devise an approach to derive a word-level, canonical, polynomial abstraction of the function as Z =F(A) over F 2 k, where Z ={z 0,...,z k 1 }, A={a 0,...,a k 1 } are, respectively, the output and input bit-vectors (words) of the circuit, and F denotes a polynomial representation of the circuit s functionality. The approach easily generalizes to circuits with arbitrary number of word-level inputs i.e. (multivariate) functions f :F n 2 k F 2 k represented by a polynomial Z =F(A 1,...,A n ). The polynomial F can be derived by means of the Lagrange interpolation formula [7] [8]. However, this requires to analyze f

2 over the entire field F 2 k, which is exhaustive and infeasible. To make this approach practical, we propose a symbolic method based on computer algebra and algebraic geometry to derive the canonical polynomial abstraction and employ it for design verification. Contributions: Using polynomial abstractions, we analyze the given circuits and model the gate-level Boolean operators as elements of a multivariate polynomial ring with coefficients inf 2 k. By exploiting concepts of Nullstellensatz, Gröbner bases, elimination ideals and projections of varieties [6], we formulate the polynomial abstraction problem as one of computing a Gröbner basis of this set of polynomials, using a specific elimination term order termed as the abstraction term order >. Computing Gröbner bases using elimination orders is infeasible for large circuits. To overcome this limitation, we refine the term order based on a topological analysis of the circuit. Using this refinement, we guide the S-polynomial computations in the Buchberger s algorithm [9] to derive the polynomial representation of the circuit s functionality. This approach identifies the function implemented by the given Galois field arithmetic circuits for verification. We experiment with different architectures of Galois field multipliers and show that: i) when the circuits are given as flattened netlists, we can abstract the polynomial for up to 409-bit NIST specified fields; and ii) when the design hierarchy is available, our approach can identify the polynomial up to 571-bits, i.e. for all NIST-specified Galois fields F 2 k used in ECC. Our approach scales well for practical verification, whereas other techniques [5] fail beyond 163-bit circuits. 2. RELATED PREVIOUS WORK Canonical Representations: The Reduced Ordered Binary Decision Diagram (ROBBD) [10] and its variants FDDs, ADDs, BMDs, etc. are canonical DAG representations of functions that are employed in design verification. The various decomposition principles behind these diagrams are based on point-wise, binary decomposition, w.r.t. each (Boolean) variable. As such, these do not fully provide word-level abstraction capabilities from bitlevel representations. Taylor Expansion Diagrams (TEDs) [11] are a word-level canonical representation of a polynomial expression, but they do not represent a polynomial function canonically. MODDs [12] are a DAG representation of the characteristic function of a circuit over Galois fields F 2 k. MODDs come close to satisfying our requirements as a canonical word-level representation that can be employed over Galois fields. However, MODDs do not scale well w.r.t. the circuit size. MODDs are known to be infeasible in representing functions over larger than 32-bit vectors [12]. Equivalence Checking: Modern equivalence checkers employ techniques based on AIG-based reductions [4] and circuit-sat solvers [13]. Such techniques are able to identify internal structural equivalences between the Spec and Impl circuits and reduce the instances for verification. However, when the arithmetic circuits are structurally very dissimilar, these techniques are infeasible in proving equivalence (Tables I and II in [5] depict such experiments). Word-Level Verification of Galois field circuits: In [14], the authors present the BLUEVERI tool for verification of Galois field circuits for error correcting codes against an algorithmic spec. The implementation consists of a set of (pre-designed and verified) circuit blocks that are interconnected to form the system. Their objective is to prove the equivalence of the implementation against a check file (spec), for which they employ a Nullstellensatz and Gröbner basis formulation. In their setting, the polynomial function representation of the sub-circuit blocks is already available. In [5], Lv et al. present computer algebra techniques for formal verification of Galois field arithmetic circuits. Given a specification polynomial F, and a circuit C, they formulate the verification problem as an ideal membership test using the Gröbner basis theory. Verification is performed by a sequence of divisions modulo the polynomials of the circuit. This approach moves the verification complexity solely to that of polynomial division which results in the size-explosion of intermediate remainders in the division. As a result, their approach does not scale beyond 163-bit circuits. In contrast to [14] [5], we are not given the specification polynomialf. Given the circuit C, we have to derive (extract) the wordlevel specificationf. Moreover, we perform a Gröbner basis computation on a subset of polynomials to derive the abstraction polynomial, which is the reason behind the success of our approach. Polynomial Interpolation: Interpolation can be used to derive a polynomial representation for a function over F 2 k. However, Newton s dense interpolation techniques exhibit very high complexity. While such techniques have been investigated by logic synthesis and testing communities [8], they are feasible only over small fields e.g. for computing Reed-Muller forms for multi-valued logic. 3. PRELIMINARIES Galois fields and Polynomial functions: A Galois field (F q ) is a field with a finite number (q) of elements, where q is a power of a prime integer i.e. q = p k, where p is a prime integer, and k 1. We consider fields where p = 2 and k > 1 i.e. binary Galois extension fields F 2 k as they are employed in hardware implementations of cryptography primitives. To constructf 2 k, we take the polynomial ringf 2 [x], wheref 2 = {0,1}, and an irreducible polynomial P(x) F 2 [x] of degree k, and construct F 2 k as F 2 [x] (mod P(x)). As a result, all field operations are performed modulo the irreducible polynomial P(x) and the coefficients are reduced modulo p=2. Any element A F 2 k can be represented in polynomial form as A=a 0 + a 1 α+ +a k 1 α k 1, where a i F 2,i = 0,...,k 1, and α is a root of the irreducible polynomial, i.e. P(α) = 0. Note that A is essentially represented as a k-bit vector. The field F 2 k can therefore be construed as a k- dimensional vector space over F 2, sof 2 F 2 k. Polynomial Functions f :F 2 k F 2 k: Arbitrary mappings among k-bit vectors can be constructed; each such mapping generates a function f : B k B k. Every such function is also a polynomial function over Galois fields: f :F 2 k F 2 k. THEOREM 3.1. From [7]: Any function f :F q F q is a polynomial function overf q, that is there exists a polynomialf F q [x] such that f(a)=f(a), for all a F q. An important property of Galois fields is that for all elements A F q,a q = A, and hence A q A=0. Therefore, the polynomial X q X vanishes on all points in F q. Consequently, any polynomial F(X) can be reduced (mod X q X) to obtain a canonical representation (F(X) (mod X q X)) with degree at most q 1. DEFINITION 3.1. Any function f :F d q F q has a unique canonical representation (UCR) as a polynomialf F q [x 1,...,x d ] such that all its nonzero monomials are of the form x i 1 1 x i d d where 0 i j q 1, for all j=1,...d. Modulo-multipliers overf 2 k: Over Galois fieldsf 2 k, multiplication is performed as Z = A B (mod P(x)), where A,B F 2 k are k-bit inputs and P(x) is the given irreducible polynomial. The multiplier circuit takes bit-level inputs{a 0,...,a k 1, b 0,...,b k 1 } and produces output Z={z 0,...,z k 1 }, such that A= i=0 i=k 1 a i α i, B= i=0 i=k 1 b i α i and Z = i=0 i=k 1 z i α i. First, the bit-wise multiplication S = A B is computed using an array multiplier architecture, and then the result S is reduced (mod P(x)) to obtain Z= S (mod P(x)). Such architectures are termed Mastrovito multipliers [15].

3 Mastrovito multipliers are inefficient, specially for cryptosystems where multiplication is often performed repeatedly. For such applications, Montgomery reduction operations are proposed [1] [2]. Montgomery reduction () computes: (A,B)=A B R 1 (mod P(x)), where A,B are k-bit inputs, R is suitably chosen as R = α k, R 1 is multiplicative inverse of R in F 2 k, and P(x) is the irreducible polynomial. Since Montgomery reduction cannot directly compute A B (mod P(x)), we need to pre-compute A R and B R, as shown in Fig. 1. A B R 2 R 2 A R B R A B R "1" G=A B (mod P) Figure 1: Montgomery multiplication over F 2 k using four s. Clearly, Montgomery multipliers are hierarchically designed as an interconnection of blocks (Fig. 1). These circuits are structurally dissimilar from the baseline Mastrovito multipliers. In this paper, Mastrovito and Montgomery multipliers are used as Spec and Impl benchmarks, respectively, for equivalence verification. 3.1 Computer Algebra Preliminaries Let F q [x 1,...,x d ] be the polynomial ring with indeterminates x 1,...,x d, where q = 2 k. A monomial is a power product X = x α 1 1 xα 2 2 xα d d, where α i 0,i {1,...,d}. A polynomial f F q [x 1,...,x d ], f 0, is a finite sum of terms f = c 1 X 1 + c 2 X 2 + +c t X t. Here c 1,...,c t are coefficients and X 1,...,X t are monomials. A monomial ordering > is imposed on the ring such that X 1 > X 2 > > X t. Subject to such an ordering, lt( f) = c 1 X 1, lm( f) = X 1, lc( f) = c 1, are the leading term, leading monomial and leading coefficient of f, respectively. Similarly, tail( f ) = c 2 X 2 + +c t X t. Division of a polynomial f by polynomial g gives re- g mainder polynomial r, denoted f + r. Similarly, f can be reduced (divided) w.r.t. a set of polynomials F ={ f 1,..., f s } to ob- F tain a remainder r, denoted f + r, such that no term in r is divisible by the leading term of any polynomial in F. An ideal J generated by polynomials f 1,..., f s F q [x 1,...,x d ] is: J = f 1,..., f s ={ s i=1 h i f i : h i F q [x 1,...,x d ]}. The polynomials f 1,..., f s form the basis or generators of J. Let a=(a 1,...,a d ) F d q be a point, and f F q [x 1,...,x d ] be a polynomial. We say that f vanishes on a if f(a) = 0. For any ideal J = f 1,..., f s F q [x 1,...,x d ], the affine variety of J over F q is: V(J) = {a F d : f J, f(a) = 0}. In other words, the variety corresponds to the set of all solutions to f 1 = = f s = 0. DEFINITION 3.2. For any subset V of F d q, the ideal of polynomials that vanish on V, called the vanishing ideal of V, is defined as: I(V)={ f F q [x 1,...,x d ] : a V, f(a)=0}. Therefore, if a polynomial f vanishes on a variety V, then f I(V). THEOREM 3.2. Strong Nullstellensatz over F q : (From [16]): Let J F q [x 1,...,x d ] be an ideal, and let J 0 = x q 1 x 1,...,x q d x d be the ideal of all vanishing polynomials. Let V Fq (J) denote the variety of J over F q. Then, I(V Fq (J)) = J+ J 0 = J+ x q 1 x 1,..., x q d x d. Gröbner Bases: An ideal J may have many different generators (representations): i.e. F = { f 1,..., f s } and G = {g 1,...,g t } such that J= f 1,..., f s = g 1,...,g t and V(J)= V( f 1,..., f s )= V(g 1,...,g t ). A Gröbner basis is a representation of an ideal which allows to solve many polynomial decision questions. DEFINITION 3.3. [Gröbner Basis] For a monomial ordering >, a set of non-zero polynomials G = {g 1,g 2,,g t } contained in an ideal J, is called a Gröbner basis for J f J, f 0, there exists i {1,,t} such that lm(g i ) divides lm( f); i.e., G= GB(J) f J : f 0, g i G : lm(g i ) lm( f). As a consequence of Definition 3.3, the set G is a Gröbner basis of ideal J if and only if for all f J, dividing f by polynomials of G G gives 0 remainder: G=GB(J) f J, f + 0. Buchberger s algorithm [9], shown in Algorithm 1, computes a Gröbner basis over a field. Spoly( f,g)= L lt( f) f L lt(g) g where L=LCM(lm( f),lm(g)). Note that Spoly( f,g) cancels the leading terms of f,g, and the remainder r obtained in Spoly( f,g) G + r gives a new leading term. A Gröbner basis is computed when all Spoly( f,g) G + 0. A Gröbner basis can be further reduced; a reduced Gröbner basis is a canonical representation of the ideal w.r.t. the set monomial order. Algorithm 1: Buchberger s Algorithm Input: F ={ f 1,..., f s } Output: G={g 1,...,g t } G := F; repeat G := G; for each pair{ f,g}, f g in G do Spoly( f,g) G + r ; if r 0 then G := G {r} ; end end until G=G ; 4. WORD-LEVEL ABSTRACTION USING GRÖBNER BASIS We are given a circuit C with k-bit inputs and outputs that performs a polynomial computation Z = F(A) over F q = F 2 k. Let P(x) be the given irreducible or primitive polynomial used for field construction, and let α be its root, i.e. P(α)=0. Note that we do not know the polynomial representation F(A) and our objective is to identify (the coefficients of) F(A). Let {a 0,...,a k 1 } denote the primary inputs and let {z 0,...,z k 1 } be the primary outputs of C. Then, the word-level and bit-level correspondences are: A=a 0 + a 1 α+ +a k 1 α k 1 ; Z = z 0 + z 1 α+ +z k 1 α k 1 ; (1) We analyze the circuit and model all the gate-level Boolean operators as polynomials in F 2 F 2 k. To this set of Boolean polynomials, append the polynomials of Eqn. (1) that relate the wordlevel and bit-level variables. Denote this set of polynomials as F = { f 1,..., f s } over the ring R = F q [x 1,...,x d,z,a]. Here x 1,...,x d denote, collectively, all the bit-level variables of the circuit i.e. primary inputs, primary outputs and the intermediate circuit variables and Z,A, are the word-level variables. Denote the generated ideal as J = F R. Also, denote the (unknown) specification of the circuit as a polynomial f : Z F(A), or equivalently as f : Z+F(A), as 1=+1 inf 2 k. As Z =F(A), clearly f : Z+F(A) agrees with the solutions to the circuit equations f 1 = = f s = 0. This means that f : Z+ F(A) vanishes on the variety V Fq (J). If f : Z+F(A) vanishes on

4 V Fq (J), then due to Definition 3.2, f : Z+F(A) is a member of the ideal I(V Fq (J)). Strong Nullstellensatz over Galois fields (Theorem 3.2) tells us that I(V Fq (J))=J+ J 0, where J 0 = x 2 1 x 1,...,x 2 d x d,z q Z,A q A is the ideal of all vanishing polynomials in R. From these results, we deduce that: PROPOSITION 4.1. The (unknown) specification polynomial f : Z+F(A) (J+ J 0 ). The variety V Fq (J) is the set of all consistent assignments to the nets (signals) in the circuit C. If we project this variety on the word-level input and output variables of the circuit C, we essentially generate the function f implemented by the circuit. Projection of varieties from d-dimensional space F d q onto a lower dimensional subspace F d l q is equivalent to eliminating l variables from the corresponding ideal. DEFINITION 4.1. (Elimination Ideal) From [6]: Given J = f 1,..., f s F q [x 1,...,x d ], the lth elimination ideal J l is the ideal off q [x l+1,...,x d ] defined by J l = J F q [x l+1,...,x d ]. In other words, the lth elimination ideal does not contain variables x 1,...,x l, nor do the generators of it. Moreover, Gröbner bases may be used to generate an elimination ideal by using an elimination term order. One such ordering is a pure lexicographic ordering, which features into the following theorem: THEOREM 4.1. (Elimination Theorem) From [6]: Let J F q [x 1,...,x d ] be an ideal and let G be a Gröbner basis of J with respect to a lex ordering where x 1 > x 2 > >x d. Then for every 0 l d, the set G l = G F q [x l+1,...,x d ] is a Gröbner basis of the lth elimination ideal J l. EXAMPLE 4.1. Consider polynomials f 1 : x 2 y z 1, f 2 : x y 2 z 1, f 3 : x y z 2 1 and ideal J = f 1, f 2, f 3 C[x,y,z]. Let us compute a Gröbner basis G of J w.r.t. lex term order with x > y > z. Then G = {g 1,...,g 4 } is obtained as: g 1 : x y z 2 1; g 2 : y 2 y z 2 z; g 3 : 2yz 2 z 4 z 2 ; g 4 : z 6 4z 4 4z 3 z 2. Notice that the polynomial g 4 contains only the variable z, and it eliminates variables x, y. Similarly, polynomials g 2,g 3,g 4, contain variables y,z and eliminate x. According to Theorem 4.1, G 1 = G C[y,z]={g 2,g 3,g 4 } and G 2 = G C[z]={g 4 } are the Gröbner bases of the 1 st and 2 nd elimination ideals of J, respectively. The above example motivates our approach: since we want to derive a polynomial representation from a circuit in variables Z, A, we can compute a Gröbner basis of J+ J 0 w.r.t. an elimination order that eliminates all the (d) bit-level variables of the circuit. The Gröbner basis G d = G F q [Z,A] of the d th elimination ideal of (J+ J 0 ) will contain polynomials in only Z,A. PROBLEM SETUP 4.1. Given a circuit C with k-bit inputs and outputs which computes a polynomial function f :F 2 k F 2 k. Let A = {a 0,...,a k 1 } and Z = {z 0,...,z k 1 } be the inputs and outputs of the circuit, respectively, such that A = a 0 + a 1 α+ + a k 1 α k 1 and Z = z 0 + +z k 1 α k 1, where P(α)=0. Let Z = F(A) be the unknown polynomial function implemented by the circuit. Denote by x i,i=1,...,d all the Boolean variables of the circuit. Let R = F 2 k[x i,z,a : i = 1,...d] denote the corresponding polynomial ring and let ideal J F 2 k[x i,z,a : i = 1...d] be generated by the bit-level and word-level polynomials of the circuit. Let J 0 = xi 2 x i,z 2k Z,A 2k A : i=1,...,d denote the ideal of vanishing polynomials in R. DEFINITION 4.2. Abstraction Term Order >: Using the variable order x 1 > x 2 > > x d > Z > A, impose a lex term order > on the polynomial ring R=F q [x 1,...,x d,z,a]. This elimination term order>is defined as the Abstraction Term Order. The relative ordering among x 1,...,x d can be chosen arbitrarily. THEOREM 4.2. Abstraction Theorem: Using the setup and notations from Problem Setup 4.1 above, compute a Gröbner basis G of ideal (J+ J 0 ) using the abstraction term order >. Then: (i) G must contain a polynomial of the form Z+G(A); and (ii) Z+G(A) is such thatf(a)=g(a), A F q. In other words, G(A) andf(a) are equal as polynomial functions over F q. PROOF. (i) Since f : Z+F(A) is a polynomial representation of the circuit, Z+F(A) J+ J 0, due to Proposition 4.1. Therefore, according to the definition of a Gröbner basis (Definition 3.3), the leading term of Z+F(A) (which is Z) should be divisible by the leading term of some polynomial g i G. The only way lt(g i ) can divide Z is when lt(g i )=Z itself. Moreover, due to our abstraction (lex) term order, Z > A, so this polynomial must be of the form Z+G(A). (ii) As Z = F(A) represents the function of the circuit, Z + F(A) J + J 0. Moreover, V(J+ J 0 ) V(Z +F(A)). Project this variety V(J+J 0 ) onto the co-ordinates corresponding to(a,z). What we obtain is the graph of the function A F(A) over F 2 k. Since Z+G(A) is an element of the Gröbner basis of J+J 0, V(J+ J 0 ) V(Z+G(A)) too. Due to this inclusion of varieties, the points that satisfy (J+ J 0 ) also satisfy Z+G(A)=0 and Z+F(A)=0. Therefore, Z =G(A) gives the same function as Z =F(A), for all A F 2 k. COROLLARY 4.1. Computing a reduced Gröbner basis G r of J+J 0, we will obtain one and only one polynomial in G r of the form Z+G(A), such that Z =G(A) is the unique, minimal, canonical representation of the function f implemented by the circuit. As a consequence of Theorem 4.2 and Corollary 4.1, if we compute a reduced Gröbner basis G of J+J 0 using the abstraction term order, we will always find the one and only polynomial of the form Z+G(A) in the Gröbner basis, such that Z =G(A) is the unique canonical polynomial representation of the circuit. The above results trivially extend to circuits with multiple wordlevel input variables A 1,...,A n, and the canonical polynomial representation obtained by computing a reduced Gröbner basis G r of J+ J 0 using>is of the form Z =F(A 1,...,A n ). EXAMPLE 4.2. Demonstration of our approach: Consider the 2-bit multiplier circuit over F 2 2 given in Fig. 2, which implements a polynomial function: Z = A B, Z,A,B F 4. Here, A = a 0 + a 1 α, B=b 0 +b 1 α are the word-level inputs and Z= z 0 +z 1 α is the output in F 4, and P(x) = x 2 + x+1 (given) where P(α) = 0. The Figure 2: A 2-bit Multiplier over F 2 2. The gate corresponds to ANDgate, i.e. bit-level multiplication modulo 2. The gate corresponds to XOR-gate, i.e. addition modulo 2. functionality of the circuit is described using the following polynomials derived from the Boolean gate-level operators: f 1 : z 0 +

5 z 1 α+z; f 2 : b 0 +b 1 α+b; f 3 : a 0 +a 1 α+a; f 4 : s 0 +a 0 b 0 ; f 5 : s 1 +a 0 b 1 ; f 6 : s 2 +a 1 b 0 ; f 7 : s 3 +a 1 b 1 ; f 8 : r 0 +s 1 +s 2 ; f 9 : z 0 + s 0 + s 3 ; f 10 : z 1 + r 0 + s 3. Ideal J = f 1,..., f 10. Generate J 0 as the ideal of vanishing polynomials. Impose the following abstraction term order, i.e. a lex order with circuit variables > Output Z > Inputs, A, B, and compute a Gröbner basis G of J+ J 0. We find the following polynomials in the basis: g 1 : z 0 + z 1 α+z; g 2 : b 0 + b 1 α+b; g 3 : a 0 + a 1 α+a; g 4 : s 3 + r 0 + z 1 ;g 5 : s 1 + s 2 + r 0 ; g 6 : s 0 + s 3 + z 0 ; g 7 : Z+AB; g 8 : a 1 b 1 +a 1 B+b 1 A+z 1 ; g 9 : r 0 +a 1 b 1 +z 1 ; g 10 : s 2 +a 1 b 0, and the polynomials of J 0. The polynomial g 7 : Z+ AB describes Z = AB as the (canonical) polynomial function implemented by the circuit. 5. IMPROVING OUR APPROACH Computing Gröbner bases w.r.t. elimination orders is infeasible for large circuits. The worst-case complexity of computing GB(J+ J 0 ) inf q [x 1,...,x d ] is known to be bounded by q O(d) [16], which is prohibitive over large fields. Therefore, we need to improve our approach to overcome this complexity. Notice that our approach searches for only one polynomial (Z + G(A)) in the Gröbner basis, and it does so by computing the entire Gröbner basis. This motivates us to investigate whether it is possible to guide a sequence of Spoly( f,g) J+J 0 + r computations to arrive at the desired word-level polynomial, without considering other polynomials in the generating set. For this purpose, we exploit the wellknown product criteria: LEMMA 5.1. [Product Criterion [17]] Let f,g F[x 1,,x d ] be polynomials. If the equality lm( f) lm(g)=lcm(lm( f),lm(g)) holds, then Spoly( f,g) G + 0. The above result states that when the leading monomials of f,g are relatively prime, then Spoly( f,g) always reduces to 0 modulo G. Thus Spoly( f,g) need not be considered in Buchberger s algorithm. Recall that in the Abstraction Term Order (Definition 4.2), we have circuit variables x 1,...,x d > Z > A, where the relative ordering among x 1,...,x d is not important. We will now further refine the abstraction term order while exploiting the product criteria. DEFINITION 5.1. Refined Abstraction Term Order> r : Starting from the primary outputs of the circuit C, perform a reverse topological traversal toward the primary inputs. Order each variable of the circuit according to its reverse topological level: i.e. x i > x j if x i appears earlier in the reverse topological order. Impose a lex term order> r onf q [x 1,...,x d,z,a] with circuit variables ordered reverse topologically > Z> A. This term order> r is called the refined abstraction term order (RATO). When RATO is imposed on the set of polynomials F ={ f 1,..., f s }, J = F, it is easy to see that each polynomial in F is of the form f i = x i +P i, where x i is a gate-output and P i = tail( f i ) represents the function implemented by that gate. Moreover, each indeterminate x j that appears in P i satisfies x i > x j (acyclic circuit). Furthermore, each gate output is a leading term of some polynomial in F. Since each gate output is a unique signal, f i = x i + P i and f j = x j + P j have relatively prime leading terms (x i x j ). So, Spoly( f i, f j ) need not be considered in the Gröbner basis computation. However, there is one (and only one) pair of polynomials( f w, f g ) F with leading terms that are not relatively prime: i) the wordlevel polynomial ( f w ) corresponding the outputs: f w = z 0 + z 1 α+ +z k 1 α k 1 + Z, with gate output z 0 as the leading term; and ii) the polynomial f g that models the function at the gate z 0. Due to RATO, Spoly( f w, f g ) J+J 0 + r is the only candidate critical pair to be evaluated at the start of Buchberger s algorithm. Based on these concepts, we devise the following approach to efficiently search for the polynomial function: 1. Impose RATO on the ring. Select the only critical pair( f w, f g ) that does not have relatively prime leading terms, and compute Spoly( f w, f g ) F,F 0 + r. 2. Then r will contain only the following variables: i) the bitlevel primary input variables of the circuit; ii) the word-level output Z; and iii) the word-level input A. The remainder r will not contain any bit-level variable corresponding to the output of any gate in the design; i.e. primary output bits and intermediate variables of the circuit do not appear in r. To prove this, assume that a non-primary-input variable x j appears in a monomial term m j in r. Since there always exists a polynomial f j F such that f j = x j + tail( f j ), lt( f j ) divides monomial m j and m j can be canceled. Therefore, all such terms m j with non-primary-input bit-level variables can be eliminated. 3. Two cases need to be considered: (a) (Case 1:) Remainder r does not even contain the primary input bits. Then, r contains only the word-level variables Z,A. Since RATO is lex with Z > A, the remainder r corresponds to the desired canonical polynomial representation: r : Z+G(A). (b) (Case 2:) Remainder r contains both the bit-level primary input variables (call this set X PI ), as well as the word-level variables. Then, due to Lemma 5.1, we only need to consider the set F = {r, f wi } and F 0 = {xi 2 x i,z q Z,A q A : x i X PI }, where f wi = a 0 + a 1 α+ +a k 1 α k 1 +A is the polynomial that relates the word-level (A) and bit-level inputs {a 0,...,a k 1 }. Compute the reduced Gröbner basis G of F F 0, which is a much simplified computation. Then, G will definitely contain a polynomial of the form Z+G(A), which will be the canonical polynomial representation of the function of the circuit. EXAMPLE 5.1. Consider, again, the example shown in Example 4.2, corresponding to the multiplier circuit of Fig. 2. Impose RATO:{z 0 > z 1 }>{r 0 > s 0 > s 3 }>{s 1 > s 2 }>{a 0 > a 1 > b 0 > b 1 } > Z > A. Then, the polynomials f 1..., f 10 shown in Example 4.2 are already represented in RATO. Assume that the circuit is correct and it has no bugs. Then f 1 and f 9 are the only two polynomials whose leading terms are not relatively prime. Computing Spoly( f 1, f 9 ) F,F 0 + r, we find that r = Z+ A B which is the word-level polynomial representation of the circuit. Now, let us introduce a bug in the design. Replace the polynomial f 8 : r 0 + s 1 + s 2 in F with f 8 : r 0 + s 0 + s 2 (bug introduced). Computing Spoly( f 1, f 9 ) F,F 0 + r, we find that r = αa 1 b 1 +(α+ 1)a 1 B+b 1 A+Z+(α+1)AB. Note that in addition to word-level variables Z,A,B, we also have bit-level primary inputs a 1,b 1 in r. Moreover, all other polynomials in F have leading terms that are relatively prime w.r.t. lt(r). Now we take F = {r, a 0 + a 1 α+a, b 0 + b 1 α+b} and F 0 = {a 2 0 a 0,a 2 1 a 1,b 2 0 b 0,b 2 1 b 1,A 4 A,B 4 B,Z 4 Z} and compute the reduced Gröbner basis G of F F 0. We find the polynomial Z+(α) A 2 B 2 + A 2 B+(α+1) A B 2 +(α+1) A B in G which is indeed the polynomial representation of the buggy circuit!

6 6. EXPERIMENTAL RESULTS Using the approach described in Section 5, we have performed experiments to prove equivalence between Mastrovito (C 1 ) and Montgomery (C 2 ) multiplier circuits. The Mastrovito multiplier, baseline golden model (Spec), is provided as a bit-blasted/flattened gatelevel netlist. The (Impl) is given as the hierarchically designed Montgomery multiplier, as shown in Fig. 1; i.e. each block is given as a flattened gate-level netlist, and these blocks are interconnected to construct the multiplier circuit. For equivalence checking using AIG and SAT-based methods, a miter is constructed between Spec and Impl, and the ABC tool [4] and CSAT solver [13] are used. These tools cannot prove equivalence beyond 16-bit multiplier circuits within 24-hours; none of the NIST-specified ECC circuits can be verified. This is exactly the same observation made by the authors of [5] (cf. Table I & II in [5]). When we apply the approach of [5], we are able to prove equivalence only up to 163-bit multipliers, beyond which the verification tool of [5] runs into a memory explosion. We apply our abstraction-based approach to derive the canonical word-level polynomials F 1,F 2 from circuits C 1,C 2 and then prove equivalence by checking if F 1 =F 2 (coefficient matching). First, we use the SINGULAR computer algebra tool [18] to derive the polynomial abstraction by computing a full Gröbner basis of J+ J 0 (using the slimgb command), and find that the technique is infeasible (memory explosion) beyond only 32-bit circuits; as the full Gröbner basis using elimination orders is extremely large. Finally, we apply the approach presented in Section 5 to specifically guide the search for the abstraction polynomial. Since this approach constitutes only a sequence of polynomial divisions, we exploit an F4-style reduction approach, described in [5] (Section 7), for which we built a custom tool. All experiments are conducted on Intel Xeon 6-core CPU running Scientific Linux 6.2 x86_64 with 96GB RAM. Timeout limit for all experiments, for all tools, was restricted to 24 hours. Table I depicts the time required to derive the polynomial abstraction from Mastrovito circuits. The tool takes the circuit as input, performs a reverse topological traversal to determine RATO, applies the approach presented in Section 5 and derives the polynomial representation Z = A B. For up to 409-bit multipliers, with 508K gates, our approach is successful. Table II depicts the results for Montgomery multipliers. In the table, BLK A and B denote the input blocks, BLK Mid denotes the middle block and BLK Out is the output block. While each block is an block, some have been simplified by constant-propagation (recall, R=α k ), hence they have different sizes. First, a polynomial is extracted for each block (gate-level to word-level abstraction), and then the approach is re-applied at word-level to derive the input-output relation (solved trivially in < 1 second). Our approach can extract the word-level polynomial for up to 571-bit circuits! Table 1: Abstraction of Mastrovito multipliers. Time given in seconds, memory given in MB. TO = 24 hours. Size (k) # of Gates 153K 167K 399K 508K 1.6M Our tool Time 4,351 5,777 40,114 72,708 TO Max Mem CONCLUSION This paper has presented a technique to derive a word-level, canonical polynomial representation from a circuit by modeling the function over the Galois fieldf 2 k. We show that this can be achieved by computing a Gröbner basis of the ideal generated by the constraints Table 2: Abstraction of Montgomery blocks. Time given in seconds, memory is given in MB Circuit Size (k) Blk A 33K 55K 82K 168K 330K # of Gates Blk B 33K 55K 82K 168K 330K Blk Mid 85K 163K 241K 502K 980K Blk Out 32K 54K 81K 168K 328K Blk A ,011 5,084 14,288 Blk B ,058 5,381 12,298 Time Blk Mid 264 1,014 5,085 20,294 47,364 Our Tool Blk Out ,032 3,243 13,508 Total Time 636 1,909 8,186 34,002 87,458 Max Mem derived from the circuit using an elimination term order. To overcome the complexity of computing the Gröbner basis, we have proposed a refinement of the abstraction term order, using which we can more efficiently guide the search for the word-level polynomial abstraction. Using our approach, we can identify the polynomial function and thus prove the correctness of Galois field multiplier circuits with up to 571-bit data-path size. 8. REFERENCES [1] C. K. Koc and T. Acar, Montgomery Multiplication in GF(2 k ), Designs, Codes and Cryptography, vol. 14, pp , [2] Huapeng Wu, Montgomery Multiplier and Squarer for a Class of Finite Fields, IEEE Transactions On Computers, vol. 51, May [3] E. Biham, Y. Carmeli, and A. Shamir, Bug Attacks, in Proceedings on Advances in Cryptology, pp , [4] A. Mishchenko, S. Chatterjee, R. Brayton, and N. Een, Improvements to Combinational Equivalence Checking, in Proc. Intl. Conf. on CAD (ICCAD), pp , [5] J. Lv, P. Kalla, and F. Enescu, Efficient Gr bner Basis Reductions for Formal Verification of Galois Field Arithmetic Circuits, in IEEE Trans. on CAD, vol. 32, pp , [6] D. Cox, J. Little, and D. O Shea, Ideals, Varieties and Algorithms, Springer-Verlag, [7] Rudolf Lidl and Harald Niederreiter, Finite Fields, Cambridge University Press, [8] Z. Zilic and Z. Vranesic, A deterministic multivariate interpolation algorithm for small finite fields, IEEE Trans. Comp., vol. 51, [9] B. Buchberger, Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal, PhD thesis, Philosophiesche Fakultät an der Leopold-Franzens-Universität, Austria, [10] R. E. Bryant, Graph Based Algorithms for Boolean Function Manipulation, IEEE Trans. on Comp., vol. C-35, pp , [11] M. Ciesielski, P. Kalla, and S. Askar, Taylor Expansion Diagrams: A Canonical Representation for Verification of Data-Flow Designs, IEEE Transactions on Computers, vol. 55, pp , [12] A. Jabir et al., A Technique for Representing Multiple Output Binary Functions with Applications to Verification and Simulation, IEEE Trans. on Comp., vol. 56, pp , [13] F. Lu, L. Wang, K. Cheng, and R. Huang, A Circuit SAT Solver With Signal Correlation Guided Learning, in IEEE Design, Automation and Test in Europe, pp , [14] A. Lvov, L. Lastras-Montaño, V. Paruthi, R. Shadowen, and A. El-Zein, Formal Verification of Error Correcting Circuits using Computational Algebraic Geometry, in Proc. Formal Methods in Computer-Aided Design (FMCAD), pp , [15] E. Mastrovito, VLSI Designs for Multiplication Over Finite Fields GF(2 m ), Lecture Notes in CS, vol. 357, pp , [16] S. Gao, Counting Zeros over Finite Fields with Gröbner Bases, Master s thesis, Carnegie Mellon University, [17] B. Buchberger, A criterion for detecting unnecessary reductions in the construction of a groebner bases, in EUROSAM, [18] W. Decker, G.-M. Greuel, G. Pfister, and H. Schönemann, SINGULAR A computer algebra system for polynomial computations, 2011,