EFFICIENT SYMBOLIC COMPUTATION FOR WORD-LEVEL ABSTRACTION FROM COMBINATIONAL CIRCUITS FOR VERIFICATION OVER FINITE FIELDS

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 1 EFFICIENT SYMBOLIC COMPUTATION FOR WORD-LEVEL ABSTRACTION FROM COMBINATIONAL CIRCUITS FOR VERIFICATION OVER FINITE FIELDS Tim Pruss, Priynk Kll, Senior Memer, IEEE, nd Florin Enesu Astrt Astrtion plys n importnt role in digitl design, nlysis nd verifition This pper introdues word-level strtion of the funtion implemented y omintionl logi iruit The strtion provides nonil representtion of the funtion s polynomil Z= F(A) over the finite field F 2 k, where Z, A represent the k-it word-level output nd input of the iruit, respetively This nonil strtion n e utilized for forml verifition nd equivlene heking of omintionl iruits Our pproh to strtion is sed upon onepts from omputtionl ommuttive lger nd lgeri geometry We show tht the strtion Z= F(A) n e derived y omputing Gröner sis of the polynomils orresponding to the iruit, using speifi elimintion term order derived from the iruit s topology Computing Gröner ses using elimintion term orders is infesile for lrge iruits To overome this limittion, we desrie n effiient symoli omputtion to derive the wordlevel polynomil Our lgorithms exploit i) the struture of the iruit, ii) the properties of Gröner ses, iii) hrteristis of finite fields F 2 k, nd iv) modern lgorithms from symoli lger, to derive the nonil polynomil representtion A stndlone ustomized tool is developed tht implements these onepts to derive the polynomil strtion This pproh nd our tool re used to verify (nd detet ugs in) omintionl finite field rithmeti iruits with up to 1024- it opernds wheres ontemporry verifition tehniques re infesile Keywords-Word-Level Astrtion, Forml Verifition, Equivlene Cheking, Gröner Bses, Finite Fields I INTRODUCTION Forml verifition tehniques n enefit gretly from strtions of the funtionlity of the iruits tht re eing verified Astrtions my redue the omplexity of nlysis of the design nd my provide hierrhil view of the register trnsfer level (RTL) whih my id in RTL nd systemlevel verifition Word-level strtion speifilly fouses on extrting word-level representtion of the funtion implemented y gte-level design For instne, it-level representtion of multiplier is represented s olletion of logi gtes nd nets, wheres word-level strtion hides the underlying logi nd represents the funtion with itvetor level inputs nd output, eg Z = A B As the dtpth size of the multiplier grows, the it-level representtion my inrese (possily exponentilly) in size, while the word-level strtion does not hnge It is desirle for the otined word-level strtion to e nonil representtion of the funtion, to filitte forml verifition nd equivlene heking etween speifition (golden) model ginst n optimized implementtion Word-level strtions of iruit loks lso hve pplitions in other res of eletroni design utomtion (EDA), T Pruss nd P Kll (kll@eeuthedu) re with the Dept of Eletril nd Computer Engineering, University of Uth, Slt Lke City, UT 84112 F Enesu is with the Dept of Mthemtis nd Sttistis, Georgi Stte University, Atlnt, GA 30303 This work is supported in prt y the US Ntionl Siene Foundtion grnts CCF-1320335 nd CCF-1320385 suh s in high-level dtpth synthesis [1], resoure llotion [2], omponent mthing nd reuse [3], word-level interpolnts [4], SMT-solving [5], et Due to their mny fundmentl pplitions, it is importnt to investigte vrious forms of word-level funtionl strtions of hrdwre designs long with effiient lgorithmi tehniques to derive them This pper desries method to derive nonil wordlevel polynomil representtion from given gte-level omintionl iruit This strtion polynomil is derived over the finite field of 2 k elements (F 2 k) where k orresponds to the size of the input/output it-vetors (words) nd it represents the funtion implemented y the iruit The iruit is modeled s set of polynomils overf 2 k, nd onepts from omputer-lger nd lgeri geometry (notly, Gröner ses [6] [7]) over finite fields re pplied to derive the strtion An effiient lgorithmi pproh sed on new onepts nd disoveries is desried to mke our pproh prtil The polynomil strtion pproh is sed on the following mthemtil insights: The mthemtil frmework: A omintionl iruit C with k-it inputs nd k-it outputs implements Boolen funtions tht re mppings etween k-dimensionl Boolen spes: f :B k B k, where B={0,1} The funtion f, whih is mpping mong 2 k elements, n lso e onstrued s funtion f :F 2 k F 2 k, ie s funtion over the finite field of 2 k elements It is well-known tht over the finite field (F q ) of q elements, every funtion f :F q F q is polynomil funtion [8] Moreover, there exists unique nonil polynomil F tht desries f Motivted y this fundmentl result, we devise n pproh to derive word-level, nonil, polynomil strtion of the funtion s Z = F(A) over F 2 k, where Z ={z 0,,z k 1 }, A={ 0,, k 1 } re, respetively, the output nd input it-vetors (words) of the iruit C, nd F denotes polynomil representtion of the iruit s funtionlity The pproh is generlized to iruits with different input/output it-vetor sizes, ie funtions of the type f : B n B m, modeled s polynomil over f : F 2 n F 2 m Note tht the funtion f : B k B k n lso e viewed s mpping over finite integer rings Z (mod 2 k ), ie over f : Z 2 k Z 2 k However, not every funtion is polynomil funtion over Z 2 k, so the finite integer ring model is eyond the sope of this pper The polynomil F n e derived y mens of the Lgrnge interpoltion formul [8] [9] However, this requires to nlyze f over the entire field F 2 k, whih is exhustive nd infesile To mke this pproh prtil, we propose symoli method sed on omputer lger nd lgeri geometry to derive the nonil polynomil strtion from the iruit This strtion is employed for forml verifition nd equivlene heking of omintionl iruits C 1,C 2 The iruits n e nlyzed seprtely to derive their orresponding nonil polynomil representtions F 1,F 2, respetively

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 2 Equivlene test is then performed y simply mthing the oeffiients of F 1,F 2 Motivting pplition: While this pproh is theoretilly pplile to ritrry omintionl iruits, the min motivtion to derive this pproh stems from the prolem of hrdwre verifition of ryptogrphy primitives Suh designs perform polynomil omputtions over the finite field F 2 k, where the dtpth size k is very lrge For exmple, the US Ntionl Institute for Stndrds nd Tehnology (NIST) reommends fields F 2 k orresponding to k = 163,233,283,409, nd 571 its for ellipti-urve ryptogrphy (ECC) For other non-ecc sed rypto- nd error-orreting iruits, k n e 1024-its or lrger! The lrge size nd high omplexity of suh rhitetures neessittes hierrhil nd ustom design [10] [11] [12] [13] Custom design rises the potentil for ugs in lrge systems Arithmeti ugs re known to ompromise the seurity of rypto-systems [14]; therefore, forml verifition of suh systems is n impertive Our pproh is prtiulrly powerful for forml verifition of hierrhil nd ustom finite field rithmeti rhitetures, where the speifition (golden) models re struturlly very dissimilr thn their optimized implementtions Contemporry iruit verifition tehniques (eg [15] [16]) re unle to prove equivlene etween suh lrge, ustom, modulo-rithmeti iruits A Approh & Contriutions We nlyze the given iruits nd model the gte-level opertors s polynomils with oeffiients in F 2 k, where k orresponds to the opernd-size in the iruit Using the onepts of Nullstellenstz over finite fields, projetions of vrieties, elimintion idels nd Gröner ses [7], we formulte the polynomil strtion prolem s one of omputing Gröner sis of this set of polynomils, using speifi elimintion term order, lled the strtion term order > Computing Gröner ses using elimintion orders is infesile for lrge iruits To overome this limittion, we present refinement of this strtion term order sed on the topologil nlysis of the iruit This refinement llows us to overome the omplexity of Gröner sis omputtions, nd derive the strtion polynomil using effiient symoli omputtion lgorithms By exploiting the inomil expnsion over F 2 k, we further dedue tht the symoli omputtion prolems so derived exhiit very speil struture tht further simplify our omputtions This tehnique is implemented s stndlone ustom verifition tool for nonil word-level strtion from gte-level omintionl iruits, nd employed for forml verifition nd equivlene heking of finite field rithmeti iruits We demonstrte the pplition of our pproh to verify vriety of finite field rithmeti rhitetures Our pproh n verify, nd lso find ugs in, lrge (up to k = 1024 it) rithmeti iruits, wheres ontemporry verifition tehniques re infesile Our pproh is, however, not effiient for verifition of rndom-logi nd integer rithmeti iruits The pper lso disusses this prtiulr limittion whih is limittion not so muh of our lgorithms, ut rther (theoretil) limittion tht is inherent in the omplexity of the representtion Pper orgniztion: Setion II reviews relted previous work in funtionl strtion, omintionl equivlene heking nd verifition of finite field rithmeti iruits Setion III overs preliminry onepts relted to finite fields, polynomil funtions, nd lgeri geometry Setion IV desries the min theoretil results of our pproh on polynomil strtion from iruits A new, improved, guided pproh to strtion is desried in Setion V Our ustom strtion tool nd experiments re desried in Setion VI The limittions of our pproh re lso nlyzed Finlly, Setion VII onludes the pper II RELATED PREVIOUS WORK Cnonil Representtions: The Redued Ordered Binry Deision Digrm (ROBBD) [17] nd its vrints OKFDDs, ADDs, BMDs, et re nonil DAG representtions of funtions tht re employed in design verifition The vrious deomposition priniples ehind these digrms re sed on point-wise, inry deomposition, wrt eh (Boolen) vrile As suh, these do not fully provide wordlevel strtion pilities from it-level representtions The Tylor Expnsion Digrm (TED) [18] is word-level nonil representtion of polynomil expression, ut it does not represent polynomil funtion nonilly The work of [19] nd [20] represents polynomil funtions nonilly, ut over finite integer rings Z 2 k nd not over F 2 k MODDs [21] re DAG representtion of the hrteristi funtion of iruit over finite fields F 2 k MODDs ome lose to stisfying our requirements s nonil wordlevel representtion tht n e employed over finite fields However, MODDs do not sle well wrt the iruit size MODDs re infesile in representing funtions over lrger thn 32-it words [21] Equivlene Cheking: Modern equivlene hekers employ tehniques sed on And-Invert-Grph (AIG) redutions [15] nd iruit-sat solvers [22] Suh tehniques re le to identify internl struturl equivlenes etween the speifition models (Spe) nd implementtion (Impl) iruits nd redue the instnes for verifition However, when the rithmeti iruits re struturlly very dissimilr, these tehniques re infesile in proving equivlene (Tles I nd II in [16] depit suh experiments) In generl, the pplitions trgeted in this pper re hrd for SAT/SMT solvers Computer lger sed verifition: In [23] [24] [25] [13], the uthors present the BLUEVERI tool from IBM for verifition of finite field error orreting iruits ginst n lgorithmi spe The implementtion onsists of set of (predesigned nd verified) iruit loks tht re interonneted to form the error orreting system The spe is given s set of design onstrints on hek file Their ojetive is to prove the equivlene of the implementtion ginst this hek file, for whih they employ Nullstellenstz nd Gröner sis formultion In their setting, the polynomil representtion of the su-iruit loks is lredy ville, wheres our pproh identifies suh representtion Moreover, improvements to the ore Gröner sis omputtionl engine re not the sujet of their work

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 3 In [26] [16], Lv et l present omputer lger tehniques for forml verifition of finite field rithmeti iruits Given speifition polynomil f, nd iruit C, they formulte the verifition prolem s n idel memership test using Nullstellenstz nd Gröner ses They show tht for ny omintionl iruit, there exists term order (derived from the iruit) tht renders the set of polynomils itself Gröner sis By exploiting this term order, the need for Gröner sis omputtion is voided nd verifition is performed only y polynomil division In ontrst to [16], we re not given the speifition polynomil f Given the iruit C, we hve to derive (extrt) the word-level speifition f Among other relevnt works, [27] desries how to use Gröner sis tehniques to ount the zeros of n idel over F q The uthors then follow-up with n pproh for quntifier elimintion over F q [28] Our prolem formultion employs some of the onepts presented in [27] [28] Computer lger tehniques hve lso een employed for verifition of integer rithmeti iruits [29] [30] Other funtion extrtion tehniques: In [31], the uthors present n pproh to funtion extrtion from it-level iruits using network-flow sed model y interpreting the omputtion s flow of inry dt through the iruit-network, represented s pseudo-boolen expression Improvements to this pproh re desried in [32], where the lgeri trsformtions re guided y nlyzing the struture (leveliztion) of the iruit The extrted signtures re in terms of it-level polynomils nd do not provide wordlevel strtion In [3], the uthors present n pproh tht serhes for liner word-level strtion, with integer oeffiients, using *BMDs However, their pproh is not omplete in the sense tht liner word-level strtion does not lwys exist for ritrry iruits Polynomil Interpoltion: Coneptully, our strtion n e derived using polynomil interpoltion It flls into the tegory of dense interpoltion (s opposed to the lssil multivrite sprse interpoltion prolem, see [33]), s we require polynomil tht desries the funtion t eh of the q points of the fieldf q However, Newton s dense interpoltion exhiits very high omplexity In the logi synthesis nd VLSI testing re, the work of [9] investigtes dense interpoltion Due to its inherently high-omplexity, their pproh is fesile for pplitions over smller fields, eg omputing Reed-Muller forms for multi-vlued logi III PRELIMINARIES A Finite fields nd polynomil funtions A finite field, lso lled Glois field, is field with finite numer of elements It is denoted s F q, where q orresponds to the numer of elements, nd it is lwys power of prime integer ie q= p k where p 2 is prime integer nd k > 0 is positive integer In this work, we re onerned with inry Glois extension fields F 2 k, where p = 2, so tht the field ontins q=2 k elements We use the nottions F q nd F 2 k interhngely, with q lwys tken s 2 k The field F 2 k is onstruted s F 2 k F 2 [x] (mod P(x)), where: i) F 2 ={0,1} denotes the finite field of 2 elements; ii) F 2 [x] is the univrite polynomil ring with oeffiients in F 2 ; nd iii) P(x) denotes n irreduile (or primitive) polynomil in F 2 [x] of degree k F 2 k is k-dimensionl extension of the se field F 2 ; ll the field opertions in F 2 k re performed modulo the irreduile polynomil P(x) nd the oeffiients re redued modulo p=2 (due to whih 1=+1 overf 2 k) In this work, we lwys hoose P(x) to e primitive polynomil nd α s primitive element Any element A F 2 k n e represented s A= 0 + 1 α+ + k 1 α k 1, where i F 2,i=0,,k 1, nd α is root of the primitive polynomil, ie P(α) = 0 Sine k-it vetor { 0,, k 1 } represents 2 k distint vlues, it n e viewed s n element A of F 2 k Exmple 31: Let us onstrut F 2 4 s F 2 [x] (mod P(x)), where P(x) = x 4 + x 3 + 1 F 2 [x] is primitive polynomil of degree k = 4 Let α e root of P(x), ie P(α)=0 Any element A F 2 [x] (mod x 4 + x 3 + 1) hs representtion of the type: A = 3 x 3 + 2 x 2 + 1 x+ 0 where the oeffiients 3,, 0 re in F 2 = {0,1} Sine there re only 16 suh polynomils, we otin the 16 elements of the field F 16 Eh element n then e viewed s 4-it vetor over F 2 : F 16 ={(0000),(0001),(1110),(1111)} Eh element lso hs n exponentil representtion; ll three representtions re shown in Tle I For exmple, onsider the element α 12 Computing α 12 (mod α 4 + α 3 + 1) = α+1 = (0011); hene we hve the three equivlent representtions TABLE I: Bit-vetor, Exponentil nd Polynomil representtion of elements in F 2 4 =F 2 [x] (mod x 4 + x 3 + 1) 3 2 1 0 Exponentil Polynomil 3 2 1 0 Exponentil Polynomil 0000 0 0 1000 α 3 α 3 0001 1 1 1001 α 4 α 3 + 1 0010 α α 1010 α 10 α 3 + α 0011 α 12 α+1 1011 α 5 α 3 + α+1 0100 α 2 α 2 1100 α 14 α 3 + α 2 0101 α 9 α 2 + 1 1101 α 11 α 3 + α 2 + 1 0110 α 13 α 2 + α 1110 α 8 α 3 + α 2 + α 0111 α 7 α 2 + α+1 1111 α 6 α 3 + α 2 + α+1 There my e more thn one primitive polynomils of degree k in F 2 [x], nd ny of them ould e used to onstrut the field F 2 k Finite fields re unique (up to isomorphism) irrespetive of the hosen primitive polynomil For verifition, if the primitive polynomil P(x) is lredy given, we use it for strtion Otherwise, we hoose P(x) of degree k with fewest terms, s the redution (mod P(x)) my result in fewer terms eing generted Polynomil Funtions f : F 2 k F 2 k: Aritrry mppings mong k-it vetors n e onstruted; eh suh mpping genertes funtion f :B k B k Sine every k-it vetor n e onstrued s n element in F 2 k (s shown in the ove exmple), every suh funtion n e viewed s mpping over f :F 2 k F 2 k Importntly, every suh funtion is lso polynomil funtion over F 2 k Theorem 31: (From [8]) Any funtion f : F q F q is polynomil funtion over F q, tht is there exists polynomil F F q [x] suh tht f()=f(), for ll F q By nlyzing f over eh of the q points, one n pply

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 4 Lgrnge s interpoltion formul nd interpolte polynomil F(x)= q n=1 i n (x x i ) i n (x n x i ) f(x n), (1) whih is polynomil of degree t most q 1 in x One n esily see tht F() = f() for ll F q, nd F(x) is therefore the polynomil representtion of the funtion f Exmple 32: Let A = { 2, 1, 0 } nd Z = {z 2,z 1,z 0 } e 3-it vetors Consider the funtion Z[2 : 0] = A[2 : 0] >> 1, ie 1-it right shift opertion on A The funtion mps s follows: { 2 1 0 } A {z 2 z 1 z 0 } Z 000 0 000 0 001 1 000 0 010 α 001 1 011 α+1 001 1 100 α 2 010 α 101 α 2 + 1 010 α 110 α 2 + α 011 α+1 111 α 2 + α+1 011 α+1 By pplying Lgrnge s interpoltion formul overf 2 3, we otin Z=(α 2 +1)A 4 +(α 2 +1)A 2, s the nonil polynomil representtion of the funtion, where P(α)=α 3 + α+1= 0 An importnt property of finite fields is tht for ll elements A F q,a q = A, nd hene A q A = 0 Therefore, the polynomil x q x vnishes on ll points in F q The polynomil x q x is lso referred to s vnishing polynomil of F q Any polynomil F(x) n e redued (mod x q x) to otin nonil representtion F(x) (mod x q x) with degree t most q 1 The result n e generlized s: Definition 31: Any funtion f : F n q F q hs unique nonil representtion (UCR) s polynomil F F q [x 1,,x n ] suh tht ll its nonzero monomils re of the form x i 1 1 x i n where 0 i j q 1, for ll j = 1,,n B Hrdwre designs over F 2 k verified in this pper In ECC, the opertions of enryption, deryption nd uthentition re uilt upon point-ddition nd point-douling opertions on ellipti urves over F 2 k These opertions re implemented s polynomil omputtions (ADD, MULT) over F 2 k [34], s shown elow: Exmple 33: Consider point ddition in López-Dh (LD) projetive oordinte Given n ellipti urve: Y 2 + XYZ = X 3 Z + X 2 Z 2 + Z 4 over F 2 k, where X,Y,Z re k- it vetors tht re elements in F 2 k nd similrly,, re onstnts from the field Let (X 3, Y 3, Z 3 ) = (X 1, Y 1, Z 1 ) + (X 2, Y 2, 1) represent point ddition over the ellipti urve Then X 3, Y 3, Z 3 n e omputed s follows: A= Y 2 Z 2 1 +Y 1; B=X 2 Z 1 + X 1 C=Z 1 B; D=B 2 (C+ Z 2 1 ) Z 3 = C 2 ; E = A C X 3 = A 2 + D+E; F = X 3 + X 2 Z 3 G=X 3 +Y 2 Z 3 ; Y 3 = E F+ Z 3 G Effiient VLSI rhitetures for multiplition nd squring hve een devised [35] [11] [12] [10], whih re employed s modulo-rithmeti nd logi units (malus) in suh ryptosystems [36] We riefly review suh rithmeti rhitetures (2) on whih we hve pplied our strtion sed pproh for verifition Over finite fields F 2 k, multiplition is performed s Z = A B (mod P(x)), where A,B F 2 k re k-it inputs, Z is the k-it output, nd P(x) is the given primitive polynomil The multiplier iruit tkes it-level inputs { 0,, k 1, 0,, k 1 } nd produes output {z 0,,z k 1 }, suh tht A= i=k 1 i=0 i α i, B= i=k 1 i=0 i α i nd Z= i=k 1 i=0 z i α i, where P(α)=0 In one pproh, the it-wise multiplition S = A B is omputed using n rry multiplier rhiteture, nd then the result S is redued (mod P(x)) to otin Z = S (mod P(x)) Suh rhitetures re termed Mstrovito multipliers [35] Mstrovito multipliers re ineffiient, espeilly for ryptosystems where multiplition is often performed repetedly For suh pplitions, Montgomery Redution (MR) opertions re proposed [11] [12] tht ompute: MR(A,B)=A B R 1 (mod P(x)), where A,B re k-it inputs, R is suitly hosen s R=α k, R 1 is multiplitive inverse of R in F 2 k, nd P(x) is the irreduile polynomil Sine MR(A, B) nnot diretly ompute A B (mod P(x)), we need to pre-ompute A R nd B R, s shown in Fig 1 A B R 2 R 2 MR MR A R B R MR A B R MR "1" Fig 1: Montgomery multiplition over F 2 k G=A Z B (mod P) using four MRs In mny non-ecc sed rypto-systems, the dtpth size k n e extremely lrge, eg k=1024 its To overome the omplexity of suh lrge designs, the onept of omposite field rithmeti is used [37] Here, the field F 2 k is deomposed s F (2 m ) n for non-prime k = m n, nd the iruits re designed over the deomposed field This deomposition introdues hierrhy (modulrity) in the design y first lifting the se field fromf 2 to F 2 m, nd then onstrutingf (2 m ) n s n-dimensionl extension of F 2 m Suh iruits omprise m-it F 2 m dders nd multipliers, whih re interonneted together to form k= m n it iruit over F (2 m ) n [10] Exmple 34: An exmple of omposite field multiplier is shown in Fig 2, where multiplition over F 2 4 is deomposed s polynomil omputtions over F (2 2 2 As shown in the ) figure, inputs A = ( 3,, 0 ),B = ( 3,, 0 ) over F 2 4 re first trnsformed into elements A 0,A 1,B 0,B 1 over the se field F 2 2; these re then interonneted (dded nd multiplied) to produe the finl output Z ={Z 0,Z 1 } Assoited with oth Montgomery multipliers nd omposite field iruits is level of hierrhy (modulrity) in design With or without the vilility of this hierrhy informtion, our pproh n e pplied to identify the funtion implemented the given iruit However, when this hierrhy informtion is ville, our pproh n perform strtion hierrhilly nd itertively signifintly improving the effiieny of verifition In this pper, we hve experimented

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 5 A trnsformtion A A + + Z r B trnsformtion B B (10) (10) + Z Z Fig 2: 4-it omposite field multiplier designed over F (2 2 ) 2 with oth flttened ( it-lsted ) nd hierrhil implementtions of the ove multipliers, for oth uggy nd ug-free implementtions C Algeri Geometry nd Symoli Computtion 1) Polynomil rings nd term orderings: We model the given omintionl iruits with set of multivrite polynomils with oeffiients from the finite field F q Let F q [x 1,,x d ] e the polynomil ring in vriles x 1,,x d A monomil in vriles x 1,,x d is power produt of the form X = x e 1 1 xe 2 2 xe d d, where e i Z 0,i {1,,d} A polynomil f F q [x 1,,x d ] is written s finite sum of terms f = 1 X 1 + 2 X 2 + + t X t Here 1,, t re oeffiients nd X 1,,X t re monomils To systemtilly mnipulte the polynomils, monomil order > (lso lled term order) is imposed on the ring The monomils of ny polynomil f = 1 X 1 + 2 X 2 + + t X t re ordered wrt to >, suh tht X 1 > X 2 > >X t Sujet to suh term order, lt( f) = 1 X 1, lm( f) = X 1, l( f) = 1, re the leding term, leding monomil nd leding oeffiient of f, respetively We lso denote til( f ) = f lt( f) = 2 X 2 + + t X t In this work, we will mostly e onerned with terms ordered lexiogrphilly (lex) 2) Polynomil redution: Polynomil redution (division) plys key role in our strtion lgorithms Let f,g e polynomils If non-zero term X of f is divisile y the leding term of g, then we sy tht f is reduile to r modulo g g, denoted f r, where r= f X g Similrly, f n e lt(g) redued (divided) wrt set of polynomils F ={ f 1,, f s } to F otin reminder r This redution is denoted f + r, nd the reminder r hs the property tht no term in r is divisile y the leding term of ny polynomil f i in F 3) Idels, Vrieties & Nullstellenstz: To nlyze the funtion implemented y iruit, we will model the iruit y wy of set of polynomils F = { f 1,, f s }, nd then nlyze the set of ll solutions to f 1 = f 2 = = f s = 0 The set of ll solutions to given system of polynomil equtions f 1 = = f s = 0 is lled the vriety, denoted s V( f 1,, f s ) The vriety depends not just on the given system of polynomils, ut rther on the idel generted y the polynomils Definition 32: An idel J generted y polynomils f 1,, f s F q [x 1,,x d ] is: J = f 1,, f s ={ s i=1 h i f i : h i F q [x 1,,x d ]} The polynomils f 1,, f s form the sis or genertors of J Let =( 1,, d ) F d q e point, nd f F q[x 1,,x d ] e polynomil We sy tht f vnishes on if f()=0 Then, for ny idel J = f 1,, f s F q [x 1,,x d ], the vriety of J over F q is formlly defined s: V Fq (J)= V( f 1,, f s )={ F d q : f J, f()=0} In the ontext of this work, the set of polynomils F = { f 1,, f s } desriing the given iruit genertes n idel J= f 1,, f s F q [x 1,,x d ] The vriety V Fq (J) orresponds to the set of ll evlutions of the iruit Then, to formulte our strtion prolem, we need to onsider the idels of polynomils tht vnish on vriety V Definition 33: For ny V F d q, the idel of polynomils tht vnish on V, lled the vnishing idel of V, is defined s: I(V) = { f F q [x 1,,x d ] : V, f() = 0} Therefore, if polynomil f vnishes on vriety V, then f I(V) Our strtion prolem is formulted using the Strong Nullstellenstz pplied over F q, whih is stted elow The proof of this fundmentl result n e found in Theorem 32 in [27] The nottion of sum of idels is used elow: if I 1 = f 1,, f s nd I 2 = h 1,,h r, then I 1 + I 2 = f 1,, f s, h 1,,h r Moreover, J 0 = x q 1 x 1,,x q d x d is used to denote the idel of ll vnishing polynomils over F q Theorem 32: Strong Nullstellenstz over F q : Let J F q [x 1,,x d ] e n idel, nd let J 0 = x q 1 x 1,,x q d x d e the idel of ll vnishing polynomils Let V Fq (J) denote the vriety of J over F q Then, I(V Fq (J))=J+ J 0 4) Gröner Bses: An idel J my hve mny different genertors: it is possile to hve sets of polynomils F = { f 1,, f s } nd G ={g 1,,g t } suh tht J = f 1,, f s = g 1,,g t nd V(J) = V( f 1,, f s ) = V(g 1,,g t ) Some generting sets re etter thn others, ie they re etter representtion of the idel A Gröner sis is one suh representtion tht possesses mny importnt properties tht llow to solve mny polynomil deision questions In the

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 6 ontext of this work, Gröner ses re utilized s nonil representtion of n idel Definition 34: [Gröner Bsis] [6]: For monomil ordering >, set of non-zero polynomils G={g 1,g 2,,g t } ontined in n idel J, is lled Gröner sis of J iff f J, f 0, there exists i {1,,t} suh tht lm(g i ) divides lm( f); ie, G=GB(J) f J : f 0, g i G : lm(g i ) lm( f) Buherger s lgorithm [38], shown in Algorithm 1, omputes Gröner sis over field Given polynomils F = { f 1,, f s }, the lgorithm omputes the Gröner sis G = {g 1,,g t } The lgorithm tkes pirs of polynomils ( f,g), nd omputes their S-polynomil (Spoly( f, g)): Spoly( f,g)= L lt( f) f L lt(g) g where L = LCM(lm( f),lm(g)) Spoly( f,g) nels the leding terms of f nd g Therefore, the omputtion Spoly( f,g) G + r results in reminder r, whih if non-zero, provides n element with new leding term in the generting set The Gröner sis lgorithm termintes when for ll pirs ( f,g), Spoly( f,g) G + 0 Algorithm 1: Buherger s Algorithm Input: F ={ f 1,, f s } Output: G={g 1,,g t } G := F; repet G := G; for eh pir { f,g}, f g in G do Spoly( f,g) G + r ; if r 0 then G := G {r} ; end end until G=G ; A Gröner sis G my ontin redundnt elements To remove these redundnt elements, G is first mde miniml nd susequently redued Definition 35: A Gröner sis G = {g 1,,g t } for polynomil idel J is miniml when: i) g i G, l(g i ) = 1; ii) i j, lm(g i ) does not divide lm(g j ) To otin miniml GB, ll polynomils g j re removed from G if there exists g i suh tht lm(g i ) lm(g j ) Then the remining elements (g i s) re mde moni y dividing eh g i y l(g i ) This miniml sis is further redued y ensuring tht no term in g j is divisile y the leding term lt(g i ) for ll i j Sujet to >, the redued Gröner sis G={g 1,,g t } is unique nonil representtion of the idel property we utilize for nonil polynomil strtion IV WORD-LEVEL ABSTRACTION USING GRÖBNER BASIS We re given omintionl iruit C with k-it inputs nd outputs, s shown in Fig 3 Our ojetive is to derive nonil word-level strtion polynomil Z = F(A) for the iruit C As disussed efore, one suh strtion exists s polynomil funtion over the Glois field F 2 k We now desrie Gröner sis pproh to derive the strtion polynomil Fig 3: Polynomil strtion from iruit A The Prolem Formultion over F 2 k Bsed on the dtpth size k, q=2 k is hosen to model the iruit s system of polynomils over F q [x 1,,x d,z,a], where {x 1,,x d } orrespond to ll the it-level vriles (nets) in the iruit, Z nd A re the word-level output nd input, respetively To onstrut the field, we hoose primitive polynomil P(x) with the fewest terms, s it simplifies our omputtions Every Boolen logi gte in the iruit C is mpped to polynomil funtion over F 2 ( F 2 k): NOT : +1 (mod 2) AND : (mod 2) OR : ++ (mod 2) XOR : + (mod 2) For exmple, let = represent n AND gte Over F 2, this orresponds to the eqution = ; its polynomil form is, or equivlently + sine 1=1 over F 2 Let { f 1,, f s } denote the set of polynomils derived from every Boolen gte in the iruit Next, the word-level nd itlevel orrespondenes over F 2 k re onsidered s A= k 1 i=0 i α i nd Z = k 1 i=0 z i α i, where P(α)=0 These re represented s polynomils: f A : 0 + 1 α+ + k 1 α k 1 + A f Z : z 0 + z 1 α+ + z k 1 α k 1 + Z Denote the idel generted y ll these polynomils s J = f 1,, f s, f A, f Z The (unknown) word-level strtion of the iruit Z = F(A) n e represented s the speifition (spe) polynomil f : Z + F(A) The genertors of J enpsulte the funtionlity of the iruit Clerly, the spe polynomil f : Z+ F(A) grees with the solutions to the iruit s equtions f 1 = = f s = f A = f Z = 0 In other words, f() = 0 for ll points tht re solutions to f 1 = = f s = f A = f Z = 0 In omputer lger terminology, we sy tht f vnishes on the vriety V Fq (J) This implies tht f I(V Fq (J)), due to Definition 33 Strong Nullstellenstz over Glois fields (Theorem 32) tells us tht I(V Fq (J)) = J+ J 0, where J 0 = x 2 1 x 1,,x 2 d x d,z q Z,A q A is the idel of ll vnishing polynomils in F q [x 1,,x d,z,a] Note tht sine the it-level vriles x 1,,x d tke vlues in F 2, the vnishing polynomil x 2 i x i is used; wheres A q A nd Z q Z re used for the vnishing polynomils in word-level vriles From these results, we dedue tht: Proposition 41: The (unknown) strtion polynomil f : Z+ F(A) is memer of the idel J+ J 0 (3) (4)

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 7 B Astrtion Using Gröner Bsis The vriety V(J+J 0 ) is the set of ll onsistent ssignments to the nets (signls) in the iruit C If we projet this vriety on the word-level input nd output vriles, we essentilly generte the funtion f implemented y the iruit Projetion of vrieties from d-dimensionl spe F d q onto lower dimensionl suspe F d l q orresponds to eliminting l vriles from the orresponding idel Definition 41: (Elimintion Idel) From [7]: Given J = f 1,, f s F q [x 1,,x d ], the lth elimintion idel J l is the idel of F q [x l+1,,x d ] defined y: J l = J F q [x l+1,,x d ] In other words, the lth elimintion idel does not ontin vriles x 1,,x l, nor do the genertors of it Moreover, Gröner ses my e used to generte n elimintion idel y using n elimintion term order One suh ordering is pure lexiogrphi (lex) ordering, whih fetures into the theorem: Theorem 41: (Elimintion Theorem) From [7]: Let J F q [x 1,,x d ] e n idel nd let G e Gröner sis of J with respet to lex ordering where x 1 > x 2 > > x d Then for every 0 l d, the set G l = G F q [x l+1,,x d ] is Gröner sis of the lth elimintion idel J l Exmple 41: Consider polynomils f 1 : x 2 y z 1, f 2 : x y 2 z 1, f 3 : x y z 2 1 nd idel J = f 1, f 2, f 3 C[x, y, z] Let us ompute Gröner sis G of J wrt lex term order with x > y > z Then G = {g 1,,g 4 } is otined s: g 1 : x y z 2 1; g 2 : y 2 y z 2 z; g 3 : 2yz 2 z 4 z 2 ; g 4 : z 6 4z 4 4z 3 z 2 Notie tht the polynomil g 4 ontins only the vrile z, nd it elimintes vriles x, y Similrly, polynomils g 2,g 3,g 4, ontin vriles y,z nd eliminte x Aording to Theorem 41, G 1 = G C[y,z]={g 2,g 3,g 4 } nd G 2 = G C[z] = {g 4 } re the Gröner ses of the 1 st nd 2 nd elimintion idels of J, respetively The ove exmple motivtes our pproh: sine we wnt to derive polynomil representtion from iruit in vriles Z,A, we n ompute Gröner sis of J+ J 0 wrt n elimintion order tht elimintes ll the (d) it-level vriles of the iruit Then the Gröner sis G d = G F q [Z,A] of the d th elimintion idel of J+ J 0 will ontin polynomils in only Z, A We will show tht the desired nonil polynomil representtion f : Z+ F(A) will e found in G d Prolem Setup 41: Given iruit C with k-it inputs nd outputs whih omputes polynomil funtion f :F 2 k F 2 k Let A={ 0,, k 1 } nd Z={z 0,,z k 1 } e the inputs nd outputs of the iruit, respetively, suh tht A= 0 + 1 α+ + k 1 α k 1 nd Z = z 0 + + z k 1 α k 1, where P(α)=0 Let Z = F(A) e the unknown polynomil funtion (spe) implemented y the iruit Denote y x i,i=1,,d, ll the Boolen (it-level) vriles of the iruit Let R=F 2 k[x i,z,a : i = 1, d] denote the orresponding polynomil ring nd let idel J = f 1,, f s, f A, f Z F 2 k[x i,z,a : i = 1d] e generted y the it-level polynomils of the iruit ( f 1,, f s ) nd the word-level designtion polynomils ( f A, f Z ) Let J 0 = x 2 i x i,z 2k Z,A 2k A : i = 1,,d denote the idel of vnishing polynomils in R We define the following term order for this purpose of strtion: Definition 42: Astrtion Term Order >: Using the vrile order {x 1,,x d } > Z > A, impose lex term order > on F q [x 1,,x d,z,a] This term order is defined s the Astrtion Term Order (ATO) > The reltive ordering mong the it-level iruit vriles x 1,,x d is not importnt nd n e hosen ritrrily Theorem 42: Astrtion Theorem: Using the setup nd nottions given in Prolem Setup 41, ompute Gröner sis G of idel J+ J 0 using ATO > Then: 1) G must ontin the vnishing polynomil A q A s the only polynomil with only A s the support vrile; 2) G must ontin polynomil of the form Z+ G(A); 3) Z+ G(A) is suh tht F(A) = G(A), A F q In other words, G(A) nd F(A) re equl s polynomil funtions overf q, nd tht Z= G(A) is polynomil representtion of the iruit C Proof: 1) The vnishing polynomil A q A is given element of the generting set J + J 0 Vrile A is lso the lst vrile in the strtion term order Moreover, A is n input to the iruit, so A is n independent vrile whih n tke ny nd ll vlues in F q Sine only vnishing polynomil ontins s solutions ll points in F q, it follows tht G d+1 = G F q [A]={A q A} 2) Sine f : Z + F(A) is polynomil representtion of the iruit, Z+ F(A) J+ J 0, due to Proposition 41 Therefore, ording to the definition of Gröner sis (Definition 34), the leding term of Z + F(A) (whih is Z) should e divisile y the leding term of some polynomil g i G The only wy lt(g i ) n divide Z is when lt(g i )=Z itself Moreover, due to our strtion (lex) term order, Z > A, so this polynomil must e of the form Z+ G(A) 3) As Z = F(A) represents the funtion of the iruit, Z+ F(A) J+ J 0 Moreover, V(J+ J 0 ) V(Z+ F(A)) Projet this vriety V(J+ J 0 ) onto the o-ordintes orresponding to (A,Z) Wht we otin is the grph of the funtion A F(A) over F 2 k Sine Z+ G(A) is n element of the Gröner sis of J + J 0, V(J + J 0 ) V(Z + G(A)) too Due to this inlusion of vrieties, the points tht stisfy J+ J 0 lso stisfy Z+ G(A) = 0 nd Z+ F(A)=0 Therefore, Z = G(A) gives the sme funtion s Z = F(A), for ll A F 2 k Corollry 41: Let G red = {g 1,,g t } denote the redued Gröner sis of J+ J 0 wrt ATO > Then G red ontins the one nd only polynomil of the form g i : Z+ F(A), suh tht Z = F(A) is the unique, nonil representtion of the funtion f implemented y the iruit Proof: Assume tht there re more thn one polynomils in G red ontining only vriles Z nd A Aording to Theorem 42, one of these polynomils is g i : Z+ G(A) Clerly, lt(g i ) = Z divides the leding term of ll other polynomils g j in vriles (Z,A), s Z > A in ATO All suh polynomils g j s re redundnt nd eliminted from the sis when it is redued to G red Therefore, only one polynomil of the type g i : Z+ F(A) ppers in the redued sis

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 8 Moreover, due to the presene of vnishing polynomils A q A J+J 0, Z+F(A) will e redued (mod A q A) Consequently, Z + F(A) results s the unique, redued, nonil word-level polynomil representtion of the iruit As onsequene of Theorem 42 nd Corollry 41, if we ompute redued Gröner sis G red of J+ J 0 using the strtion term order, we will lwys find the one nd only polynomil of the form Z+ F(A) in the sis, suh tht Z = F(A) is the unique nonil polynomil representtion of the iruit If the iruit ontins multiple word-level inputs A 1,,A n, eh k-it wide, then ATO n e extended to inlude these vriles y imposing lex term order > with {x 1,,x d } > Z > A 1 > > A n Susequently, the redued Gröner sis of J+ J 0 omputed with ATO ontins f : Z + F(A 1,,A n ) s the only polynomil in vriles Z,A 1,,A n, orresponding to the desired strtion The pplition of this pproh is demonstrted using the exmple shown elow Exmple 42: Consider the iruit of Fig 4 Vriles 0, 1, 0, 1 re primry inputs, z 0,z 1 re primry outputs, nd 0, 1, 2, 3,r 0 re intermedite vriles As the iruit ontins 2-it inputs nd outputs, we will strt polynomil Z = F(A,B) over F 2 2 y omputing redued Gröner sis of polynomil derived from the iruit To onstrut F 2 2, we use the primitive polynomil P(x)=x 2 + x+1, with P(α)=0 A B 0 1 0 1 0 3 2 z 1 Fig 4: An ritrry iruit modeled over F(2 2 ) With the mpping rules given in Eqn (3), the Boolen equtions re trnsformed into polynomils over F 2 : 0 = 0 0 f 1 : 0 + 0 0 1 = 0 1 f 2 : 1 + 0 1 2 = 1 0 f 3 : 2 + 1 0 3 = 1 1 f 4 : 3 + 1 1 r 0 = 1 2 f 5 : r 0 + 1 + 2 z 0 = 0 3 f 6 : z 0 + 0 + 3 z 1 = r 0 0 f 7 : z 1 + r 0 + 0 The word-level designtion polynomils re: f A : 0 + 1 α+a; f B : 0 + 1 α+b; f Z : z 0 +z 1 α+z Thus the idel J= f 1,, f 7, f A, f B, f Z is generted y the polynomils derived from the iruit The vnishing polynomils in our system re: 1 f 8 : 2 0+ 0 f 9 : 2 1+ 1 f 10 : 2 0+ 0 f 11 : 2 1+ 1 f 12 : 2 0+ 0 f 13 : 2 1+ 1 f 14 : 2 2+ 2 f 15 : 2 3+ 3 f 16 : r 2 0+ r 0 f 17 : z 2 0 + z 0 f 18 : z 2 1 + z 1 f 19 : A 4 + A f 20 : B 4 + B f 21 : Z 4 + Z r 0 z 0 Z Then J 0 = f 8,, f 21, nd J + J 0 is simply f 1,,f 21, f A, f B, f Z Impose the following strtion term order, ie lex order with {z 0 > z 1 > r 0 > 0 > 1 > 2 > 3 > 0 > 1 > 0 > 1 }> Output Z > Inputs, A > B nd ompute redued Gröner sis G red of J+ J 0 The resulting sis ontins 14 polynomils: g 1 : B 4 + B g 2 : A 4 + A g 3 : Z+(α+1) A 2 B 2 g 4 : 1 + B 2 + B g 14 : z 0 + α A 2 B 2 +(α+1) A B As expeted, the first two polynomils re the vnishing polynomils in word-level inputs nd the polynomil g 3 is the only polynomil in vriles Z, A, B whih represents the polynomil funtion of the iruit C s Z =(α+1) A 2 B2 C Generlizing the pproh for funtions f :F 2 m F 2 n When the word sizes of the inputs nd output of the iruits vry, the funtionlity of the iruit must e nlyzed over n enompssing field Let m e the size of the input itvetor A nd n e with size of the output Z suh tht m n Then the iruit implements funtion over f :F 2 m F 2 n In suh ses, the strtion n e performed over F 2 k where k=lcm(m,n), y virtue of the following result [39] Lemm 41: The field F 2 k F 2 n when n k By seleting k = LCM(m,n), the field F 2 k eomes the smllest single field ontining oth F 2 m nd F 2 n Let α,β nd γ e the primitive elements of F 2 k,f 2 m nd F 2 n, respetively The word-level designtion polynomils now eome: f A : 0 + 1 β+ + m 1 β m 1 + A f Z : z 0 + z 1 γ+ + z n 1 γ n 1 + Z Sine the nlysis is performed over F 2 k, β nd γ must e mpped to α This is omplished y mens of the following result [39], whih n e esily derived y nlyzing the multiplitive group struture of the fields: β=α (2k 1)/(2 m 1) γ=α (2k 1)/(2 n 1) By repling β nd γ in terms of α in Eqn (5), the strtion n e performed s efore y omputing the redued Gröner sis of the idel J + J 0 However, re should e tken to ompose the vnishing polynomils: x 2 i x i for the it-level vriles, A 2m A for the m-it input, nd Z 2n Z for the n-it output Exmple 43: Consider the iruit shown in Fig 5 The input A is 3 its wide while the output Z is 2 its Thus, A F 2 3 nd Z F 2 2 Let β e the primitive element of F 2 3 nd γ e the primitive element of F 2 2, ie A= 0 + 1 β+ 2 β 2 nd Z = z 0 + z 1 γ The funtion F 2 3 F 2 2 must e nlyzed (5) (6)

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 9 0 1 2 s 0 s 1 s 2 Fig 5: Astrtion over iruit with vrying word sizes over F 2 6 sine LCM(2,3)=6, ie F 2 3 nd F 2 2 re susets of F 2 6 Choose P(X)= X 6 +X+1 s the primitive polynomil to onstrut this field, where P(α)=0, nd find β nd γ in terms of α: β=α (26 1)/(2 3 1) = α 9 nd γ=α (26 1)/(2 2 1) = α 21 So the word-level polynomils represented in F 2 6 re: f A : 0 + 1 α 9 + 2 α 18 + A; f Z : z 0 + z 1 α 21 + Z, nd the itlevel polynomils re derived from the iruit s efore Colletively, these generte idel J On the other hnd, in J 0, the vnishing polynomils orresponding to the it-level vriles re inluded s {x 2 i + x i}, wheres the vnishing polynomils of the word-level vriles re omposed ording to their respetive opernd sizes: A 23 + A nd Z 22 + Z Then, y omputing the redued Gröner sis of J+J 0, the word-level strtion of the iruit Z+ F(A) is found to e: Z+ A 6 (α 2 + α)+a 5 (α 4 + α 3 + α)+a 4 (α 2 + α) + A 3 (α 4 + α 3 + α 2 )+A 2 (α 4 + α 3 + α 2 )+A(α 4 + α 3 + α) where α 6 + α+1 = 0 Simulting this polynomil for ll A F 2 3 results in vlues of Z F 2 2 orresponding extly to the funtion implemented y the iruit We hve utilized this generliztion of our model for verifition of omposite field rithmeti iruits Preliminry experiments: Using the results of Theorem 42 nd Corollry 41, we performed some proof-of-onept experiments to evlute the effiy of our pproh to strtion We experimented prtiulrly with Glois field Mstrovito multipliers, nd employed the SINGULAR omputer lger tool [40] to derive the strtion polynomil Z+ A B, using the slimg ommnd to ompute the redued Gröner sis of J+ J 0 using ATO We found tht eyond k=32 it opernds, the redued Gröner sis omputtion explodes in oth time nd spe, nd the strtion eomes infesile Computing Gröner ses using elimintion term orders is infesile for lrge iruits The worst-se time nd spe omplexity of omputing the Gröner sis of J + J 0 in F q [x 1,,x d ] is known to e ounded y q O(d) [27], whih is prohiitive over lrge fields To mke our pproh prtil, we need to overome this omplexity This is desried next V EFFICIENT SEARCH FOR THE ABSTRACTION The forementioned omplexity mkes the omputtion of redued Gröner sis infesile However, our strtion pproh serhes for only one polynomil (Z + F(A)) in the sis This motivtes n investigtion into whether it is possile to guide sequene of Spoly( f,g) J+J 0 + r omputtions to rrive t the desired word-level polynomil, z 0 z 1 without onsidering other polynomils in the generting set For this purpose, we exploit the well-known Buherger s produt riteri: Lemm 51: [Produt Criterion [41]] Let F e ny field, nd f,g F[x 1,,x d ] e polynomils If the equlity lm( f) lm(g)=lcm(lm( f),lm(g)) holds, then Spoly( f,g) G + 0 The ove result sttes tht when the leding monomils of f,g re reltively prime, then Spoly( f,g) lwys redues to 0 modulo the sis G Thus Spoly( f,g) orresponding to the ritil pir ( f,g) need not e onsidered in Buherger s lgorithm Rell tht in the Astrtion Term Order (Definition 42), the reltive ordering mong the it-level iruit vriles x 1,,x d is unimportnt This ordering is now further refined to exploit the produt riteri For this purpose, we drw inspirtions from Proposition 2 in [29] tht shows how to derive term order from the iruit tht mkes leding terms of ll pirs of gte-level polynomils reltively prime Definition 51: Refined Astrtion Term Order > r : Strting from the primry outputs of the iruit C, perform reverse topologil trversl towrd the primry inputs Order eh vrile of the iruit ording to its reverse topologil level: ie x i > x j if x i ppers erlier in the reverse topologil order Impose lex term order > r on F q [x 1,,x d,z,a] with the it-level vriles x 1,,x d ordered reverse topologilly > Z > A This term order > r is lled the refined strtion term order (RATO) Denote F ={ f 1,, f s, f A, f Z } to e the set of polynomils whih genertes the idel J= F nd denote F 0 to e the set of vnishing polynomils whih genertes the idel J 0 = F 0 Let us impose RATO on the ring, nd nlyze the hrteristis of the generting set F F 0 First, we onsider only the it-level polynomils f 1,, f s derived from the logi gtes in the iruit Due to RATO, eh it-level polynomil will e of the form f i = x i + til( f i ), where x i is the output of the orresponding logi gte Sine the sme signl nnot e the output of two or more gtes, eh polynomil pir ( f i, f j ),i j will hve reltively-prime leding terms Consequently, Spoly( f i, f j ) F F 0 + 0 for ll it-level polynomils due to the produt riteri, nd need not e onsidered in the Gröner sis omputtion Also, orresponding to eh it-level polynomil f i = x i + til( f i ), there exists it-level vnishing polynomil x 2 i + x i While their leding terms re not reltively prime, it ws shown in Theorem 61 in [16] tht Spoly( f i,x 2 i + x i) F F 0 + 0 To show this, let us denote til( f i ) = P i so tht f i = x i + P i Also, every vrile x j tht ppers in P i stisfies x i > x j Then Spoly( f i,x 2 i + x i) = x i P i + x i, whih n e redued y the polynomil f i F: (x i P i + x i ) x i+p i xi + P 2 i x i +P i P 2 i + P i Note tht sine P i = til(x i ) ontins only it-level vriles, Pi 2+P i is vnishing polynomil, or Pi 2+P i + 0 Therefore, the S-polynomils Spoly( f i = x i + til( f i ), x 2 i + x i) F F 0 + 0 for ll i=1,,d; so these lso need not e onsidered in the Gröner sis omputtion However, there is one (nd only one) pir of polynomils ( f Z, f zi ) F whih do not hve reltively prime leding F 0

EXTENDED VERSION OF THE PAPER ACCEPTED TO APPEAR IN IEEE TRANS ON CAD, PAPER ACCEPTANCE OCTOBER 2015 10 terms, nd for whih Spoly( f Z, f zi ) F F 0 + r results in new polynomil in the Gröner sis omputtion Here: i) f Z is the word-level designtion polynomil orresponding the output f Z = z 0 + z 1 α+ +z k 1 α k 1 + Z, with some gte output z i s the leding term; nd ii) the polynomil f zi = z i + til( f zi ) models the funtion implemented t the gte, nd lt( f zi )=z i So let us nlyze the reminder r otined s Spoly( f Z, f zi ) F F 0 + r Due to RATO, r does not ontin ny it-level non-primry input vriles of the iruit C, nd it my only depend upon: i) the word-level vriles (Z, A), nd ii) the primry input its ( 0,, k 1 ) To show this, ssume tht r ontins it-level non-primry input vrile x j in term m j Sine there exists polynomil f j = x j +til( f j ) F, lt( f j ) m j, nd ll suh terms m j will e neled during the redution Spoly( f Z, f zi ) F F 0 + r Vriles Z,A never pper s leding terms of ny polynomil in F s they pper lst in RATO Similrly, the it-level primry inputs 0,, k 1 lso never pper s leding terms of ny polynomil in F, s primry inputs re not outputs of ny gte Bsed on the ove disussion, we onlude tht: Proposition 51: Due to RATO, ( f Z, f zi ) is the only ndidte ritil pir to e evluted s Spoly( f Z, f zi ) F,F 0 + r t the strt of Buherger s lgorithm when pplied to our setup Moreover, the otined reminder r is funtion only in vriles 0,, k 1,Z nd A Exmple 51: Let us revisit Exmple 42 nd the orresponding iruit shown in Fig 4 Impose RATO: lex term order with {z 0 > z 1 } > {r 0 > 0 > 3 } > { 1 > 2 } > { 0 > 1 > 0 > 1 } > Z > A Then, the set of polynomils F = { f 1, f 21, f Z, f A, f B } shown in Exmple 42 re lredy represented in RATO Notie tht the pir( f Z, f 6 ) F is the only ritil pir with leding terms tht re not reltively prime Due to Proposition 51, omputing Spoly( f Z, f 6 ) F F 0 + r, we find tht r =(α+ 1) 1 1 +(α+1) 1 B+(α+1) 1 A+Z+(α+1)AB Note tht the reminder r ontins word-level vriles Z, A, B, nd the it-level primry inputs 1, 1 Intermedite it-level vriles (non primry inputs) do not pper in r A Eliminting Bit-Level Vriles The reminder r otined in Prop 51 is funtion of the primry input vriles, in ddition to the word-level vriles In order to derive purely word-level expression, the it-level vriles need to e eliminted from r We now derive funtionl (polynomil) mpping from eh it-level primry input vrile 0,, k 1 to the word-level input vrile A in the form of i = F i (A) Then sustituting eh i = F i (A) in r will result in purely word-level expression These mppings re derived s set of polynomil funtions F ={ f 0,, f k 1 } in the following form: 0 = F 0 (A) f 0 : 0 + F 0 (A) k 1 = F k 1 (A) f k 1 : k 1 + F k 1 (A) where eh F i (A) represents some polynomil funtion of A Due to RATO, terms in { 0,, k 1 }>A, thus the leding terms of f 0,, f k 1 re 0,, k 1, respetively Then r F F 0 + r w ensures tht the new reminder r w must ontin only word-level vriles In other words, r w must e in the form Z + F(A) nd is the nonil word-level polynomil representtion of the iruit Lemm 52: (From [39]) Let α 1,,α t e ny elements in F 2 k Then (α 1 + α 2 + +α t ) 2i = α 2i 1 + α2i 2 + + α2i t for ll integers i 1 Lemm 52 n e pplied to derive the desired mpping We tke the word-level designtion polynomil f A : A= 0 + 1 α+ + k 1 α k 1, nd ompute A 2 j for ll 0 j < k: A= 0 + 1 α+ + k 1 α k 1 A 2 = 2 0 + 2 1 α2 + + 2 k 1 α2(k 1) = 0 + 1 α 2 + + k 1 α 2(k 1) ( 2 i = i ) A 22 = 0 + 1 α 4 + + k 1 α 4(k 1) A 2k 1 = 0 + 1 α 2k 1 + + k 1 α 2k 1 (k 1) These equtions n e represented in mtrix form, A=M, where A=[A,A 2,,A 2k 1 ] T, M is k k mtrix of oeffiients, nd =[ 0,, k 1 ] T : A A 2 A 22 A 2k 1 1 α α 2 α k 1 1 α 2 α 4 α (k 1) 2 = 1 α 4 α 8 α (k 1) 4 1 α 2k 1 α 2 2k 1 α (k 1) 2k 1 0 1 2 k 1 (7) (8) Tret s vetor of k unknowns, M nd A s mtries of onstnts This represents system of k liner equtions in k unknowns { 0,, k 1 } Then F n e derived y solving Eqn (8) using Crmer s rule: i = M i, 0 i k 1 (9) M provided tht M = 0 Here M i orresponds to the mtrix M where the i th olumn [α i,α i 2,,α i 2k 1 ] T in M is repled y the vetor A=[A,A 2,,A 2k 1 ] T Notie tht M in Eqn (8) exhiits speil struture Elements in every row of M form geometri progression; this mkes M Vndermonde mtrix, whose determinnt is omputed with simple formul Definition 52: Let V(x 1,,x n ) denote squre n n mtrix of the form 1 x 1 x 2 1 x n 1 1 1 x 2 x 2 2 x n 1 2 (10) 1 x n x 2 n x n 1 n Then V(x 1,,x n ) is squre Vndermonde Mtrix, the determinnt of whih n e omputed s: V(x 1,,x n ) = (x j x i ) (11) 1 i< j n