Hardware Datapath Verification using Commutative Algebra and Algebraic Geometry

Transcription

1 Hardware Datapath Verification using Commutative Algebra and Algebraic Geometry Priyank Kalla Associate Professor Electrical and Computer Engineering, University of Utah A tutorial presented at the joint session of SAT, DIFTS and FMCAD 2015 Research funded in part by the US National Science Foundation

2 The Core Message of the Tutorial Modern Algebraic Geometry Study of the zeros of multivariate polynomials Infeasible to enumerate the solutions Reason about various properties of the solution-sets Employ techniques that lie at the cross-roads of number-theory, commutative algebra, geometry Use of Gröbner bases as a powerful reasoning engine Hardware datapaths possess structure and symmetry in the problem Gröbner bases help identify this structure/symmetry Exploit this structure/symmetry to engineer domain-specific implementations for datapath verification Enables verification of hard datapath verification problems P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 2 / 54

3 Tutorial Objective and Agenda Formal verification of datapath implementations (RTL) Word-level abstractions from designs, symbolic techniques Model bit-precise semantics at word-level Applications: Cryptography, Error Control Circuits, Signal Processing P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 3 / 54

4 Tutorial Objective and Agenda Formal verification of datapath implementations (RTL) Word-level abstractions from designs, symbolic techniques Model bit-precise semantics at word-level Applications: Cryptography, Error Control Circuits, Signal Processing Equivalence check: specification (Spec) vs implementation (Impl) Spec and Impl: same function? RTL: functions over k-bit vectors k-bit vector Boolean domain B k k-bit vector integers (mod 2 k ) = Z 2 k k-bit vector Galois (Finite) field F 2 k P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 3 / 54

5 Tutorial Objective and Agenda Formal verification of datapath implementations (RTL) Word-level abstractions from designs, symbolic techniques Model bit-precise semantics at word-level Applications: Cryptography, Error Control Circuits, Signal Processing Equivalence check: specification (Spec) vs implementation (Impl) Spec and Impl: same function? RTL: functions over k-bit vectors k-bit vector Boolean domain B k k-bit vector integers (mod 2 k ) = Z 2 k k-bit vector Galois (Finite) field F 2 k Approach: Computer Algebra Techniques Model: Polynomial functions over f : Z 2 k Z 2 k or f : F 2 k F 2 k Devise decision procedures for polynomial function equivalence Commutative algebra, algebraic geometry + contemporary verification P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 3 / 54

6 Verification of Galois field circuits Wide applications of Galois field (GF) circuits Cryptography: RSA, Elliptic Curve Cryptography (ECC) Error Correcting Codes, Digital Signal Processing, etc. P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 4 / 54

7 Verification of Galois field circuits Wide applications of Galois field (GF) circuits Cryptography: RSA, Elliptic Curve Cryptography (ECC) Error Correcting Codes, Digital Signal Processing, etc. Bugs in GF arithmetic circuits can leak secret keys Biham et al., Bug Attacks, Crypto 2008 [1] P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 4 / 54

8 Verification of Galois field circuits Wide applications of Galois field (GF) circuits Cryptography: RSA, Elliptic Curve Cryptography (ECC) Error Correcting Codes, Digital Signal Processing, etc. Bugs in GF arithmetic circuits can leak secret keys Biham et al., Bug Attacks, Crypto 2008 [1] Target problems Given Galois field F 2 k, polynomial f, and circuit C Verify: circuit C implements f; or find the bug Given circuit C, with k-bit inputs and outputs Derive a polynomial representation for C over f : F 2 k F 2 k Word-level abstraction as a canonical polynomial representation P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 4 / 54

9 Verification of Galois field circuits Wide applications of Galois field (GF) circuits Cryptography: RSA, Elliptic Curve Cryptography (ECC) Error Correcting Codes, Digital Signal Processing, etc. Bugs in GF arithmetic circuits can leak secret keys Biham et al., Bug Attacks, Crypto 2008 [1] Target problems Given Galois field F 2 k, polynomial f, and circuit C Verify: circuit C implements f; or find the bug Given circuit C, with k-bit inputs and outputs Derive a polynomial representation for C over f : F 2 k F 2 k Word-level abstraction as a canonical polynomial representation Solutions employing Nullstellensatz over F 2 k + Gröbner Basis methods Focus: Techniques and implementations to address scalability Term-orders, custom F 4 -style reduction P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 4 / 54

10 Galois Field Overview Galois field F q is a finite field with q elements, q = p k,p = prime 0, 1 elements, associate, commutative, distributive laws Closure property: +,,, inverse ( ) Our interest: F q = F 2 k (q = 2 k ) F 2 k: k-dimensional extension of F 2 = {0,1} k-bit bit-vector, AND/XOR arithmetic Efficient crypto-hardware implementations To construct F 2 k F 2 k F 2 [x] (mod P(x)) P(x) F 2 [x], irreducible polynomial of degree k Operations performed (mod P(x)) and coefficients reduced (mod 2) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 5 / 54

11 Example Field Construction: F 8 Construct: F 2 3 = F 2 [x] (mod P(x) = x 3 +x +1) Consider any polynomial A(x) F 2 [x] A(x) (mod x 3 +x +1) = a 2 x 2 +a 1 x +a 0. Let P(α) = 0: a 2,a 1,a 0 = 0,0,0 = 0 a 2,a 1,a 0 = 0,0,1 = 1 a 2,a 1,a 0 = 0,1,0 = α a 2,a 1,a 0 = 0,1,1 = α+1 a 2,a 1,a 0 = 1,0,0 = α 2 a 2,a 1,a 0 = 1,0,1 = α 2 +1 a 2,a 1,a 0 = 1,1,0 = α 2 +α a 2,a 1,a 0 = 1,1,1 = α 2 +α+1 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 6 / 54

12 Polynomial Functions f : F q F q Every function is a polynomial function over F q Consider 1-bit right-shift operation Z[2 : 0] = A[2 : 0] >> 1 {a 2 a 1 a 0 } A {z 2 z 1 z 0 } Z α α α α 101 α α 110 α 2 +α 011 α α 2 +α α+1 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 7 / 54

13 Polynomial Functions f : F q F q Every function is a polynomial function over F q Consider 1-bit right-shift operation Z[2 : 0] = A[2 : 0] >> 1 {a 2 a 1 a 0 } A {z 2 z 1 z 0 } Z α α α α 101 α α 110 α 2 +α 011 α α 2 +α α+1 Z = (α 2 +1)A 4 +(α 2 +1)A 2 over F 2 3 where α 3 +α+1 = 0 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 7 / 54

14 Verification Application: Elliptic Curve Cryptography Encryption, Decryption & Authentication using point addition: P + Q = R y 2 +xy = x 3 +ax 2 +b over F 2 k R Compute Slope: y 2 y 1 x 2 x 1 P Q R = P + Q Computation of inverses over F 2 k is expensive R P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 8 / 54

15 Point addition using Projective Co-ordinates Curve: Y 2 +XYZ = X 3 Z +ax 2 Z 2 +bz 4 over F 2 k Let (X 3, Y 3, Z 3 ) = (X 1, Y 1, Z 1 ) + (X 2, Y 2, 1) A = Y 2 Z1 2 +Y 1 B = X 2 Z 1 +X 1 C = Z 1 B D = B 2 (C +az1 2 ) Z 3 = C 2 E = A C X 3 = A 2 +D +E F = X 3 +X 2 Z 3 G = X 3 +Y 2 Z 3 Y 3 = E F +Z 3 G P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 9 / 54

16 Point addition using Projective Co-ordinates Curve: Y 2 +XYZ = X 3 Z +ax 2 Z 2 +bz 4 over F 2 k Let (X 3, Y 3, Z 3 ) = (X 1, Y 1, Z 1 ) + (X 2, Y 2, 1) A = Y 2 Z1 2 +Y 1 B = X 2 Z 1 +X 1 C = Z 1 B D = B 2 (C +az1 2 ) Z 3 = C 2 E = A C X 3 = A 2 +D +E F = X 3 +X 2 Z 3 G = X 3 +Y 2 Z 3 Y 3 = E F +Z 3 G No inverses, just addition and multiplication Verify ECC hardware primitives: circuits for GF Multiplication and exponentiation Challenge: Large datapath size, from k = 163-bits to bits P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 9 / 54

17 Field polynomials of F q Theorem (Fermat s Little Theorem over F q ) For any element α F q, then α q = α. Vanishing Polynomials The polynomial (x q x) vanishes (= 0) on all points in F q. We call (x q x) a vanishing polynomial of F q. P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 10 / 54

18 Computer Algebra Terminology Let F q = GF(2 k ), and F q be its closure F q [x 1,...,x n ]: ring of all polynomials with coefficients in F q Polynomial f = c 1 X 1 +c 2 X 2 + +c t X t Coefficients c i, monomial X = x α1 1 x α2 2 xn αn,α i Z 0 A monomial ordering is imposed on the ring, so f : X 1 > X 2 > > X t Leading term lt(f) = c 1 X 1, tail(f) = c 2 X 2 + +c t X t Leading coefficient lt(f) = c 1 and leading monomial lm(f) = X 1 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 11 / 54

19 Computer Algebra Terminology Let F q = GF(2 k ), and F q be its closure F q [x 1,...,x n ]: ring of all polynomials with coefficients in F q Polynomial f = c 1 X 1 +c 2 X 2 + +c t X t Coefficients c i, monomial X = x α1 1 x α2 2 xn αn,α i Z 0 A monomial ordering is imposed on the ring, so f : X 1 > X 2 > > X t Leading term lt(f) = c 1 X 1, tail(f) = c 2 X 2 + +c t X t Leading coefficient lt(f) = c 1 and leading monomial lm(f) = X 1 Example: f = 2x 2 yz +3xy 3 2x 3 LEX with x > y > z : f = 2x 3 +2x 2 yz +3xy 3 DEGLEX with x > y > z : f = 2x 2 yz +3xy 3 2x 3 DEGREVLEX with x > y > z : f = 3xy 3 +2x 2 yz 2x 3 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 11 / 54

20 Computer Algebra Terminology Let F q = GF(2 k ), and F q be its closure F q [x 1,...,x n ]: ring of all polynomials with coefficients in F q Polynomial f = c 1 X 1 +c 2 X 2 + +c t X t Coefficients c i, monomial X = x α1 1 x α2 2 xn αn,α i Z 0 A monomial ordering is imposed on the ring, so f : X 1 > X 2 > > X t Leading term lt(f) = c 1 X 1, tail(f) = c 2 X 2 + +c t X t Leading coefficient lt(f) = c 1 and leading monomial lm(f) = X 1 Example: f = 2x 2 yz +3xy 3 2x 3 LEX with x > y > z : f = 2x 3 +2x 2 yz +3xy 3 DEGLEX with x > y > z : f = 2x 2 yz +3xy 3 2x 3 DEGREVLEX with x > y > z : f = 3xy 3 +2x 2 yz 2x 3 Leading terms lt(f) play an important role P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 11 / 54

21 Polynomial Division as Cancellation of Terms Divide f = x 3 2x 2 +2x +8 by g = 2x 2 +3x +1 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 12 / 54

22 Polynomial Division as Cancellation of Terms Divide f = x 3 2x 2 +2x +8 by g = 2x 2 +3x x 7 4 2x 2 +3x +1 ) x 3 2x 2 +2x +8 x x2 1 2 x 7 2 x x x x x P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 12 / 54

23 Polynomial Division as Cancellation of Terms Divide f = x 3 2x 2 +2x +8 by g = 2x 2 +3x x 7 4 2x 2 +3x +1 ) x 3 2x 2 +2x +8 x x2 1 2 x 7 2 x x x x x The key step in division: r = f lt(f) lt(g) g, denoted f g r Similarly divide f by a set of polynomials F = {f 1,...,f s } f 1,...,f s Denoted: f + r Remainder r is reduced: no term in r is divisible by lt(f i ) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 12 / 54

24 Varieties We will model the circuit with a set of polynomials F = {f 1,...,f s } In verification, we need solutions to the system of equations: f 1 = 0 f 2 = 0. f s = 0 Variety: Set of ALL solutions to a given system of polynomial equations: V(f 1,...,f s ) Variety depends on the ideal generated by the polynomials Reason about the Variety by analyzing the Ideals P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 13 / 54

25 Ideals in Rings Definition Ideals of Polynomials: Let f 1,f 2,...,f s F q [x 1,...,x n ]. Let J = f 1,f 2...,f s = {f 1 h 1 +f 2 h 2 + +f s h s : h i F q [x 1,...,x n ]} J = f 1,f 2...,f s is an ideal generated by f 1,...,f s and the polynomials are called the generators. Definition Ideal Membership: Let f,f 1,f 2,...,f s F q [x 1,...,x n ]. Let J = f 1,f 2...,f s be an ideal F q [x 1,...,x n ]. If f = f 1 h 1 +f 2 h 2 + +f s h s, then f J. Let f 1 (a) = f 2 (a) = = f s (a) = 0; if f f 1,...,f s then f(a) = 0 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 14 / 54

26 Ideal Membership Test Requires a Gröbner Basis Different generators can generate the same ideal f 1,,f s = = h 1,...,h r = = g 1,,g t, such that V(f 1,...,f s ) = V(h 1,...,h r ) = V(g 1,...,g t ) Some generators are a better representation of the ideal A Gröbner basis is a canonical representation of an ideal P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 15 / 54

27 Ideal Membership Test Requires a Gröbner Basis Different generators can generate the same ideal f 1,,f s = = h 1,...,h r = = g 1,,g t, such that V(f 1,...,f s ) = V(h 1,...,h r ) = V(g 1,...,g t ) Some generators are a better representation of the ideal A Gröbner basis is a canonical representation of an ideal Definition (Gröbner Basis) G = {g 1,...,g t } = GB(J) f J, g i s.t. lm(g i ) lm(f) Definition (Gröbner Basis for Ideal Membership Test) G = GB(J) f J,f g 1,g 2,,g t + 0 Implies a decision procedure for ideal membership P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 15 / 54

28 Buchberger s Algorithm Computes a Gröbner Basis Buchberger s Algorithm INPUT : F = {f 1,...,f s }, and term order > OUTPUT : G = {g 1,...,g t } G := F; REPEAT G := G For each pair {f,g},f g in G DO S(f,g) G + r IF r 0 THEN G := G {r} UNTIL G = G S(f,g) = L lt(f) f L lt(g) g L = LCM(lm(f),lm(g)), lm(f): leading monomial of f P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 16 / 54

29 Gröbner basis for Verification Intuitively: Given a property to verify: f Polynomials corresponding to the circuit: f 1,...,f s Generate ideal J = f 1,...,f s Formulate verification test: Is f J? Compute Gröbner basis G = GB(J) = {g 1,...,g t } g 1,...,g t Test if f + 0? P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 17 / 54

30 Gröbner basis for Verification Intuitively: Given a property to verify: f Polynomials corresponding to the circuit: f 1,...,f s Generate ideal J = f 1,...,f s Formulate verification test: Is f J? Compute Gröbner basis G = GB(J) = {g 1,...,g t } g 1,...,g t Test if f + 0? However, it is not sufficient to analyze ideal J, but analyze ideal I(V(J)) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 17 / 54

31 Need to Analyze I(V(J)) Consider ideal J = x 2,y 2 with V(J) = (0,0) Let f(x,y) = x +y, then f(0,0) = 0; i.e. f vanishes on V(J) But f / J, as no combination of x 2,y 2 can generate x +y So, f I(V(J)). P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 18 / 54

32 I(V(J)) and Nullstellensatz Definition (Ideals of polynomials that vanish on V) Given an ideal J = f 1,...,f s R = F q [x 1,...,x n ], let V(J) be its variety. Then: I(V(J)) = {f R : f(a) = 0 a V(J)} If f vanishes on V(J), then f I(V(J)) Given ideal J, not easy to find I(V(J)) [unless operating over F q ] Theorem (Strong Nullstellensatz over F q ) Over Galois fields F q, I(V Fq (J)) = J +J 0, where: J = f 1,...,f s is an arbitrary ideal J 0 = x q 1 x 1,...,x q n x n is the ideal of vanishing polynomials in F q Proof: I(V Fq (J)) = I(V Fq (J +J 0 )) = J +J 0 = J +J 0 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 19 / 54

33 Verification Formulation: The Mathematical Problem Given specification polynomial: f : Z = A B (mod P(x)) over F 2 k, for given k, and given P(x), s.t. P(α) = 0 Given circuit implementation C Primary inputs: A = {a 0,...,a k 1 },B = {b 0,...,b k 1 } Primary Output Z = {z 0,...,z k 1 } A = a 0 +a 1 α+a 2 α 2 + +a k 1 α k 1 B = b 0 +b 1 α+ +b k 1 α k 1, Z = z 0 +z 1 α+ +z k 1 α k 1 Does the circuit C implement f? Mathematically: Model the circuit (gates) as polynomials: f 1,...,f s J = f 1,...,f s F 2 k[x 1,...,x n ] Does f agree with solutions to f 1 = f 2 = = f s = 0? Does f vanish on the Variety V Fq (J)? Is f I(V Fq (J)) = J +J 0 or is f GB(J+J 0 ) + 0? P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 20 / 54

34 Example Verification Formulation Ideal J = f 1,...,f 10 z 0 = s 0 s 3 ; f 1 : z 0 +s 0 +s 3 z 1 = r 0 s 3 ; f 2 : z 1 +r 0 +s 3. Figure: A GF multiplier over F 2 2 s 0 = a 0 b 0 ; f 7 : s 0 +a 0 b 0 A = a 0 +a 1 α; f 8 : A+a 0 +a 1 α B = b 0 +b 1 α; f 9 : B +b 0 +b 1 α Z = z 0 +z 1 α; f 10 : Z +z 0 +z 1 α Ideal J 0 = z 2 0 z 0,s 2 0 s 0,...,A 2k A,B 2k B,Z 2k Z Verification problem: Check if f GB(J+J 0 ) + 0? P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 21 / 54

35 Complexity of Gröbner Basis and Term Orderings In general, Complexity of Gröbner basis: doubly-exponential Degree of polynomials in G is bounded by 2( 1 2 d2 +d) 2n 1 [2] However, for zero dimensional ideals: single-exponential complexity For J F q [x 1,...,x n ], Complexity GB(J +J 0 ) : q O(n) GB(J +J 0 ) computation explodes for 32-bit circuits GB complexity very sensitive to term ordering Let f = 2x 2 yz +3xy 3 2x 3 LEX x > y > z: f = 2x 3 +2x 2 yz +3xy 3 DEGLEX x > y > z: f = 2x 2 yz+3xy 3 2x 3 DEGREVLEX x > y > z: f = 3xy 3 +2x 2 yz 2x 3 Recall, S-polynomial depends on term ordering: S(f,g) = L lt(f) f L lt(g) g; L = LCM(lm(f),lm(g)) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 22 / 54

36 Buchberger s Algorithm Computes a Gröbner Basis Buchberger s Algorithm INPUT : F = {f 1,...,f s }, and term order > OUTPUT : G = {g 1,...,g t } G := F; REPEAT G := G For each pair {f,g},f g in G DO S(f,g) G + r IF r 0 THEN G := G {r} UNTIL G = G S(f,g) = L lt(f) f L lt(g) g L = LCM(lm(f),lm(g)), lm(f): leading monomial of f P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 23 / 54

37 Effect of Term Orderings on Buchberger s Algorithm Product Criteria If lm(f) lm(g) = LCM(lm(f),lm(g)), then S(f,g) G + 0. lm(f) lm(g) = LCM(lm(f),lm(g)), implies lm(f),lm(g) are relatively prime Our investigations... Find a term order that makes ALL {lm(f), lm(g)} relatively prime. Then: All Spoly(f,g) G + 0 and we will already have a Gröbner basis! P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 24 / 54

38 For Circuits, such an order can be derived f 1 : s 0 +a 0 b 0 ; f 2 : s 1 +a 0 b 1 ; f 3 : s 2 +a 1 b 0 ; f 4 : s 3 +a 1 b 1 ; f 5 : r 0 +s 1 +s 2 ; f 6 : z 0 +s 0 +s 3 f 7 : z 1 +r 0 +s 3 ; f 8 : A+a 0 +a 1 α; f 9 : B +b 0 +b 1 α f 10 : Z +z 0 +z 1 α; Reverse Topological Traversal of the Circuit LEX with Z > {A > B} > {z 0 > z 1 } > {r 0 > s 0 > s 3 } > {s 1 > s 2 } > {a 0 > a 1 > b 0 > b 1 } P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 25 / 54

39 Our Discovery: Gröbner Basis of J +J 0 Using Our Topological Term Order: F = {f 1,...,f s } is a Gröbner Basis of J = f 1,...,f s F 0 = {x q 1 x 1,...,x q n x n } is also a Gröbner basis of J 0 But we have to compute a Gröbner Basis of J +J 0 = f 1,f 2...,f s, x q 1 x 1,...,x q n x n We show that {f 1,f 2...,f s, x q 1 x 1,...,x q n x n } is a Gröbner basis!! From our circuit: f i = x i +P; Vanishing polynomials x q i x i Only pairs to consider: S(f i, x q i x i ) in Buchberger s Algorithm: S(f i = x i +P, x q i x i ) = x q 1 i P +x i x q 1 i P +x i x i +P x q 2 i P 2 +x i x i +P... x i+p P q P J P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 26 / 54

40 Our Overall Approach Given the circuit, perform reverse topological traversal Derive the term order to represent the polynomials for every gate The set: {F,F 0 } = {f 1,...,f s, x q 1 x 1,...,x q n x n } is a Gröbner Basis Obtain: f F,F 0 + r If r = 0, the circuit is correct If r 0, then r contains only the primary input variables Any SAT assignment to r 0 generates a counter-example Counter-example found in no time as r is simplified by Gröbner basis reduction P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 27 / 54

41 Improve GB-reduction: F 4 -style reduction Our approach moves the complexity from GB(J +J 0 ) to f f 1,...,f s + r P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 28 / 54

42 Improve GB-reduction: F 4 -style reduction Our approach moves the complexity from GB(J +J 0 ) to f f 1,...,f s + r New algorithm to compute a Gröbner basis by J.C. Faugère: F 4 G Buchberger s algorithm S(f, g) + r Instead, compute a set of S(f,g) in one-go Reduces them simultaneously Significant speed-up in computing a Gröbner basis Models the problem using sparse linear algebra Gaussian elimination on a matrix representation of the problem Our term order: already a Gröbner basis. We only need F 4 -style reduction: F,F 0 f + r P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 28 / 54

43 F 4 -style reduction Spec: f : Z +A B, compute f f 1,...,f s + r Find a polynomial f i that divides f, or cancels LT(f) r = f lt(f) lt(f i ) f i = f lc(f) lc(f i ) lm(f) lm(f i ) f i Construct a matrix: rows = polynomials, columns = monomials, entries = coefficient of monomial present in the polynomial Z AB Ba 0 Ba 1 z 0 z 1 r 0 a 0 b 0 a 0 b 1 a 1 b 0 a 1 b 1 f f α Bf α a 0 f α 0 0 a 1 f α f f f P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 29 / 54

44 F 4 -style reduction Spec: f : Z +A B, compute f f 3 : Z = z 0 +z 1 α f 1,...,f s + r Z AB Ba 0 Ba 1 z 0 z 1 r 0 a 0 b 0 a 0 b 1 a 1 b 0 a 1 b 1 f f α Bf α a 0 f α 0 0 a 1 f α f f f P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 30 / 54

45 F 4 -style reduction To cancel the term AB f 1 : A = a 0 +a 1 α Bf 1 : AB = Ba 0 +Ba 1 α Z AB Ba 0 Ba 1 z 0 z 1 r 0 a 0 b 0 a 0 b 1 a 1 b 0 a 1 b 1 f f α Bf α a 0 f α 0 0 a 1 f α f f f P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 31 / 54

46 F 4 -style reduction Construct the Matrix for polynomial reduction Apply Gaussian elimination on the matrix Last row = result of reduction = α 2 +α+1 = 0 Z AB Ba 0 Ba 1 z 0 z 1 r 0 a 0 b 0 a 0 b 1 a 1 b 0 a 1 b α α 1 α α 1 α 0 1 α α 0 1 α α α α 0 0 α α α α 0 α α α 2 +α α 2 +α+1 See publication [Lv et al, TCAD 2013] [3] for more details P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 32 / 54

47 Problem 2: Polynomial Interpolation from Circuits Circuit: f : B k B k Model it as a polynomial function f : F 2 k F 2 k Interpolate a word-level polynomial from the circuit: Z = F(A) A = a 0 +a 1 α+...a k 1 α k 1, Z = z 0 +z 1 α+...z k 1 α k 1 Compute Gröbner basis of circuit polynomials with elimination (LEX) order: circuit-variables > Z > A Obtain Z = F(A) as a unique, canonical, polynomial representation from the circuit P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 33 / 54

48 f 1 : z 0 +z 1 α+z; f 2 : b 0 +b 1 α+b; f 3 : a 0 +a 1 α+a; f 4 : s 0 +a 0 b 0 ; f 5 : s 1 +a 0 b 1 ; f 6 : s 2 +a 1 b 0 ; f 7 : s 3 +a 1 b 1 ; f 8 : r 0 +s 1 +s 2 ; f 9 : z 0 +s 0 +s 3 ; f 10 : z 1 +r 0 +s 3. Ideal J = f 1,...,f 10. Add J 0 and compute GB(J +J 0 ) with x i > Z > A > B, then G : g 1 : z 0 +z 1 α+z; g 2 : b 0 +b 1 α+b; g 3 : a 0 +a 1 α+a; g 4 : s 3 +r 0 +z 1 ;g 5 : s 1 +s 2 +r 0 ; g 6 : s 0 +s 3 +z 0 ; g 7 : Z +AB; g 8 : a 1 b 1 +a 1 B +b 1 A+z 1 ; g 9 : r 0 +a 1 b 1 +z 1 ; g 10 : s 2 +a 1 b 0 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 34 / 54

49 A Proof Outline for this result Let unknown specification polynomial f : Z +F(A) (Z = F(A)) I have already shown that f J +J 0 Let G = {g 1,...,g t } be a reduced GB(J +J 0 ) with LEX circuit variables > Z > A Definition of GB: g i such that lm(g i ) Z So g i = Z +F(A) Play the same tricks with term-ordering and scale your verification For more details, see [4] [5]. For the algebraists... In general, π l (V(J)) V(J l ). However, over Galois fields F q, π l (V(J +J 0 )) = V((J +J 0 ) l ). P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 35 / 54

50 Tool Development and Experimental Results Initial experiments with Singular computer algebra tool [6] Developed a custom verification tool, written in C++ GF library, ring operations F q [x 1,...,x n ], LEX order Euclidean algorithm, F 4 -style reduction fine-tuned for circuits Solves verification & abstraction Tools and benchmarks can be obtained from: P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 36 / 54

51 Experimental Results Verification of GF Multipliers A B mod P(x) Z Array Mult Figure: Mastrovito Multiplier Flattened Mastrovito multipliers. Time is given in seconds.memory is given in MB. TO = 3 days (259,200 seconds.) Size (k) # of Gates 153K 167K 399K 508K 1.6M Bug Free 1,443 1,913 11,116 17, ,032 Time (s) Buggy 1,487 2,106 11,606 20, ,194 Max Memory (MB) ,855 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 37 / 54

52 Composite Field Arithmetic Circuits: F 2 k F (2m ) n (10) (10) transformation transformation a a a a b b b b a a a a b b b b A A B B Z Z A B Z r a b b c c c c a c c c c c c Figure: 4-bit composite multiplier designed over F (2 2 ) 2 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 38 / 54

53 Abstraction of Composite Field Multipliers Abstraction of Mastrovito multipliers over F (2 m ) n. Time is given in seconds. Memory is given in MB. k = 1024 Time Max m n Bug Free Buggy Mem , , , 520 1, See publication [5] for more details P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 39 / 54

54 Limitations of the Abstraction Approach (a) XOR logic (b) OR logic For XOR logic: f 1 : z +f +d f 2 : f +e +c f 3 : e +b +a The reduction procedure z f 1,f 2,f 3 + r will be computed as follows: z z+f+d f +d (f +d) f+e+c e +d +c (e +d +c) e+b+a d +c +b +a P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 40 / 54

55 Limitations of the Abstraction Approach (c) XOR logic (d) OR logic For OR logic: f 1 : z +fd +f +d f 2 : f +ec +e +c f 3 : e +ba+b +a The reduction procedure, z f 1,f 2,f 3 + r is now computed as: z z+fd+f+d fd +f +d (fd +f +d) f+ec+e+c f +edc +ed +dc +d; (f +edc +ed +dc +d) f+ec+e+c edc +ed +ec +e +dc +d +c (edc +ed +ec +e +dc +d +c) e+ba+b+a + dcba+dcb +dca+dba+dc +db +da+d +cba+cb +ca+c +ba+b +a P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 41 / 54

56 Use implicit representations: ZBDDs Chain of OR-gates: ZDD size is 2n 1 instead of 2 n 1 z after reduction d 0x7c c 0x6c 0x28 b 0x38 0x27 a 0x2d 0x Figure: ZDD for remainder (mod chain of OR gates) for 4 variables P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 42 / 54

57 Further Work pursued by my research group Implement GB-reduction tool using GPU computing Formal verification of sequential Galois field circuits (see [7]) Designed using optimal normal bases over F 2 k Extensions of our work to Sequential Circuits Reachability analysis of finite state machines at word-level New directions in Boolean Gröbner bases Z 2 [x 1,...,x n ] using implicit representation, such as Zero-suppressed BDDs Abstraction from f : B k B k to f : Z 2 k Z 2 k Explore over-approximations of functions of the circuit through elimination ideals P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 43 / 54

58 Sequential Galois field circuits A A Combinational Logic B B R R Figure: A typical normal basis GF sequential circuit model. A = (a 0,...,a k 1 ) and similarly B,R are k-bit registers; k-cycle execution of the FSM: R = F(A,B) Project the variety V(J +J 0 ) on the state-variables Word-Level Reachability Analysis of FSM over F 2 k Efficient solutions for quantifier elimination over F 2 k [8] See our recent [DATE 2015] paper [7] P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 44 / 54

59 Datapath Verification over Z 2 k Consider the signal processing computation: F = 1 2 a 2 +b 2 Let x = a 2 +b 2 > 0, then F = 1 2 x 2 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 45 / 54

60 Datapath Verification over Z 2 k Consider the signal processing computation: F = 1 2 a 2 +b 2 Let x = a 2 +b 2 > 0, then F = 1 2 x 2 Approximate using Taylor s series, and implement with X[15 : 0] P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 45 / 54

61 Datapath Verification over Z 2 k Consider the signal processing computation: F = 1 2 a 2 +b 2 Let x = a 2 +b 2 > 0, then F = 1 2 x 2 Approximate using Taylor s series, and implement with X[15 : 0] F[15 : 0] = 156(X[15 : 0]) (X[15: 0]) (X[15: 0]) (X[15: 0]) (X[15: 0]) (X[15: 0]) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 45 / 54

62 Datapath Verification over Z 2 k Consider the signal processing computation: F = 1 2 a 2 +b 2 Let x = a 2 +b 2 > 0, then F = 1 2 x 2 Approximate using Taylor s series, and implement with X[15 : 0] F[15 : 0] = 156(X[15 : 0]) (X[15: 0]) (X[15: 0]) (X[15: 0]) (X[15: 0]) (X[15: 0]) G[15 : 0] = 156(X[15 : 0]) (X[15 : 0]) (X[15 : 0]) (X[15: 0]) (X[15: 0]) (X[15 : 0]) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 45 / 54

63 Datapath Verification over Z 2 k Consider the signal processing computation: F = 1 2 a 2 +b 2 Let x = a 2 +b 2 > 0, then F = 1 2 x 2 Approximate using Taylor s series, and implement with X[15 : 0] F[15 : 0] = 156(X[15 : 0]) (X[15: 0]) (X[15: 0]) (X[15: 0]) (X[15: 0]) (X[15: 0]) G[15 : 0] = 156(X[15 : 0]) (X[15 : 0]) (X[15 : 0]) (X[15: 0]) (X[15: 0]) (X[15 : 0]) F G, but F[15 : 0] = G[15 : 0] or F = G (mod 2 16 ) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 45 / 54

64 What s the big deal over Z 2 k? The finite integer ring Z 2 k is a non-unique factorization domain (non-ufd) The presence of zero-divisors, lack of inverses, and P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 46 / 54

65 The ideal of vanishing polynomials (again!) F = G (mod 2 k ) F G = 0 (mod 2 k ) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 47 / 54

66 The ideal of vanishing polynomials (again!) F = G (mod 2 k ) F G = 0 (mod 2 k ) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 47 / 54

67 The ideal of vanishing polynomials (again!) F = G (mod 2 k ) F G = 0 (mod 2 k ) Ideal of vanishing polynomials (J 0 ) in Z 2 k[x] If the generators of J 0 are known in Z 2 k, compute Gröbner basis How do we generate this ideal? P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 47 / 54

68 Number theory: Divisibility properties f (mod 2 k ) = 0 means that 2 k f P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 48 / 54

69 Number theory: Divisibility properties f (mod 2 k ) = 0 means that 2 k f n! divides the product of any n consecutive integers E.g. 4! divides P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 48 / 54

70 Number theory: Divisibility properties f (mod 2 k ) = 0 means that 2 k f n! divides the product of any n consecutive integers E.g. 4! divides Find the least integer λ s.t. 2 k λ! P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 48 / 54

71 Number theory: Divisibility properties f (mod 2 k ) = 0 means that 2 k f n! divides the product of any n consecutive integers E.g. 4! divides Find the least integer λ s.t. 2 k λ! Therefore, 2 k divides the product of any λ consecutive integers P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 48 / 54

72 Number theory: Divisibility properties f (mod 2 k ) = 0 means that 2 k f n! divides the product of any n consecutive integers E.g. 4! divides Find the least integer λ s.t. 2 k λ! Therefore, 2 k divides the product of any λ consecutive integers Example: In Z 2 3, λ = 4, as 8 4! P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 48 / 54

73 Number theory: Divisibility properties f (mod 2 k ) = 0 means that 2 k f n! divides the product of any n consecutive integers E.g. 4! divides Find the least integer λ s.t. 2 k λ! Therefore, 2 k divides the product of any λ consecutive integers Example: In Z 2 3, λ = 4, as 8 4! Product of 4 consecutive integers vanishes in Z 8 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 48 / 54

74 Number theory: Divisibility properties f (mod 2 k ) = 0 means that 2 k f n! divides the product of any n consecutive integers E.g. 4! divides Find the least integer λ s.t. 2 k λ! Therefore, 2 k divides the product of any λ consecutive integers Example: In Z 2 3, λ = 4, as 8 4! Product of 4 consecutive integers vanishes in Z 8 Factorize f as a product of 4 consecutive integers P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 48 / 54

75 Number theory: Divisibility properties f (mod 2 k ) = 0 means that 2 k f n! divides the product of any n consecutive integers E.g. 4! divides Find the least integer λ s.t. 2 k λ! Therefore, 2 k divides the product of any λ consecutive integers Example: In Z 2 3, λ = 4, as 8 4! Product of 4 consecutive integers vanishes in Z 8 Factorize f as a product of 4 consecutive integers (x +1)(x +2)(x +3)(x +4) = 0 (mod 8) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 48 / 54

76 Basis for factorization In Z 2 k, find least λ s.t. 2 k λ! S 0 (x) = 1 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 49 / 54

77 Basis for factorization In Z 2 k, find least λ s.t. 2 k λ! S 0 (x) = 1 S 1 (x) = (x +1) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 49 / 54

78 Basis for factorization In Z 2 k, find least λ s.t. 2 k λ! S 0 (x) = 1 S 1 (x) = (x +1) S 2 (x) = (x +1)(x +2): Product of 2 consecutive integers... P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 49 / 54

79 Basis for factorization In Z 2 k, find least λ s.t. 2 k λ! S 0 (x) = 1 S 1 (x) = (x +1) S 2 (x) = (x +1)(x +2): Product of 2 consecutive integers... S λ (x) = (x +λ)s λ 1 (x): Product of λ consecutive integers P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 49 / 54

80 Basis for factorization In Z 2 k, find least λ s.t. 2 k λ! S 0 (x) = 1 S 1 (x) = (x +1) S 2 (x) = (x +1)(x +2): Product of 2 consecutive integers... S λ (x) = (x +λ)s λ 1 (x): Product of λ consecutive integers If f = F λ S λ (x), F λ Z 2 k[x], then f = 0 (mod 2 k ) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 49 / 54

81 Basis for factorization What is f cannot be factorized as f = F λ S λ? P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 50 / 54

82 Basis for factorization What is f cannot be factorized as f = F λ S λ? Example: In Z 2 3[x],λ = 4 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 50 / 54

83 Basis for factorization What is f cannot be factorized as f = F λ S λ? Example: In Z 2 3[x],λ = 4 f = 4x 2 +4x = 4(x +1)(x +2) = 0 (mod 2 3 ) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 50 / 54

84 Basis for factorization What is f cannot be factorized as f = F λ S λ? Example: In Z 2 3[x],λ = 4 f = 4x 2 +4x = 4(x +1)(x +2) = 0 (mod 2 3 ) The missing factors are compensated by the coefficient P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 50 / 54

85 Basis for factorization What is f cannot be factorized as f = F λ S λ? Example: In Z 2 3[x],λ = 4 f = 4x 2 +4x = 4(x +1)(x +2) = 0 (mod 2 3 ) The missing factors are compensated by the coefficient Deciding vanishing polynomials: V(x) = 0 (mod 2 k ) iff V(x) = F λ S λ + λ 1 a n S n (x) n=0 a n = integer multiple of 2 k gcd(2 k,n!) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 50 / 54

86 Basis for factorization What is f cannot be factorized as f = F λ S λ? Example: In Z 2 3[x],λ = 4 f = 4x 2 +4x = 4(x +1)(x +2) = 0 (mod 2 3 ) The missing factors are compensated by the coefficient Deciding vanishing polynomials: V(x) = 0 (mod 2 k ) iff V(x) = F λ S λ + λ 1 a n S n (x) n=0 a n = integer multiple of 2 k gcd(2 k,n!) V(x) = canonical representation of the vanishing ideal in Z 2 k[x] P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 50 / 54

87 Basis for factorization What is f cannot be factorized as f = F λ S λ? Example: In Z 2 3[x],λ = 4 f = 4x 2 +4x = 4(x +1)(x +2) = 0 (mod 2 3 ) The missing factors are compensated by the coefficient Deciding vanishing polynomials: V(x) = 0 (mod 2 k ) iff V(x) = F λ S λ + λ 1 a n S n (x) n=0 a n = integer multiple of 2 k gcd(2 k,n!) V(x) = canonical representation of the vanishing ideal in Z 2 k[x] V(x) constitutes a Gröbner basis P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 50 / 54

88 Basis for factorization What is f cannot be factorized as f = F λ S λ? Example: In Z 2 3[x],λ = 4 f = 4x 2 +4x = 4(x +1)(x +2) = 0 (mod 2 3 ) The missing factors are compensated by the coefficient Deciding vanishing polynomials: V(x) = 0 (mod 2 k ) iff V(x) = F λ S λ + λ 1 a n S n (x) n=0 a n = integer multiple of 2 k gcd(2 k,n!) V(x) = canonical representation of the vanishing ideal in Z 2 k[x] V(x) constitutes a Gröbner basis To prove f = g (mod 2 k ), compute (f g) (mod V(x)) = r, is r = 0? P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 50 / 54

89 For the SMT community... Application to simulation and BV-constraint solving V(x) = F λ S λ + λ 1 a n S n (x) = 0 (mod 2 k ) n=0 Exhaustive simulation is not always necessary for polyfunction equivalence (mod 2 k ) V(x) vanishes on any λ consecutive integers In Z 2 k, λ is very small For example, in Z 2 16, λ = 18 Instead of a 16-bit solver, can you not design a 5-bit solver? Doesn t invalidate NP-hardness results of polynomial identity testing In Z p [x],λ = p, so exhaustive simulation is needed Related Publications: [9] [10] P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 51 / 54

90 Conclusions Formal Verification of large Galois Field circuits Computer algebra approach: Nullstellensatz+Gröbner Bases methods Engineering a term order to obviate Gröbner basis computation Can verify up to 571-bit multiplier circuits NIST specified 571-bit field... practical verification! For Composite Field circuits, verification scales to 1024-bit fields Our approach relies on Gröbner basis theory, circuit analysis and efficient symbolic computation Also described polynomial RTL equivalence checking over finite integer rings Nature loves Gröbner basis! P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 52 / 54

91 Acknowledgments Former PhD students Namrata Shekhar: Synopsys, Formality Equivalence Checker Sivaram Gopalakrishnan: Synopsys, Formality Equivalence Checker Jinpeng Lv: Cadence, Conformal Equivalence Checker Tim Pruss: Apple, Formal Verification Engineer Current PhD students Xiaojun Sun: Word-level implicit state enumeration for model checking sequential circuits Utkarsh Gupta: Boolean Gröbner Bases Collaborator: Prof. Florian Enescu Mathematics & Statistics, Georgia State Univ. Commutative Algebra & Algebraic Geometry Research Funded by the U.S. National Science Foundation P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 53 / 54

92 Questions? Thanks for listening! Questions? P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 54 / 54

93 E. Biham, Y. Carmeli, and A. Shamir, Bug Attacks, in Proceedings on Advances in Cryptology, 2008, pp T. W. Dube, The Structure of Polynomial Ideals and Gröbner bases, SIAM Journal of Computing, vol. 19, no. 4, pp , J. Lv, P. Kalla, and F. Enescu, Efficient Gröbner Basis Reductions for Formal Verification of Galois Field Arithmetic Circuits, in IEEE Trans. on CAD, vol. 32, no. 9, 2013, pp T. Pruss, P. Kalla, and F. Enescu, Equivalence Verification of Large Galois Field Arithmetic Circuits using Word-Level Abstraction via Groebner Bases, in Design Automation Conf., 2014., Efficient Symbolic Computation for Word-Level Abstraction from Combinational Circuits for Verification over Galois Fields, submitted, in review, IEEE Trans. on CAD, W. Decker, G.-M. Greuel, G. Pfister, and H. Schönemann, Singular A computer algebra system for polynomial computations, 2011, P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 54 / 54

94 X. Sun, P. Kalla, T. Pruss, and F. Enescu, Formal verification of sequential galois field arithmetic circuits using algebraic geometry, in Proc. Design, Automation and Test in Europe, S. Gao, A. Platzer, and E. Clarke, Quantifier Elimination over Finite Fields with Gröbner Bases, in Intl. Conf. Algebraic Informatics, N. Shekhar, P. Kalla, M. B. Meredith, and F. Enescu, Simulation Bounds for Equivalence Verification of Polynomial Datapaths using Finite Ring Algebra, IEEE TransactionsVLSI, vol. 16, no. 4, pp , N. Shekhar, P. Kalla, and F. Enescu, Equivalence Verification of Polynomial Datapaths using Ideal Membership Testing, IEEE Transactions on CAD, vol. 26, no. 7, pp , July P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 54 / 54