Efficient Parallel Verification of Galois Field Multipliers


  1. Efficient Parallel Verification of Galois Field Multipliers
     Cunxi Yu, Maciej Ciesielski
     ECE Department, University of Massachusetts, Amherst

  2. Why Research on Verification?
     - Verification cost
       - 57% in 2014
         - ¼ designs 61-70%
       - Increasing
     - Verification works
       - Debugging
       - Test bench
       - Test planning
     - [Figure: pie chart "Percentage of Project Time Spent in Verification"; segments: Debug, Creating Test & Simulation, Test Planning, Testbench Development, Other; values shown: 22%, 37%, 14%, 24%, 3%]
     - Source: Harry D. Foster. “Trends in functional verification: A 2014 industry study”. DAC’15.

  3. Hardware Verification
     - HDL example:

           always @(posedge clk) begin
             if (r) p <= 0;      // reset the counter
             else   p <= p + 1;  // otherwise count up
           end

     - [Figure: design flow with stages HDL/C/C++, Netlist, Schematic, Layout, IC; label: Equivalence checking]
     - We focus on logical implementation
       - Gate-level Galois Field arithmetic circuits
         - Pre-synthesized and post-synthesized multipliers
         - Including Montgomery and Mastrovito multipliers

  4. Galois Field
     - Finite fields
       - Number system with a finite number of elements
       - Cryptography systems, e.g. Advanced Encryption Standard (AES)
     - Prime field
       - $GF(p)$: finite number of integers $\{1, 2, \dots, p-1\}$, $p$ is a prime number
     - Extension field
       - $A = \{a_0, a_1\}$ in $GF(2^2)$ is $A(x) = a_0 + a_1 x$, $a_i \in \{0,1\}$
     - Example
       - 2-bit integer multiplication: $r_0 + 2r_1 + 4r_2 + 8r_3$
       - $GF(2^2)$, irreducible poly $P(x) = x^2 + x + 1$
       - Many $P(x)$ exist in $GF(2^n)$ ($n \ge 4$)

  5. Introduction
     - Hardware verification
       - Checking if the design meets specification
         - Equivalence checking (EC)
         - Property, model checking
         - Functional verification
     - Verification techniques
       - Canonical diagrams (BDDs, BMDs), SAT/SMT
         - Require “bit-blasting”, memory explosion
       - Theorem proving (ACL2, HOL)
         - Requires domain knowledge, complex for gate-level
       - Computer algebraic
         - Finite field arithmetic [Lvov’FMCAD11] [Kalla’DAC14, TCAD’13]
         - Integer arithmetic [DAC’15] [TCAD’16]
         - Floating point arithmetic [Drechsler’FMCAD16]

  6. Equivalence Checking (EC)
     - A method to check whether two designs are behaviorally equivalent
     - [Figure: shared Inputs feeding Design 1 and Design 2]
     - Combinational equivalence checking (CEC)
       - Exhaustive simulation
       - Canonical methods, e.g. BDDs, BMDs, TEDs
         - Poor scalability
       - Solve Boolean satisfiability using SAT/SMT/ILP solvers
         - Build a “miter”; check if the “miter” is unSAT
         - Build a pseudo-Boolean “miter” in SMT/ILP

  7. Simulation
     - A “random walk” through the state space of the design
     - Test bench
     - Advantages
       - Scalable: applicable to designs of any size
       - Very robust set of tools & methodologies available for this technique
       - Constraint-based stimulus generation; random biasing
       - Clever testcase generation techniques
     - Drawbacks
       - Explicit one-state-at-a-time nature severely limits attainable coverage
       - Suffers from incomplete coverage problem: often fails to expose every bug
     - Slide from Jason Baumgartner, IBM Austin, 2011

  8. Boolean Satisfiability using SAT/SMT
     - Check whether the miter is satisfiable: $(\text{clause}_1) \wedge (\text{clause}_2) \wedge (\dots) \wedge \text{miter}$
       - Specifically:
         - SAT solvers: miniSAT, etc.
     - [Figure: shared Inputs feeding Design 1 and Design 2, outputs joined by a miter]
     - Convert a netlist to Conjunctive Normal Form (CNF)
       - AND: $(a \vee \neg x) \wedge (b \vee \neg x) \wedge (\neg a \vee \neg b \vee x)$
       - OR: $(\neg x \vee out) \wedge (\neg c \vee out) \wedge (x \vee c \vee \neg out)$
     - Performance
       - More scalable than BDD/*BMD
       - Exponential runtime for hard problem
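
The miter check described on slide 8, as an added example that is not part of the original slides: two small designs are encoded with the slide's AND and OR clause templates, their outputs are joined by an XOR miter, and satisfiability is decided by brute force. The two designs, the variable numbering, the XOR clauses and the `solve` helper are assumptions made for illustration.

```python
from itertools import product

def and_gate(a, b, x):
    """x = a AND b, using the slide's AND clause template."""
    return [[a, -x], [b, -x], [-a, -b, x]]

def or_gate(x, c, out):
    """out = x OR c, using the slide's OR clause template."""
    return [[-x, out], [-c, out], [x, c, -out]]

def xor_gate(p, q, m):
    """m = p XOR q (standard Tseitin clauses; assumption, not on the slide)."""
    return [[-p, -q, -m], [p, q, -m], [p, -q, m], [-p, q, m]]

def solve(clauses, n_vars):
    """Brute-force SAT check: a satisfying assignment, or None if unSAT."""
    for bits in product([False, True], repeat=n_vars):
        def val(lit):
            return bits[abs(lit) - 1] != (lit < 0)
        if all(any(val(lit) for lit in clause) for clause in clauses):
            return {v + 1: bits[v] for v in range(n_vars)}
    return None

A, B, C = 1, 2, 3  # primary inputs shared by both designs (constructed example)

def design1():
    """out1 = (a AND b) OR c; internal net 4, output 5."""
    return and_gate(A, B, 4) + or_gate(4, C, 5), 5

def design2(buggy=False):
    """out2 = (a OR c) AND (b OR c); nets 6 and 7, output 8."""
    # The buggy variant wires net 7 straight to b, dropping the OR with c.
    net7 = [[B, -7], [-B, 7]] if buggy else or_gate(B, C, 7)
    return or_gate(A, C, 6) + net7 + and_gate(6, 7, 8), 8

def check_equivalence(buggy=False):
    """Return None if the miter is unSAT (equivalent), else a counterexample."""
    cnf1, out1 = design1()
    cnf2, out2 = design2(buggy)
    miter = 9
    return solve(cnf1 + cnf2 + xor_gate(out1, out2, miter) + [[miter]], 9)

if __name__ == "__main__":
    print("equivalent designs:", check_equivalence())
    print("buggy design counterexample:", check_equivalence(buggy=True))
```

A real flow hands the same clause list to a SAT solver; the exhaustive loop here only keeps the example dependency-free.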

  9. Evaluation of BDD/SAT/SMT/ABC
     - Evaluation of existing formal methods [Kalla’TCAD13]
     - SAT: MiniSAT, CryptoSAT, PicoSAT
     - SMT: Yices, Beaver, CVC4, Z3, Boolector
     - BDD: CUDD Package
     - ABC
     - [Figure: shared Inputs feeding Design 1 and Design 2, outputs joined by a miter]

  10. Transformation-based Verification
     - Complexity reduction
       - Redundancy removal
       - Combinational rewriting
         - And-Inv-Graph (AIG) [11]
     - Example: Mastrovito Mult [Kalla’TCAD13]
       - FRAIG: Functional reduced AIG
         - Miter of two multipliers
           - Ideally should be reduced to an empty AIG
         - Percentage of AIG nodes eliminated before/after FRAIG
     - [Figure: circuit graphs with inputs i1, i2, i3, nodes A, B, C, D and outputs z0, z1, z2]

  11. Computer Algebraic method
     - Computer algebra method [Wienand’08, Pavlenko’11, Kalla’13, Drechsler’16]
       - Circuit represented in arithmetic bit level (ABL)
         - Specification $F_{spec}$ and implementation $B$ defined as polynomials in $\mathbb{Z}_{2^n}$
         - Reduce $F_{spec}$ modulo $B$ by polynomial divisions
       - If $r = 0$, the circuit is correct
     - Algebraic techniques
       - Polynomial divisions: to check if $r = 0$
         - Otherwise, determine if $r$ is 0-polynomial using canonical Groebner basis
       - Algebraic rewriting (gates, Add, Mult, etc.)
         - Rewriting the signature based on a topological order of the network [DAC’15]
     - [Figure: Specification $F_{spec}$ reduced by Implementation $B$ (NOR, XOR, HA, AND) to remainder $r$]

  12. Previous Work
     - Replace gate output by its equation
       - Substitution
         - Replace variables using algebraic model
       - Simplification
         - Eliminate monomials with coefficients “zero”
       - Must rewrite entire signature
     - Rewriting steps:
       - $f_3 = 4z_2 + 2z_1 + z_0$
       - $f_2 = 4(g + e - eg) + 2z_1 + z_0 = 4g + 4e - 4eg + 2z_1 + z_0$
       - $f_1 = 4e + 4(cd) - 4e(cd) + 2(c + d - 2cd) + z_0 = 4e + 2c + 2d + z_0 - 4ecd$
       - $f_0 = 4(a_1 b_1) + 2(a_0 b_0) + 2(a_1 + b_1 - 2a_1 b_1) + (a_0 + b_0 - 2a_0 b_0) - 4(a_1 b_1)(a_0 b_0)(a_1 + b_1 - 2a_1 b_1) = 2a_1 + 2b_1 + a_0 + b_0$
     - Matches the input signature. Circuit is correct.
     - [Figure: gate-level circuit with inputs a1, b1, a0, b0, internal signals c, d, e, g, outputs z2, z1, z0, and cuts f0 to f3]

  13. Previous Work
     - Expression reduction: 4-bit multiplier
       - Large number of reductions between each output bit
       - Output signature vs. individual bits
       - 300X larger!
     - [Figure: plot with log-scale vertical axis (1 to 10000) against "#. rewriting iterations" (0 to 90); series z0 to z7 and Sig out]

  14. Verification of GF Multipliers
     - Finite field multiplier
       - Function: $A(x) \cdot B(x) \bmod P(x)$
       - Irreducible polynomial: $P(x) = x^2 + x + 1$
         - equals to $A \cdot B \bmod 7$
     - Example: 2-bit GF multiplier
       - $P(x) = x^2 + x + 1$
         - $s_0 = a_0 b_0$
         - $s_1 = a_1 b_0 \oplus a_0 b_1$
         - $s_2 = a_1 b_1$
         - $z_0 = s_0 \oplus s_1$
         - $z_1 = s_1 \oplus s_2$
       - $z_0 = a_0 b_0 \oplus a_1 b_0 \oplus a_0 b_1$
       - $z_1 = a_1 b_0 \oplus a_0 b_1 \oplus a_1 b_1$

  15. Verification of GF($2^m$) Multipliers
     - Finite field multiplier
       - Function: $A(x) \cdot B(x) \bmod P(x)$
       - Irreducible polynomial: $P(x) = x^2 + x + 1$
         - equals to $A \cdot B \bmod 7$
     - Modeling in finite field
       - Post-synthesized 2-bit GF multiplier
       - Input signature:
         - A = x 1 a 0 + x 2 a 1
         - B = x 1 b 0 + x 2 b 1
       - Output signature:
         - Z = x 1 z 0 + x 2 z 1 mod P(x)
     - [Figure: gate-level netlist with gates G1 to G8, inputs a0, a1, b0, b1, internal nets n1 to n6, outputs z0, z1]

  16. Verification of GF($2^m$) Multipliers
     - 2-bit $GF(2^2)$ multiplier
       - Irreducible polynomial: $P(x) = x^2 + x + 1$
       - Function: $Z = z_0 + z_1 \cdot x$
         - $z_0 = a_0 b_0 \oplus a_1 b_0 \oplus a_0 b_1$
         - $z_1 = a_1 b_0 \oplus a_0 b_1 \oplus a_1 b_1$
     - Modeling in finite field
       - Post-synthesized 2-bit GF multiplier
       - Implementation $B$ (gate equations):
         - G1: $n_1 = 1 + a_0 b_0$
         - G2: $n_2 = 1 + a_1 b_1$
         - G3: $n_3 = 1 + a_1 b_0$
         - G4: $n_4 = 1 + a_0 b_1$
         - G5: $n_6 = n_3 + n_4$
         - G6: $z_0 = n_1 + n_2$
         - G7: $z_1 = n_5 + n_6$
         - G8: $n_5 = 1 + n_2$
     - [Figure: gate-level netlist with gates G1 to G8, inputs a0, a1, b0, b1, internal nets n1 to n6, outputs z0, z1]

  17. Verification of GF($2^m$) Multipliers
     - 2-bit $GF(2^2)$ multiplier
       - Irreducible polynomial: $P(x) = x^2 + x + 1$
       - Function: $Z = z_0 + z_1 \cdot x$
         - $z_0 = a_0 b_0 \oplus a_1 b_0 \oplus a_0 b_1$
         - $z_1 = a_1 b_0 \oplus a_0 b_1 \oplus a_1 b_1$
     - Modeling in finite field
       - Each rewriting result $F_0, F_1, \dots, F_i \in GF(2^m)$
       - Theorem 1: Algebraic model $\in GF(2)$

         | Gate | Model | Model mod 2 |
         |------|-------|-------------|
         | NOT | $\neg a = 1 - a$ | $\neg a = (1 + a) \bmod 2$ |
         | AND | $a \wedge b = a \cdot b$ | $a \wedge b = a \cdot b$ |
         | OR | $a \vee b = a + b - a \cdot b$ | $a \vee b = (a + b + a \cdot b) \bmod 2$ |
         | XOR | $a \oplus b = a + b - 2a \cdot b$ | $a \oplus b = (a + b) \bmod 2$ |

  18. Verification of GF($2^m$) Multipliers
     - 2-bit $GF(2^2)$ multiplier
       - Irreducible polynomial: $P(x) = x^2 + x + 1$
       - Function: $Z = z_0 + z_1 \cdot x$
         - $z_0 = a_0 b_0 \oplus a_1 b_0 \oplus a_0 b_1$
         - $z_1 = a_1 b_0 \oplus a_0 b_1 \oplus a_1 b_1$
       - $F_{spec} = a_0 b_0 + a_1 b_1 + (a_1 b_1 + a_1 b_0 + a_0 b_1) \cdot x$
     - Modeling in finite field
       - Each rewriting result $F_0, F_1, \dots, F_i \in GF(2^m)$
       - Theorem 1: Algebraic model $\in GF(2)$

         | Gate | Model | Model mod 2 |
         |------|-------|-------------|
         | NOT | $\neg a = 1 - a$ | $\neg a = (1 + a) \bmod 2$ |
         | AND | $a \wedge b = a \cdot b$ | $a \wedge b = a \cdot b$ |
         | OR | $a \vee b = a + b - a \cdot b$ | $a \vee b = (a + b + a \cdot b) \bmod 2$ |
         | XOR | $a \oplus b = a + b - 2a \cdot b$ | $a \oplus b = (a + b) \bmod 2$ |

  19. Verification of GF($2^m$) Multipliers
     - Finite field multiplier
       - Function: $A(x) \cdot B(x) \bmod P(x)$
       - Irreducible polynomial: $P(x) = x^2 + x + 1$
         - equals to $A \cdot B \bmod 7$
     - Modeling in finite field
       - Each rewriting result $F_0, F_1, \dots, F_i \in GF(2^m)$
       - Theorem 1: Algebraic model $\in GF(2)$
       - Theorem 2: Coefficients of each monomial $\in GF(2)$
         - Provides eliminations/polynomial reductions

         | Gate | Model | Model mod 2 |
         |------|-------|-------------|
         | NOT | $\neg a = 1 - a$ | $\neg a = (1 + a) \bmod 2$ |
         | AND | $a \wedge b = a \cdot b$ | $a \wedge b = a \cdot b$ |
         | OR | $a \vee b = a + b - a \cdot b$ | $a \vee b = (a + b + a \cdot b) \bmod 2$ |
         | XOR | $a \oplus b = a + b - 2a \cdot b$ | $a \oplus b = (a + b) \bmod 2$ |

  20. Verification of GF($2^m$) Multipliers
     - Single-thread verification
     - Order = <7,6,5,8,4,3,2,1>
     - “+” is addition “add, mod 2”
     - Rewriting steps:
       - $Sig_{out}$: $F_0 = z_0 + z_1 \cdot x$
       - G7: $F_1 = z_0 + (n_5 + n_6) \cdot x$
       - G6: $F_2 = n_1 + n_2 + (n_5 + n_6) \cdot x$
       - G5: $F_3 = n_1 + n_2 + (n_3 + n_4 + n_5) \cdot x$
       - G8: $F_4 = n_1 + n_2 + (n_3 + n_4 + n_2 + 1) \cdot x$
       - G4: $F_5 = n_1 + n_2 + (n_2 + n_3 + a_0 b_1) \cdot x + 2x$
       - G3: $F_6 = n_1 + n_2 + (n_2 + a_1 b_0 + a_0 b_1) \cdot x + x$
       - G2: $F_7 = n_1 + a_1 b_1 + 1 + (a_1 b_1 + a_1 b_0 + a_0 b_1) \cdot x + 2x$
       - G1: $F_8 = a_0 b_0 + a_1 b_1 + (a_1 b_1 + a_1 b_0 + a_0 b_1) \cdot x + 2$
       - $Sig_{in} = F_9 = a_0 b_0 + a_1 b_1 + (a_1 b_1 + a_1 b_0 + a_0 b_1) \cdot x$
     - [Figure: gate-level netlist with gates G1 to G8, inputs a0, a1, b0, b1, internal nets n1 to n6, outputs z0, z1]

  21. Verification of GF($2^m$) Multipliers
     - Theorem 3: Reductions exist only within each output element
     - Regardless of logic sharing
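
The backward rewriting of slide 20 and the per-output observation of Theorem 3, as an added example (not code from the presentation or its authors): the gate equations G1 to G8 of slide 16 are substituted in the slide's order with coefficients in GF(2), and the result is compared with F_spec. The set-of-monomials representation, the helper names and the constructed bug are assumptions made for illustration.

```python
from itertools import product

def P(*monos):
    """Polynomial over GF(2): a set of monomials, each a set of signal names."""
    return frozenset(frozenset(m) for m in monos)

def mul(p, q):
    r = set()
    for m, n in product(p, q):
        r ^= {m | n}            # v*v = v for Boolean signals; equal monomials cancel
    return frozenset(r)

def substitute(poly, var, expr):
    """Replace gate output `var` by `expr`; '^' is addition mod 2 (Theorem 2)."""
    out = frozenset()
    for m in poly:
        out ^= mul(P(m - {var}), expr) if var in m else P(m)
    return out

GATES = {  # gate equations G1..G8 from slide 16: number -> (output, polynomial)
    1: ("n1", P((), ("a0", "b0"))), 2: ("n2", P((), ("a1", "b1"))),
    3: ("n3", P((), ("a1", "b0"))), 4: ("n4", P((), ("a0", "b1"))),
    5: ("n6", P(("n3",), ("n4",))), 6: ("z0", P(("n1",), ("n2",))),
    7: ("z1", P(("n5",), ("n6",))), 8: ("n5", P((), ("n2",))),
}
ORDER = [7, 6, 5, 8, 4, 3, 2, 1]                    # order from slide 20
SIG_OUT = P(("z0",), ("z1", "x"))                   # F0 = z0 + z1*x
F_SPEC = P(("a0", "b0"), ("a1", "b1"), ("a1", "b1", "x"),
           ("a1", "b0", "x"), ("a0", "b1", "x"))    # Sig_in from slide 20

def rewrite(sig, gates=GATES, order=ORDER):
    """Backward rewriting; returns the trace F0, F1, ..., F8 (even terms dropped)."""
    trace = [sig]
    for g in order:
        trace.append(substitute(trace[-1], *gates[g]))
    return trace

def residual(gates=GATES):
    """Final signature plus F_spec (mod 2): empty iff the netlist is correct."""
    return rewrite(SIG_OUT, gates)[-1] ^ F_SPEC

def per_output(gates=GATES):
    """Theorem 3: each output bit is rewritten on its own, so bits can run in parallel."""
    return {z: rewrite(P((z,)), gates)[-1] for z in ("z0", "z1")}

if __name__ == "__main__":
    print("residual:", set(residual()), "| per output:", per_output())
    buggy = {**GATES, 8: ("n5", P(("n2",)))}  # constructed bug: inverter G8 becomes a buffer
    print("buggy residual:", set(residual(buggy)))
```

The per-output results are the coefficients of 1 and of x in F_spec, and the constructed bug leaves the single monomial x as a non-zero remainder.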
