# Rectification of Finite Field Arithmetic Circuits using Computer Algebra Techniques

VIKAS RAO, University of Utah, USA HADEN ONDRICEK, University of Utah, USA PRIYANK KALLA, University of Utah, USA FLORIAN ENESCU, Georgia State University, USA

This paper presents a symbolic computer algebra based approach for rectification of faulty finite field arithmetic circuits at multiple nets. Contemporary approaches that utilize SAT solving and Craig interpolation are infeasible in rectifying arithmetic circuits. Our approach employs techniques from polynomial algebra to compute rectification patches. Given a set of m nets as targets for rectification, first, we utilize algebra-based techniques to ascertain existence of a rectification function at the targets, and subsequently compute a rectification function. Further, we show how the algebraic computing model allows to explore the space of admissible rectification patches, collectively, for the m targets. The model also enables exploitation of don't care conditions across the m targets for synthesis of rectification patches. Experiments conducted over finite field circuits used in cryptography applications demonstrate the efficacy of our approach.

CCS Concepts: • Hardware  $\rightarrow$  Electronic design automation.

Additional Key Words and Phrases: Logic Synthesis, Rectification, Arithmetic Circuits

#### 1 INTRODUCTION

Debugging and rectification of digital logic circuits aims to correct a given defective circuit implementation to match its intended specification. The process constitutes identifying candidate nets in the circuit as targets for rectification, followed by a check to determine whether the circuit can be patched at these targets. If the targets admit correction, corresponding rectification functions are computed and synthesized to fix the circuit at these targets. It is akin to performing synthesis for Engineering Change Order (ECO), wherein a highly optimized implementation is minimally modified to match the updated specification in a cost effective way. This is achieved by reusing prior design efforts and avoiding rerunning the entire synthesis flow, while adhering to the resource constraints and the physical design limitations.

The rectification problem has witnessed a lot of research over the years – some of the earliest being [13, 21, 23]. Owing to a manifold improvement in the efficiency of SAT solvers, there has been a renewed interest in the problem over the last decade from the logic synthesis, testing and verification communities [5, 7, 8, 24]. These techniques generally employ SAT, Quantified Boolean Formula (QBF) solving, and Craig Interpolation (CI) based techniques for rectification. While successful for control-dominated applications, these techniques are computationally infeasible for rectification of arithmetic circuits. Symbolic Computer Algebra (SCA) techniques are found to be more suitable for formal analysis and verification of arithmetic circuits. However, utilization of the various facets and capabilities of the SCA techniques for post-verification debugging and rectification has only recently begun to be addressed [6, 9, 15, 18–20].

This paper addresses the problem of *rectification of faulty finite field arithmetic circuits* at a given set of *m* targets. Rectification is performed against a given polynomial specification over finite fields. Such circuits find application in cryptography and error-control codes. As arithmetic bugs may lead to security vulnerabilities in crypto-systems [2], their rectification is of utmost importance. Our

Authors' addresses: Vikas Rao, University of Utah, Salt Lake City, USA, vikas.k.rao@utah.edu; Haden Ondricek, University of Utah, Salt Lake City, USA, haden.ondricek@utah.edu; Priyank Kalla, University of Utah, Salt Lake City, USA, kalla@ece. utah.edu; Florian Enescu, Georgia State University, Atlanta, USA, fenescu@gsu.edu.

approach uses Symbolic computer algebra and algebraic geometry based techniques to derive the necessary and sufficient condition for the existence of a rectification function, computes rectification patches as polynomials for the given targets, and synthesizes them into logic sub-circuits.

 Problem Statement and Objective: We are given the following: i) as the specification, a multivariate polynomial f with coefficients in a finite field of  $2^n$  elements (denoted  $\mathbb{F}_{2^n}$ ), for a given  $n \in \mathbb{Z}_{>0}$ ; ii) an irreducible polynomial  $P_n(x)$  of degree n with coefficients in  $\{0,1\}$  used to construct  $\mathbb{F}_{2^n}$ ; iii) a faulty circuit implementation C, with no assumptions on the number or the type of bugs present in C; and iv) a set  $W = (w_1, \ldots, w_m)$  of m targets from C, pre-specified or selected using contemporary signal selection heuristics [5, 11, 12]. The objective of our approach is to: i) ascertain that C admits rectification at these m targets ii) compute a set of individual rectification functions  $U = (u_1, \ldots, u_m)$  for the corresponding targets. Here, each  $u_i$  is a polynomial function  $u_i : \mathbb{F}_2^{|X_{PI}|} \to \mathbb{F}_2$ , where  $\mathbb{F}_2 = \{0, 1\}$ , and  $X_{PI}$  denotes the set of primary inputs; iii) derive don't care conditions corresponding to the m rectification functions; and iv) synthesize the rectification polynomials into logic sub-circuit patches.

Prior Work: Contemporary approaches formulate rectification using QBF solving [8], using CI or iterative SAT solving [24]. The rectification techniques in [11, 24, 25] iteratively and incrementally compute multiple single-fix functions that partially patch the circuit in each iteration. They ensure that, in each iteration, erroneous minterms are resolved and no new errors are introduced, eventually converging the circuit to the given specification. The more recent techniques further include more resource awareness in patch generation by reusing existing logic [5], employ improved heuristics for target selection [11]. A robust ECO approach to derive patches with minimal impact on the heavily optimized existing implementation against a structurally dissimilar ECO-evolved specification has been presented in [12]. The authors [12] propose enumerating rectification points functionally by simulation and match the circuitry of patches implicitly to maximize reuse of existing logic in the implementation. To achieve scalability, the method proposes modeling and analyzing its computations in symbolic sampling domain. While successful for control-dominated applications, these techniques are computationally infeasible for rectification of arithmetic circuits.

In the context of arithmetic circuits, Symbolic computer algebra techniques for integer arithmetic [6, 15] and finite field circuits [9, 18] have been considered for rectification. However, these algebraic approaches address only *single-fix rectification* – where irrespective of the type or number of bugs in the circuit, rectification is attempted at a single net. This is too restrictive and depending on the nature of the bugs, the circuit may not admit single-fix rectification at all. In such cases, correction has to be attempted at multiple targets, i.e. MFR is required. Recently, [19] proposes an SCA based approach to *decide m-target rectifiability*. Given a set of *m*-targets, the approach can only ascertain whether *there exists* a set of patch functions that can patch the circuit at those targets. As it is only a decision procedure, the proposed approach cannot *compute* rectification functions. Thus the problem of multi-fix rectification of data-path circuits remains unsolved, and theoretical and algorithmic solutions to compute and synthesize rectification patches for arithmetic circuits are still desired.

Approach and Contribution: The specification and implementation are modeled in terms of polynomial ideals, and the rectification functions are computed using the Gröbner bases of these ideals [1]. We model this computation as a quantification procedure by utilizing concepts from computer algebra and algebraic geometry. In this regard, our approach goes beyond the Nullstellensatz-based results produced from the *m*-target rectifiability check presented in [19], and *computes m* individual rectification functions altogether. This allows us to efficiently explore the space of various admissible rectification functions, in turn, computing subsets of don't care conditions which help in simplifying the rectification patches. Synthesis of the corresponding polynomial patch functions,

along with don't cares, demonstrates the efficacy of our approach in terms of improved area and delay characteristics of the patches. Overall, the the computation of rectification functions at multiple targets, and modeling don't cares for MFR in polynomial algebra, are our novel contributions not presented in prior literature.

We reason about the presence or absence of solutions and other properties of a system of polynomials without explicitly solving them. In contrast, the contemporary approaches explicitly solve for a solution at each step and hence are infeasible towards rectification of arithmetic circuits. We present theoretical concepts and algorithms, and their efficient implementations, for finite field arithmetic circuit debug and rectification. The logic corrections are computed as polynomial functions in primary input variables, which are synthesized into rectification patches for the corresponding targets. Our algebraic approach provides a scalable solution for rectification of finite field arithmetic circuits.

Paper Organization: The following section covers preliminary background. Section 2.1 reviews the polynomial modeling concepts. Rectification check formulation is described in Section 3, followed by the rectification function and don't care computations in Section 4. Section 5 discusses the implementation details, and experimental results are described in Section 6, and Section 7 concludes the paper.

## 2 PRELIMINARIES

 This section reviews some basic concepts from symbolic computer algebra and associated algorithms that are utilized in this paper.

Finite fields: Let  $\mathbb B$  denote the Boolean domain, and  $\neg, \land, \lor, \oplus$  the NOT, AND, OR and XOR operators, respectively. Let  $\mathbb F_2=\{0,1\}$  be the field of 2 elements, and let  $\mathbb F_q=\mathbb F_{2^n}$  denote the finite field of  $q=2^n$  elements, for a given  $n\in\mathbb Z_{>0}$ .  $\mathbb F_{2^n}$  is the n-dimensional extension of  $\mathbb F_2$ , and it is constructed as  $\mathbb F_{2^n}=\mathbb F_2[x]$  (mod  $P_n(x)$ ). Here  $P_n(x)\in\mathbb F_2[x]$  is a given degree-n polynomial, irreducible in  $\mathbb F_2$ , with a root  $\gamma$ , i.e.  $P_n(\gamma)=0$ , which is a generator of  $\mathbb F_{2^n}$ . Then  $\gamma$  is called a primitive element (PE) of  $\mathbb F_{2^n}$  and it generates the entire field:  $\mathbb F_{2^n}=\{0,1=\gamma^{2^n-1},\gamma,\gamma^2,\ldots,\gamma^{2^n-2}\}$ . Note:  $\forall \gamma\in\mathbb F_{2^n},\gamma^{2^n-1}=1$ . An element  $A\in\mathbb F_{2^n}$  can be written as  $A=a_0+a_1\cdot\gamma+\cdots+a_{n-1}\cdot\gamma^{n-1}$ , where  $a_0,\ldots,a_{n-1}\in\mathbb F_2$ . In  $\mathbb F_{2^n}$ , the addition ("+") and multiplication ("·'") operations are performed in the base field  $\mathbb F_2$  and reduced modulo the corresponding primitive polynomial  $P_n(x)$ . For  $n,k\in\mathbb Z_{>0}$ , if n divides k, then  $\mathbb F_{2^n}\subset\mathbb F_{2^k}$ . Thus,  $\mathbb F_2\subset\mathbb F_{2^n},\forall n>1$ . All fields of the type  $\mathbb F_{2^n}$  have characteristic 2, and therefore -1=+1 in  $\mathbb F_{2^n}$ .

Polynomial representation: Let  $R = \mathbb{F}_q[x_1,\ldots,x_d]$  be the polynomial ring in variables  $x_1,\ldots,x_d$  with coefficients in  $\mathbb{F}_q$ . A polynomial  $f \in R$  is written as a finite sum of terms  $f = c_1M_1 + c_2M_2 + \cdots + c_pM_p$ , where  $c_1,\ldots,c_p$  are coefficients from  $\mathbb{F}_q$  and  $M_1,\ldots,M_p$  are monomials, i.e. power products of the type  $x_1^{e_1} \cdot x_2^{e_2} \cdot \cdots x_d^{e_d}$ ,  $e_j \in \mathbb{Z}_{\geq 0}$ . To systematically manipulate the polynomials, a monomial order > (or a term order) is imposed on R such that the monomials of all polynomials are ordered according to >. Subject to >, we have that  $M_1 > M_2 > \cdots > M_p$ . Then,  $lm(f) = M_1$  denotes the leading monomial of f, and  $lt(f) = c_1M_1$  the leading term of f. Also, for  $f \in R$ , tail(f) = f - lt(f). This work employs lexicographic (lex) term orders.

*Polynomial Reduction:* Let  $F = \{f_1, \ldots, f_s\}$  be a set of polynomials in R and  $f \in R$  be another polynomial. Then  $f \xrightarrow{F}_+ r$  denotes the *reduction* of f modulo the set of polynomials F resulting in a remainder r, obtained by iteratively canceling terms in f by  $lt(f_j), f_j \in F$ , via polynomial division. The remainder r is said to be *reduced* such that no term in r is divisible by the leading term of any  $f_j \in F$ .

Algorithm 1 (Alg. 1.5.1 [1]) presents the procedure which performs polynomial reduction by iteratively canceling one monomial at a time. Along with the remainder r, the algorithm also

returns the set of quotients  $\{u_1, \ldots, u_s\}$  of division of f by  $\{f_1, \ldots, f_s\}$ , respectively, such that  $f = u_1 \cdot f_1 + \cdots + u_s \cdot f_s + r$ .

# **Algorithm 1** Multivariate Reduction of f by $F = \{f_1, \dots, f_s\}$

148

149 150

151 152

153

154

155

156

157

158 159

160

161

162

163

164 165

167

168

170

171

172

173

174

175

176

177178

179

180

181

182

183 184

185

186

187 188

189

190

191

192

193

194

195 196

```
1: procedure multi\_var\_division(f, \{f_1, ..., f_s\}, f_i \neq 0)
           u_i \leftarrow 0; \ r \leftarrow 0, \ h \leftarrow f
 2:
           while h \neq 0 do
 3:
                 if \exists j \text{ s.t. } lm(f_i) \mid lm(h) \text{ then}
 4:
                       choose j least s.t. lm(f_i) \mid lm(h)
 5:
                      u_j = u_j + \frac{lt(h)}{lt(f_j)}h = h - \frac{lt(h)}{lt(f_j)}f_j
 6:
 7:
                 else
 8:
                       r = r + lt(h)
                       h = h - lt(h)
10:
           return (\{u_1,\ldots,u_s\},r)
11:
```

Ideals and varieties: A given set of polynomials  $F = \{f_1, \ldots, f_s\}$  from R, generates the **ideal**  $J = \langle F \rangle \subseteq R$ , defined as  $J = \langle f_1, \ldots, f_s \rangle = \{h_1 \cdot f_1 + \cdots + h_s \cdot f_s \mid h_1, \ldots, h_s \in R\}$ . Polynomials  $f_1, \ldots, f_s$  form the generators or the basis of ideal J.

Let  $\mathbf{a} = (a_1, \dots, a_d) \in \mathbb{F}_q^d$  be a point in the affine space, and f a polynomial in R. If  $f(\mathbf{a}) = 0$ , we say that f vanishes on  $\mathbf{a}$ . In this work, we have to analyze the set of all common zeros of the polynomials of  $F = \{f_1, \dots, f_s\}$  that lie within the field  $\mathbb{F}_q$  - i.e. the set of all point  $\mathbf{a} \in \mathbb{F}_q^d$  such that  $f_1(\mathbf{a}) = \dots = f_s(\mathbf{a}) = 0$ . This zero set is called the **variety**, which depends not just on the given set of polynomials in F, but rather on the ideal generated by polynomials. We denote it by V(J), where:  $V(J) = V_{\mathbb{F}_q}(J) = V_{\mathbb{F}_q}(f_1, \dots, f_s) = \{\mathbf{a} \in \mathbb{F}_q^d : \forall f \in J, f(\mathbf{a}) = 0\}.$ 

An ideal may have many different sets of generators such that their varieties are the same. A *Gröbner basis* (GB) is one such generating set with special properties that allows to solve many polynomial decision and quantification problems.

DEFINITION 2.1. [Gröbner Basis] [1]: For a monomial ordering >, a set of non-zero polynomials  $G = \{g_1, g_2, \dots, g_t\}$  contained in an ideal J, is called a Gröbner Basis (GB) of  $J \iff \forall f \in J$ ,  $f \xrightarrow{g_1, \dots, g_t} \downarrow 0$ .

A polynomial f is a member of ideal J iff division of f by GB(J) gives the remainder 0. If  $f \notin J$ , then division by GB(J),  $f \xrightarrow{GB(J)}_+ r$ , results in a non-zero remainder r that is unique. A Gröbner basis can be computed using Buchberger's algorithm (cf. Alg. 1.7.1 in [1]). A Gröbner basis can be further reduced. A reduced Gröbner basis (redGB) is canonical representation of the ideal J.

DEFINITION 2.2. [Reduced Gröbner Basis]: A redGB for a polynomial ideal J is a GB  $G = \{g_1, \ldots, g_t\}$  such that:

- $lc(g_i) = 1, \forall g_i \in G$
- $\forall g_i \in G$ , no monomial of  $g_i$  lies in  $\langle lt(G \{g_i\}) \rangle$

Vanishing Polynomials: For any element  $\varphi \in \mathbb{F}_q$ ,  $\varphi^q = \varphi$  holds. Therefore, the polynomial  $x^q - x$  vanishes everywhere in  $\mathbb{F}_q$ , and we call it a vanishing polynomial. We denote by  $F_0 = \{x_1^q - x_1, \dots, x_d^q - x_d\}$  the set of all vanishing polynomials in R, and  $J_0 = \langle F_0 \rangle$  denotes the ideal of all vanishing polynomials in R. Then  $V_{\mathbb{F}_q}(J_0) = \mathbb{F}_q^d$ , and for any ideal J, we have that  $V_{\mathbb{F}_q}(J) = V_{\mathbb{F}_q}(J + J_0)$ .

Ideal-Variety Correspondences: Given two ideals  $J_1 = \langle f_1, \ldots, f_s \rangle$ ,  $J_2 = \langle h_1, \ldots, h_r \rangle$ , the **sum of ideals** is denoted as  $J_1 + J_2 = \langle f_1, \ldots, f_s, h_1, \ldots, h_r \rangle$ , their **product** is given as  $J_1 \cdot J_2 = \langle f_i \cdot h_j : 1 \leq i \leq s, 1 \leq j \leq r \rangle$ , and a **colon ideal** operation is defined as  $J_1 : J_2 = \{f \in R \mid f \cdot g \in J_1, \forall g \in J_2\}$ . Ideals and varieties are dual concepts:  $V(J_1 + J_2) = V(J_1) \cap V(J_2)$ , whereas  $V(J_1 \cdot J_2) = V(J_1) \cup V(J_2)$ . A colon ideal operation corresponds the set difference of two varieties,  $V_{\mathbb{F}_q}(J_1 : J_2) = V_{\mathbb{F}_q}(J_1) \setminus V_{\mathbb{F}_q}(J_2)$ . The complement of a variety  $V_{\mathbb{F}_q}(J_1)$  denoted  $\overline{V_{\mathbb{F}_q}(J_1)}$ , can be computed using the colon ideal with vanishing polynomials as:  $\overline{V_{\mathbb{F}_q}(J_1)} = \mathbb{F}_q^d \setminus V_{\mathbb{F}_q}(J_1) = V_{\mathbb{F}_q}(J_0) \setminus V_{\mathbb{F}_q}(J_1) = V_{\mathbb{F}_q}(J_0 : J_1)$ .

As varieties over finite fields are a finite set of points in  $\mathbb{F}_q^d$ , in this work we interpret the desired rectification functions as varieties. Thus, we use the above concepts of intersection, union, and complement of varieties to operate on functions; however, we compute them algebraically using the Gröbner bases of corresponding ideals.

The computational complexity of GB algorithm is exponential in the number of variables *d*. For efficient GB computations on polynomials derived from a circuit, [14] proposed the use of a specialized term order that exploits the topology of the circuit and renders the set of polynomials for the gates of the circuit, a Gröbner basis itself. This term order '> ' is called the *Reverse Topological Term Order (RTTO)*.

DEFINITION 2.3. [Reverse Topological Term Order] [14]: Let C be an arbitrary combinational circuit. Let  $\{x_1, \ldots, x_d\}$  denote the set of all variables (signals) in C. Starting from the primary outputs, perform a reverse topological traversal of the circuit and order the variables such that  $x_k > x_j$  if  $x_k$  appears earlier in the reverse topological order. Impose a lex term order C to represent each gate as a polynomial  $f_j$ , s.t.  $f_j = x_k + tail(f_j)$ . Then set of polynomials  $\{f_1, \ldots, f_s\}$  corresponding to the gates of the circuits is a Gröbner basis when RTTO is used for ordering.

## 2.1 Modeling Circuits with Polynomial Ideals

A multivariate polynomial f over  $\mathbb{F}_{2^n}$  is given as a *Spec*, where n is the operand word-length (data-path size). A combinational circuit C is given as its (faulty) implementation. The function implemented by C is modeled with a system of polynomials over  $R = \mathbb{F}_{2^n}[Z,A,X]$ , where  $X = \{x_1,\ldots,x_d\}$  corresponds to all the bit-level variables (nets) in the circuit. Let  $X_{PO} \subset X$ , and  $X_{PI} \subset X$  denote the set of all primary output variables, and primary input variables from C, respectively. Further,  $Z = \{z_0,\ldots,z_{n-1}\}$  and  $A = \{a_0,\ldots,a_{n-1}\}$  represent the output and input operand words of the circuit, respectively, where  $z_i \in X_{PO}$  and  $a_i \in X_{PI}$ . As C comprises Boolean logic gates, the gates are represented by polynomials (mod 2), i.e. over  $\mathbb{F}_2(\subset \mathbb{F}_{2^n})$ , using the mapping  $\mathbb{B} \mapsto \mathbb{F}_2$ :

$$z = \neg a \mapsto z + a + 1; \qquad z = a \land b \mapsto z + a \cdot b;$$
  

$$z = a \lor b \mapsto z + a + b + a \cdot b; \qquad z = a \oplus b \mapsto z + a + b;$$
(1)

Algebraically, the correspondences between the bit-level and word-level variables of the circuit are represented as:

$$f_1: Z = z_0 + \gamma \cdot z_1 + \dots + \gamma^{n-1} \cdot z_{n-1},$$
  

$$f_2: A = a_0 + \gamma \cdot a_1 + \dots + \gamma^{n-1} \cdot a_{n-1},$$
(2)

where  $P_n(\gamma) = 0$ . Since  $\mathbb{F}_2 \subset \mathbb{F}_{2^n}$ , the polynomials in Eqn. (1) can also be interpreted as polynomials over  $\mathbb{F}_{2^n}$ . Thus, the circuit is represented by a set of polynomials  $F = \{f_1, \ldots, f_s\} \subset R$ . Let  $J = \langle F \rangle$  be the ideal generated by this set. Let  $F_0 = \{x_i^2 - x_i, Y^{2^n} - Y \mid x_i \in \text{bit-level variables}, Y \in \text{word-level variables}\}$  be the set of all vanishing polynomials, and  $J_0 = \langle F_0 \rangle$  the corresponding ideal. Then, ideal  $J + J_0 = \langle F \cup F_0 \rangle$  models the functionality of  $Impl\ C$ .

One can verify the correctness of the circuit C by checking if the given Spec is implied by the ideal representing C. In other words,  $f \equiv C \iff f \xrightarrow{GB(J+J_0)} 0$  [14]. In the manuscript, we use the circuit of Fig. 1, which is borrowed from [19], as a running example to demonstrate our algebraic approach for MFR.

Example 2.1. The circuit C in Fig. 1 is a faulty implementation of a 3-bit (n=3) Mastrovito multiplier. The field  $\mathbb{F}_{2^3}$  is constructed using  $P_3(x) = x^3 + x + 1$  with  $\gamma$  as a root, i.e.  $P_3(\gamma) = 0$ . The Spec polynomial is  $f: Z + A \cdot B$ , where Z is the output word, and A, B the input words. Impose RTTO > on the polynomials, i.e. a lex term order on all polynomials with the variables of C ordered reverse topologically from POs to PIs:  $\{Z\} > \{A > B\} > \{z_0 > z_1 > z_2\} > \cdots > \{d_1 > d_2 > d_3 > r_0 > d_5 > rr_1\} > \{r_1 > rr_3 > rr_2\} > \{r_2 > r_3 > rr_4\} > \{r_4 > d_4\} > \{a_0 > a_1 > a_2 > b_0 > b_1 > b_2\}.$ 

*Under RTTO* >, the following polynomials represent C:

```
\begin{split} f_1: Z + z_0 + \gamma \cdot z_1 + \gamma^2 \cdot z_2; & f_{22}: rr_1 + rr_3 + rr_2; \\ f_2: A + a_0 + \gamma \cdot a_1 + \gamma^2 \cdot a_2; & f_{23}: r_1 + r_2 + r_3; \\ f_3: B + b_0 + \gamma \cdot b_1 + \gamma^2 \cdot b_2; & f_{26}: r_3 + r_4 + d_4; \\ & f_4: z_0 + d_0 + e_1; & f_{27}: rr_3 + rr_4 + b_2; \dots \\ & \dots & f_{30}: rr_4 + a_2 + b_2 + a_2b_2; \end{split}
```

where the polynomials  $f_{26}$ ,  $f_{27}$  correspond to the introduced bugs. Then  $F = \{f_1, \ldots, f_{30}\}$ ,  $F_0 = \{a_0^2 - a_0, \ldots, z_2^2 - z_2, A^8 - A, B^8 - B, Z^8 - Z\}$ . So, ideal  $J + J_0 = \langle F \cup F_0 \rangle$  encapsulates the function implemented by C. Computing  $f: Z + A \cdot B \xrightarrow{F, F_0} + r$  results in  $r = \gamma^2 (a_1 a_2 b_1 b_2 + a_1 a_2 b_2 + a_2 b_1 b_2) + \gamma^1 (a_1 a_2 b_1 b_2 + a_1 a_2 b_2) + \gamma^0 (a_2 b_1 b_2)$ . Since  $r \neq 0$ , the circuit is buggy.



Fig. 1. A faulty Impl of the circuit C: a 3-bit finite field multiplier (n=3) with bugs introduced at net  $r_3$  (AND gate replaced with an XOR gate and one of the inputs mis-connected to  $d_4$  instead of  $b_2$ ) and net  $rr_3$  (AND gate replaced with an XOR gate).

#### RECTIFICATION CHECK

295 296

297

298

299

300

301

302

303

304

305

306

307

308 309

310

311 312

313

314 315

316

317

318

319

320

322

324

326

328

330

331

332 333

334

335

336

337

338

339

340

341

342 343 In [19], the authors presented techniques which utilize the aforementioned polynomial ideal setup to derive the necessary and sufficient conditions for the existence of a multi-fix rectification at the given set of targets. We rephrase and restate Thm. V.1 from [19], and briefly discuss its key aspects. Subsequently, we formulate the computation of rectification functions by utilizing the outcome of their decision procedure.

THEOREM 3.1. [Multi-fix Rectification Theorem] A Spec polynomial f, a faulty Impl C represented using the ideal  $J + J_0 = \langle F \cup F_0 \rangle \subset R$ , and a set of targets  $W = (w_1, \dots, w_m) \subset \{X - X_{PI}\}$  are given. RTTO > is imposed on R. Let  $W_c = \{(0,0,..,0),...,(1,1,..,1)\}, |W_c| = 2^m$ , denote the set of all possible {0,1} assignments to targets W. This is akin to computing cofactors of the circuit functions with respect to the targets W. Each cofactor tuple  $W_c[l]$  serves as one set of assignments to m targets at their respective indexes in W. The following ideals are constructed:

```
• J_l = \langle F_l \rangle = \langle f_1, \dots, f_{w_1} : w_1 + W_c[l][1], \dots, f_{w_m} : w_m + W_c[l][m], \dots, f_s \rangle, \forall l \in 1, \dots 2^m.
```

Reduce f by  $F_l \cup F_0$  to obtain remainders  $rem_l$ :  $f \xrightarrow{F_l \cup F_0} rem_l$ , for  $1 \le l \le 2^m$ . Then, the circuit Cis rectifiable at the target set W if and only if union of varieties  $\bigcup_{l=1}^{2^m} V(rem_l) = \mathbb{F}_2^{|X_{PI}|}$ .

The above check for union of varieties can be performed as product of ideals, i.e. by checking if  $\prod_{l=1}^{2^m} rem_l \xrightarrow{\int_0} 0$ . RTTO > is known to have the property that makes the division  $f \xrightarrow{F_l \cup F_0} rem_l$ mimic gate level substitution in polynomial algebra. Thus, after reduction, all non-primary input variables in the circuit are canceled and the final remainder has only  $X_{PI}$  variables in its support.

EXAMPLE 3.1. Continuing on with the Ex. 2.1, we demonstrate the rectification check presented in [19] for  $W = (r_3, rr_3)$ .

Constructing the  $I_1$  ideals:

```
• J_1 = \langle F_1 \rangle, where F_1[f_{26}: r_3 + 0], F_1[f_{27}: rr_3 + 0], (r_3 = 0, rr_3 = 0)
```

• 
$$J_2 = \langle F_2 \rangle$$
, where  $F_2[f_{26}: r_3 + 0]$ ,  $F_2[f_{27}: rr_3 + 1]$ ,  $(r_3 = 0, rr_3 = 1)$ 

• 
$$J_3 = \langle F_3 \rangle$$
, where  $F_3[f_{26}: r_3 + 1]$ ,  $F_3[f_{27}: rr_3 + 0]$ ,  $(r_3 = 1, rr_3 = 0)$ 

•  $J_4 = \langle F_4 \rangle$ , where  $F_4[f_{26}: r_3 + 1]$ ,  $F_4[f_{27}: rr_3 + 1]$ ,  $(r_3 = 1, rr_3 = 1)$ 

Reducing the Spec  $f: Z + A \cdot B$  modulo these ideals, we get:

```
• rem_1 = f \xrightarrow{F_1 \cup F_0} (\gamma + 1)a_2b_1b_2 + (\gamma^2 + \gamma)a_2b_2
• rem_2 = f \xrightarrow{F_2 \cup F_0} (\gamma + 1)a_2b_1b_2
```

• 
$$rem_2 = f \xrightarrow{F_2 \cup F_0} (\gamma + 1)a_2b_1b_2$$

• 
$$rem_3 = f \xrightarrow{F_3 \cup F_0} (\gamma + 1)a_2b_1b_2 + a_2b_1 + (\gamma^2 + \gamma)a_2b_2$$

• 
$$rem_4 = f \xrightarrow{F_4 \cup F_0} (\gamma + 1)a_2b_1b_2 + a_2b_1$$

When we compute  $\prod_{l=1}^{2^m} rem_l \xrightarrow{J_0}$ , we obtain remainder 0, thus confirming that the target set  $W = (r_3, rr_3)$  indeed admits correction.

The concepts presented in [19] are limited to proving the existence of rectification functions. However, our investigation further reveals that their result can be extended to characterize the desired rectification functions. Intuitively, the concept can be elaborated as follows. The variety of  $rem_l$  for any l corresponds to the set of all assignments to primary inputs  $X_{Pl}$  (minterms) where the Spec f agrees with the Impl C. Thus, the condition of Thm. 3.1 implies that the union of individual varieties of  $rem_l$ 's comprises the set of all minterms where f and C evaluate the same. Thus, for every primary input assignment, there exists a cofactor tuple assignment  $W_c[l]$  to W such that f and C match. Consequently, there exists a set of functions  $U = (u_1, \dots, u_m)$  that can be computed to

rectify every error minterm. We exploit and explore this concept to compute rectification functions in the following section.

## 4 COMPUTING RECTIFICATION FUNCTIONS

For a given set of targets W, due to the presence of don't cares (DC), there may exist more than one set U of rectification functions which will rectify the circuit. In this section, we describe the notion of DC in the MFR setup which can be exploited for the simplification of rectification patches. Exploring all the DC conditions for m targets might be computationally infeasible; we present two different approaches to overcome this. First, we present an approach to compute an on- and off-set for each rectification function by heuristically resolving all the DC conditions. Following this, we present an approach to explore and compute a subset of the DC conditions, along with on- and off-sets, for each rectification function.

# 4.1 Greedy Approach for MFR

 To illustrate the greedy approach, consider the case with m = 2, where  $W_c = \{(0,0), (0,1), (1,0), (1,1)\}$ , and we must compute rectification functions  $u_1$  and  $u_2$ . For brevity, let  $V_{W_c[i]} = V(rem_i)$ , for  $1 \le i \le 2^m$ ; in this case,  $V_{(0,0)} = V(rem_1)$ ,  $V_{(0,1)} = V(rem_2)$ , and so on.

Recall that  $V_{(0,0)}$  comprises the set of points where the Impl and Spec evaluate the same for the corresponding assignments (0,0) to the targets. This implies that at these points, the rectification functions  $u_1$  and  $u_2$  should evaluate to 0. Table 1 shows the required evaluations of  $u_1$  and  $u_2$  for the points in each variety, following the same reasoning. The on-set of the rectification function for a target corresponds to the union of the varieties (sets) where the function evaluates to 1, and the off-set corresponds to the union of the varieties (sets) where the function evaluates to 0. In this case, the on-set of  $u_1$  consists of the set of points in  $V_{(1,0)} \cup V_{(1,1)}$ , and the off-set of  $u_1$  consists of the set of points in  $V_{(0,0)} \cup V_{(0,1)}$ . Similarly, the on-set and off-set of  $u_2$  consists of the points in  $V_{(0,1)} \cup V_{(1,1)}$  and  $V_{(0,0)} \cup V_{(1,0)}$ , respectively. The functions  $u_1$  and  $u_2$  could be synthesized using these on- and off-sets.

Table 1. Function evaluations

| Variety     | $u_1$ | $u_2$ |
|-------------|-------|-------|
| $V_{(0,0)}$ | 0     | 0     |
| $V_{(0,1)}$ | 0     | 1     |
| $V_{(1,0)}$ | 1     | 0     |
| $V_{(1,1)}$ | 1     | 1     |

However, the above argument is only correct when  $V_{(0,0)}$ ,  $V_{(0,1)}$ ,  $V_{(1,0)}$ ,  $V_{(1,1)}$  are pairwise disjoint, which may not be true in practice. For example, for a point contained in  $V_{(0,0)} \cap V_{(0,1)}$ ,  $(u_1, u_2)$  must evaluate either to (0,0), or to (0,1) in order for the Impl to evaluate to the same value as the Spec; this point would be in both the on- and off-set of  $u_2$  in the method previously described. A decision procedure is necessary to determine the evaluation of  $(u_1, u_2)$  at these intersections. We present a greedy approach which resolves such ambiguities by imposing an order on the sets. An example of our greedy approach to evaluate  $(u_1, u_2)$  for an order  $V_{(0,0)} > V_{(0,1)} > V_{(1,0)} > V_{(1,1)}$  is as follows:

First, we place all the points from  $V_{(0,0)}$  into the off-sets of  $(u_1, u_2)$ . Next, we place all the points from  $V_{(0,1)} \setminus V_{(0,0)}$  into the off-set of  $u_1$  and the on-set of  $u_2$ . We perform the set difference to avoid placing the points in  $V_{(0,0)} \cap V_{(0,1)}$  into both the on-set and off-set of  $u_2$ . Next, we place all the points from  $V_{(1,0)} \setminus (V_{(0,0)} \cup V_{(0,1)})$  into the on-set of  $u_1$ , and the off-set of  $u_2$ . Finally, we place the

remaining points from  $V_{(1,1)} \setminus (V_{(0,0)} \cup V_{(0,1)} \cup V_{(1,0)})$  into the on-set of  $(u_1, u_2)$ . The resulting onand off-sets for  $u_1$  and  $u_2$  are shown below.

$$\begin{split} &V(u_{1_{on}}) = (V_{(1,1)} \setminus (V_{(0,0)} \cup V_{(0,1)} \cup V_{(1,0)})) \cup (V_{(1,0)} \setminus (V_{(0,0)} \cup V_{(0,1)})) \\ &V(u_{1_{off}}) = (V_{(0,0)}) \cup (V_{(0,1)} \setminus V_{(0,0)}) \\ &V(u_{2_{on}}) = (V_{(0,1)} \setminus V_{(0,0)}) \cup (V_{(1,1)} \setminus (V_{(0,0)} \cup V_{(0,1)} \cup V_{(1,0)})) \\ &V(u_{2_{off}}) = (V_{(0,0)}) \cup (V_{(1,0)} \setminus (V_{(0,0)} \cup V_{(0,1)})) \end{split}$$

This approach with the given order greedily places points into the off-sets of the rectification functions  $(u_1, u_2)$  where possible, and only places points into the on-sets of the rectification functions when necessary. Subject to the given order, the on-sets of the rectification functions are thus minimized. For the experiments in this paper, we always use the order  $V_{W_c[i]} > V_{W_c[j]}$  for i < j, as in the above example, though any order would yield valid rectification functions.

Generalizing our greedy approach for *m* targets, we first construct the following composite sets (varieties):

$$S_{l} = \begin{cases} V_{W_{c}[1]}, & \text{if } l = 1\\ V_{W_{c}[l]} \setminus (\bigcup_{j=1}^{l-1} V_{W_{c}[j]}), & 2 \le l \le 2^{m} \end{cases}$$
(3)

The resulting on-set and off-set functions for each target *i*, where  $1 \le i \le m$  are:

$$V(u_{i_{on}}) = \bigcup S_l, \ \forall l \mid W_c[l][i] = 1$$

$$V(u_{i_{off}}) = \bigcup S_l, \ \forall l \mid W_c[l][i] = 0$$

$$(4)$$

#### 4.2 Don't Care Conditions for MFR

 Let  $U_d \subseteq U$  denote a subset of the target rectification functions. We are interested in the DC conditions which arise for these functions at points where they may evaluate to any value, for some fixed evaluation of the remaining functions in the set  $\{U \setminus U_d\}$ . For example, consider a point in  $V_{(0,0)} \cap V_{(0,1)}$  for a circuit with two targets. As discussed previously,  $u_1$  must evaluate to 0 at this point, but  $U_d = \{u_2\}$  may evaluate either to 0 or to 1, so this is a DC point for  $u_2$ .

Not every intersection of varieties yields DC points which follow the conditions described above. Consider a point in  $V_{(0,0)} \cap V_{(1,1)}$ . Here,  $(u_1,u_2)$  must evaluate either to (0,0) or to (1,1). If this point were assigned to the DC set of  $u_2$ , for example, the Spec and Impl would only evaluate the same if  $u_1$  evaluated to the same value as  $u_2$ . Thus,  $u_1$  would become a function of  $u_2$  at this point. This point cannot be placed into the on-set, off-set, or DC-set of  $u_1$  before  $u_2$  is evaluated. To avoid inter-dependencies between the rectification functions, we do not classify points in such intersections as DC points. We rely on our greedy heuristic to evaluate these points.

Finally, consider a point in  $V_{(0,0)} \cap V_{(0,1)} \cap V_{(1,0)}$ . This point cannot be a DC point for both targets simultaneously since the evaluation (1,1) here will result in an incorrect rectification function. However, because  $V_{(0,0)} \cap V_{(0,1)} \cap V_{(1,0)} \subset V_{(0,0)} \cap V_{(0,1)}$ , we could treat this point as a DC point for  $u_2$  and evaluate  $u_1$  to 0. Alternatively, because  $V_{(0,0)} \cap V_{(0,1)} \cap V_{(1,0)} \subset V_{(0,0)} \cap V_{(1,0)}$ , we could treat this point as a DC point for  $u_1$  and evaluate  $u_2$  to 0. Thus, we have a choice to place this point in the DC-set of either targets, but not both.

Finding every intersection containing DC points for every target can be very expensive for circuits with more than a few targets. We therefore propose an approach to compute a subset of the DC points by considering only the set of pairwise intersections of varieties which contain DC points for exactly one target, denoted as  $DC_{pair}$ .

Let  $d(W_c[j], W_c[k])$  denote the Hamming distance between the cofactor tuples  $W_c[j]$  and  $W_c[k]$ . We compute the set of varieties which contain DC points for one target, denoted  $DC_{pair}$ , from the equation below, where  $1 \le j, k \le 2^m$ .

$$DC_{pair} = \{V_{W_c[j]} \cap V_{W_c[k]} \mid d(W_c[j], W_c[k]) = 1\}$$
(5)

Since the Hamming distance d=1 between the cofactor tuples  $W_c[j]$  and  $W_c[k]$  for each intersection of varieties in  $DC_{pair}$ , exactly one rectification function may evaluate either to 0 or to 1. The remaining rectification functions require fixed evaluations of 1 or 0. Therefore, each intersection of varieties in  $DC_{pair}$  yields DC points for exactly one rectification function in U, and either on- or off-set points for the remaining rectification functions in U. We use  $DC_{pair}$  to compute the DC points for each rectification function, as described in the next section.

4.2.1 Computing Rectification Functions with Don't Cares. Once the set  $DC_{pair}$  has been found, a few steps remain to compute the on-, off-, and don't-care sets for each target. First, we follow an approach identical to the greedy approach to evaluate points not located inside  $DC_{pair}$ . We construct new composite sets  $S_l^d$  for  $1 \le l \le 2^m$ , which are identical to the composite sets (varieties) created for the previous approach, except that all the points from  $DC_{pair}$  set are removed.

$$S_{l}^{d} = \begin{cases} V_{W_{c}[1]} \setminus DC_{pair}, & \text{if } l = 1\\ V_{W_{c}[l]} \setminus ((\bigcup_{j=1}^{l-1} V_{W_{c}[j]}) \cup DC_{pair}), & 2 \le l \le 2^{m} \end{cases}$$
 (6)

Points in these composite sets are assigned to the on- and off-set for each rectification function in the same way as Eqn. (4), substituting  $S_l$  with  $S_l^d$ .

Next, we must evaluate points within  $DC_{pair}$  as on-, off-, or DC points for each rectification function. We select the first pairwise intersection of varieties in  $DC_{pair}$  and assign the points according to the cofactor tuples, as described previously. Since the intersections within  $DC_{pair}$  may not be disjoint, we then take the next pairwise intersection, remove the points from the first intersection which have already been assigned, then assign these points according to the cofactor tuples. We continue this for each subsequent intersection of varieties from  $DC_{pair}$ , remembering to remove all previously assigned points at each step.

For example, for a circuit with two targets,  $DC_{pair} = \{V_{(0,0)} \cap V_{(0,1)}, V_{(0,0)} \cap V_{(1,0)}, V_{(0,1)} \cap V_{(1,1)}, V_{(1,0)} \cap V_{(1,1)}\}$ . We place the points in  $V_{(0,0)} \cap V_{(0,1)}$  into the off-set of  $u_1$  and the DC set of  $u_2$ . We then place the points in  $V_{(0,0)} \cap V_{(1,0)} \setminus V_{(0,0)} \cap V_{(0,1)}$  into the DC set of  $u_1$  and the off-set of  $u_2$ . We place points in  $V_{(0,1)} \cap V_{(1,1)} \setminus ((V_{(0,0)} \cap V_{(0,1)}) \cup (V_{(0,0)} \cap V_{(1,0)}))$  into the DC set of  $u_1$  and the on-set of  $u_2$ . Finally, we place points in  $V_{(1,0)} \cap V_{(1,1)} \setminus ((V_{(0,0)} \cap V_{(0,1)}) \cup (V_{(0,0)} \cap V_{(1,0)}) \cup (V_{(0,1)} \cap V_{(1,1)}))$  into the on-set of  $u_1$  and the DC set of  $u_2$ . Following this approach, we calculate on- off- and DC sets for each rectification function.

# 4.3 Synthesizing Rectification Functions

 The above techniques show how to construct a rectification function by reasoning about the varieties of  $rem_l$ . However, algebraically, we compute these functions using their corresponding ideals. Specifically, we show how the remainders computed in Thm. 3.1 can be utilized for rectification function computation. Even though the remainders  $rem_l$  have coefficients in  $\mathbb{F}_{2^n}$  (higher field), their varieties are in  $\mathbb{F}_{2^n}^{|X_{PI}|}$  as they correspond to bit-level assignments to  $X_{PI}$ . However, in [9], it was shown that it is a property of such ideals ( $\langle rem_l, J_0 \rangle$ ) that their reduced Gröbner bases (Def. 2.2) have coefficients only in  $\mathbb{F}_2$ . Further, it was shown that, given an ideal I with coefficients in  $\mathbb{F}_2$  with generators  $\{g_1, \ldots, g_t\}$ , a polynomial p can always be constructed as  $p = (1+g_1)(1+g_2) \ldots (1+g_t)+1$ ,

such that V(p) = V(I). Consequently, the rectification function operations are restricted to algebraic computations in  $\mathbb{F}_2[X_{PI}] \equiv \mathbb{B}$ .

To compute the patch  $u_i$ , we perform the following steps:

- Compute reduced Gröbner bases of ⟨rem<sub>l</sub>, J<sub>0</sub>⟩.
- Construct a singleton polynomial p such that  $V(p) = V(\langle rem_l, J_0 \rangle)$ .
- Impose an order on the sets for  $DC_{pair}$  and composite set computations.
- Compute  $DC_{pair}$  using Eqn. (5), and then obtain the composite sets in Eqn. (6) which are then assigned to DC-, on- and off-sets of the rectification functions (Sec. 4.2).
- In order to perform the variety union, intersection, and difference operations, we use ideal product, sum, and colon operations, respectively, on the singleton polynomial *p* representation of the ideal.
- The above procedure delivers  $u_{i_{DC}}$  and  $u_{i_{on}}$  as singleton polynomials in  $\mathbb{F}_2[X_{PI}]$ . Translate  $u_{i_{DC}}$  and  $u_{i_{on}}$  into Boolean functions by interpreting the product, sum, and '+1' as Boolean AND, XOR, and INV gates, respectively. Optimize the on-set  $u_{i_{on}}$  w.r.t. to the DC-set  $u_{i_{DC}}$ .

Example 4.1. Continuing with Ex. 3.1:

- $rem_3 = (\gamma + 1)a_2b_1b_2 + a_2b_1 + (\gamma^2 + \gamma)a_2b_2$
- $redGB(\langle rem_3, J_0 \rangle) = \{a_2b_1, a_2b_2\}$
- $p_{rem_3} = (1 + a_2b_1) * (1 + a_2b_2) + 1 = a_2b_1b_2 + a_2b_1 + a_2b_2$ -  $Here, V(p_{rem_3}) = V(\langle rem_3, J_0 \rangle)$
- Similarly, polynomials  $p_{rem_l}$  for each  $rem_l$  can be computed.

The rectification polynomials for the targets  $(r_3, rr_3)$  computed using the greedy approach (Sec. 4.1)

$$u_{1on} = a_2b_1b_2;$$
  $u_{1off} = a_2b_1b_2 + 1;$   $r_3 = u_{1patch} = (a_2 \wedge b_1 \wedge b_2);$   $u_{2on} = a_2b_2;$   $u_{2off} = a_2b_2 + 1;$   $rr_3 = u_{2patch} = (a_2 \wedge b_2).$ 

The rectification polynomials for the targets  $(r_3, rr_3)$  computed using the on-set and don't care simplification (Sec. 4.2.1)

$$\begin{array}{ll} u_{1_{dc}} = a_2b_1b_2 + a_2b_2; & u_{1_{on}} = a_2b_1b_2; & r_3 = u_{1_{patch}} = a_2 \wedge b_2; \\ u_{2_{dc}} = a_2b_2 + 1; & u_{2_{on}} = a_2b_2; & rr_3 = u_{2_{patch}} = 1. \end{array}$$

The techniques described in rectification check and function computation predominantly involve Gröbner basis computations and polynomial reductions. Despite avoiding the GB computation can be especially prohibitive when applied to circuits with large size operands. Hence, there is a need for efficient representation and to overcome the infeasibility of these operations using conventional computer algebra tools.

to overcome this complexity. As the GB algorithms are employed to compute rectification function patches via CI on the circuit, we analyze the circuit and its topology to derive specific information which we use to efficiently guide the computation of patches. Moreover, we further show how this information can be effectively utilized by our ZDD based algorithms to compute rectification patches. By combining our theories and algorithms we can explore the space of all possible rectification functions through their ON-set, OFF-set and DC-set of corresponding Boolean functions.

## 5 IMPROVING RECTIFICATION SETUP EFFICIENCY USING ZDDS

Taking inspiration from [10], we utilize PolyBori's [4] reduction procedure with ZDDs [16, 17] as the underlying data structure to improve our proposed approach. PolyBori proposed the use of ZDDs to compute Gröbner bases for Boolean polynomials. PolyBori is a generic Boolean GB

Table 2. Time is in seconds; I = Benchmark Index, n = Datapath Size, m = target word size, AM = Maximum resident memory utilization in Mega Bytes (Average across benchmarks),  $\#G = \text{Number of gates} \times 10^3$ ,  $\#G = \text{Number of gates} \times 10^3$ , #G = Number of faulty outputs, #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for verification, #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for verification, #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for verification, #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for verification, #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for verification, #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for verification, #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection), #G = Required time for PolyBori setup (ring declaration/poly collection/spec collection)

| Mastrovito |     |   |      |      |     |      |      |     | Montg | omery |     | Point Addition |      |     |      |      |     |      |      |     |     |
|------------|-----|---|------|------|-----|------|------|-----|-------|-------|-----|----------------|------|-----|------|------|-----|------|------|-----|-----|
| Ι          | n   | m | AM   | #G   | #BO | PBS  | RC   | GFC | DFC   | #G    | #BO | PBS            | RC   | GFC | DFC  | #G   | #BO | PBS  | RC   | GFC | DFC |
| 1          | 16  | 5 | 100  | 0.8  | 6   | 0.05 | 0.01 | 1.7 | 4.7   | 0.9   | 16  | 0.05           | 0.44 | 190 | 277* | 0.9  | 7   | 0.07 | 0.02 | 6.6 | 20  |
| 2          | 32  | 5 | 120  | 2.8  | 8   | 0.14 | 0.02 | 2   | 8     | 2.8   | 32  | 0.16           | 0.1  | 114 | 180* | 2.9  | 13  | 0.2  | 0.06 | 36  | 85* |
| 3          | 64  | 3 | 160  | 11.2 | 5   | 0.61 | 3.59 | 5   | 15    | 9.6   | 47  | 0.53           | 0.14 | 7   | 14   | 10.6 | 64  | 0.8  | 0.18 | 10  | 35  |
| 4          | 96  | 2 | 240  | 24.5 | 5   | 1.45 | 0.12 | 0.4 | 0.7   | 21    | 96  | 1.35           | 3.14 | 87  | 111* | 24.8 | 96  | 2.53 | 0.5  | 7.7 | 90  |
| 5          | 128 | 2 | 370  | 43.2 | 5   | 3.23 | 0.24 | 0.8 | 1.2   | 35.8  | 128 | 2.92           | 2.06 | 28  | 393* | 43.2 | 128 | 6.42 | 4.38 | 49  | 62* |
| 6          | 163 | 5 | 550  | 69.8 | 6   | 6.21 | 0.4  | 4.4 | 7.7   | 57.5  | 128 | 5.38           | 1.53 | 131 | 220* | 71.6 | 22  | 15.9 | 1.53 | 3.2 | 8   |
| 7          | 233 | 2 | 750  | 119  | 3   | 12.7 | 0.66 | 0.3 | 1.7   | 112   | 233 | 12.6           | 2.69 | 6   | 40   | 122  | 233 | 19.7 | 1.44 | 6.4 | 32  |
| 8          | 409 | 2 | 2400 | 384  | 2   | 190  | 2.22 | 0.3 | 9     | 340   | 409 | 136            | 6.15 | 2.7 | 5.2  | 368  | 409 | 224  | 5.3  | 7.7 | 8*  |
| 9          | 571 | 2 | 5000 | 827  | 5   | 2143 | 5.96 | 0.3 | 26    | 663   | 427 | 1386           | 49   | 1.6 | 30   | 813  | 5   | 2492 | 13.2 | 1.2 | 20  |

computational engine that caters to many permissible term orders. Its division algorithm is also generally based on the conventional concept of canceling one monomial in every step of reduction. In contrast, our algorithms are tailored for GB-reduction under the RTTO > . The efficiency of our approach stems from the observation that the RTTO > imposes a special structure on the ZDDs, which allows for multiple monomials to be canceled in one division-step, along with simplifying the search for divisors. The efficiency is derived by treating the polynomials as unate cube sets and checking isomorphism between the implementation and specification graphs. We reason about the presence or absence of solutions and other properties of a system of polynomials without explicitly solving them. The Boolean values of the nets of a circuit for all possible input assignments is a set of points, which can be construed as solutions to a set of polynomials. We further improve upon the rectification approach by exploiting the circuit topology and ZDD based GB reductions.

## **6 EXPERIMENTAL RESULTS**

 The benchmark suit includes two modular multipliers (Mastrovito and Montgomery), and a circuit that performs Point Addition over NIST standard Elliptic curves. These benchmarks are taken from [14] and synthesized using the abc tool with a gate library comprising two input gates. Table 2 presents the results of our approach when performing MFR against their respective polynomial specifications. We introduce bugs by means of gate and wiring modifications in the synthesized netlists such that multiple output bits are affected in the design (column #BO). We introduce multiple such modifications at various topological levels: some closer to PIs, some in the middle of the circuit, and some near POs. In our experiments, the number of targets is chosen from  $m = \{2, 3, 5\}$ . Our approach isn't limited by this set m and can perform MFR for any given number of targets.

Our approach is implemented as a custom software in Python programming language. We use PolyBori's [4] ZDD based API to implement the division,  $f \xrightarrow{F_l' \cup F_0'} rem_l$ ,  $1 \le l \le 2^m$ . Subsequently, the remainders generated from these divisions are utilized in the decision procedure, as well as the function computations. Further, we use sis [22] and abc [3] to perform logic optimization and synthesis. Specifically, in sis we run a script to perform  $kernel\ extraction$  and  $full\ simplify$  to optimize the rectification functions computed in Sec.4.2. We use abc to perform  $structural\ hashing,\ balancing,\ refactoring,\ rewriting,\ etc.$  Finally, we map the computed functions using a library of AND-XOR-INV gates and extract the synthesis results for area and delay. The experiments are performed on a 3.5GHz Intel(R) Core<sup>TM</sup> i7-4770K Quad-Core CPU with 32 GB RAM.

Table 2 presents the characteristics of the benchmark suit and the execution time for the computations using our approach. Column PBS denotes the time taken to build the respective ZDD

 models (commensurates with the operand word-length n). Execution time for rectification check (RC) and function computation (GFC and DFC) depend on various factors such as: i) the number of bugs; ii) the number of targets; iii) location of the bugs; iv) location of the targets; v) the number of affected outputs; and vi) size of the patch function being computed in terms of number of gates. Collectively, these factors decide the size of the remainder  $rem_l$ , and the number of remainders l. We omit the comparison with the contemporary approaches as they fail (timeout = 3 hrs) to rectify circuits beyond 16-bits, which is the smallest benchmark from our results table.

Table 3 presents the synthesis results post *abc* mapping for GFC and DFC approaches in terms of area (number of gates) and the longest topological delay. The asterisk (\*) in the DFC columns denotes the cases where *full simplify* (*sis*) fails to utilize the pairwise intersection don't care network for the on-set function simplification. In these cases, *sis* aborts simplification as the BDD size exceeds 480,000 nodes. For these entries, the patch functions are synthesized using *abc* which ignores the don't care network. The time taken for GFC is less than the time taken for DFC computations. However, synthesis results computed using DFC where *sis* completed simplification successfully are of better quality than the one computed using GFC for most of the cases.

Table 3. Synthesis results for mapped patch network; I = Benchmark Index, GFC = Greedy function computation, DFC-on = Function computation with don't care optimization of on-set, DFC-off = Function computation with don't care optimization of complement of off-set, A = Area in terms of number of gates, D = Longest delay

|   |      | Mastro             | vito |    |            |   | Montgom | Point Addition |        |       |     |   |       |         |        |     |   |   |
|---|------|--------------------|------|----|------------|---|---------|----------------|--------|-------|-----|---|-------|---------|--------|-----|---|---|
|   | GF   | GFC DFC-on DFC-off |      |    | GFC DFC-or |   |         | on             | DF     | C-off | GFC | 2 | DFC-  | DFC-off |        |     |   |   |
| I | A    | D                  | A    | D  | A          | D | A       | D              | A      | D     | A   | D | A     | D       | A      | D   | A | D |
| 1 | 19   | 3                  | 17   | 3  |            |   | 27788   | 50             | 27941* | 62*   |     |   | 761   | 40      | 265    | 12  |   |   |
| 2 | 34   | 5                  | 35   | 4  |            |   | 19340   | 65             | 19384* | 57*   |     |   | 8882  | 69      | 9063*  | 60* |   |   |
| 3 | 1675 | 29                 | 1577 | 46 |            |   | 1511    | 30             | 560    | 18    |     |   | 3040  | 32      | 3733   | 41  |   |   |
| 4 | 86   | 11                 | 21   | 5  |            |   | 55085   | 50             | 55568* | 52*   |     |   | 6642  | 89      | 6193   | 70  |   |   |
| 5 | 283  | 21                 | 103  | 12 |            |   | 25819   | 44             | 26744* | 35*   |     |   | 27544 | 36      | 27289* | 35* |   |   |
| 6 | 222  | 17                 | 99   | 7  |            |   | 27035   | 68             | 27409* | 61*   |     |   | 66    | 8       | 39     | 7   |   |   |
| 7 | 9    | 4                  | 9    | 4  |            |   | 8094    | 25             | 4948   | 28    |     |   | 4345  | 30      | 5169   | 34  |   |   |
| 8 | 16   | 4                  | 11   | 4  |            |   | 844     | 13             | 4      | 2     |     |   | 2707  | 24      | 2611*  | 23* |   |   |
| 9 | 21   | 7                  | 18   | 6  |            |   | 299     | 19             | 287    | 19    |     |   | 622   | 22      | 210    | 16  |   |   |

#### 7 CONCLUSION

This paper presents an automated symbolic computer algebra approach to perform MFR of faulty finite field arithmetic circuits at a given set of targets. Our approach reasons about the rectification functions by means of algebraic varieties in finite fields, and computes these functions using Gröbner bases of ideals corresponding to the circuit. We present two MFR approaches, a heuristic which greedily tries to resolve the rectification functions for the targets, and a variety intersection heuristic that explores a subset of don't cares condition for the target functions. Our approach is able to compute rectification functions for circuits with large (NIST-standard) operand widths n. As part of future work, we are working on function computation in terms of internal nets. Further, we are also investigating the extension of this approach to integer arithmetic circuits.

## REFERENCES

- [1] W. W. Adams and P. Loustaunau. 1994. An Introduction to Gröbner Bases. American Mathematical Society.
- [2] E. Biham, Y. Carmeli, and A. Shamir. 2008. Bug Attacks. In Proceedings on Advances in Cryptology. 221-240.
- [3] Robert Brayton and Alan Mishchenko. 2010. ABC: An Academic Industrial-strength Verification Tool. In *Computer Aided Verification (CAV)*. Springer, 24–40.

[4] M. Brickenstein and A. Dreyer. 2009. PolyBoRi: A framework for Gröbner-basis computations with Boolean polynomials.
 Journal of Symbolic Computation 44 (2009), 1326–1345.

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

657

659

665

667

669

670

671

673

674

675

676 677

679

681

683

685 686

- [5] Ai Quoc Dao, Nian-Ze Lee, Li-Cheng Chen, Mark Po-Hung Lin, Jie-Hong R. Jiang, Alan Mishchenko, and Robert Brayton. 2018. Efficient Computation of ECO Patch Functions. In Design Automation Conference (DAC). ACM, 51:1–51:6.
- [6] F. Farahmandi and P. Mishra. 2017. Automated Debugging of Arithmetic Circuits Using Incremental Gröbner Basis Reduction. In International Conference on Computer Design (ICCD). 193–200.
- [7] A. M. Gharehbaghi and M. Fujita. 2017. A new approach for selecting inputs of logic functions during debug. In International Symposium on Quality Electronic Design (ISQED). 166–173.
- [8] K. Gitina, S. Reimer, M. Sauer, R. Wimmer, C. Scholl, and B. Becker. 2013. Equivalence Checking of Partial Designs Using Dependency Quantified Boolean Formulae. In IEEE International Conference on Computer Design (ICCD). 396–403.
- [9] U. Gupta, I. Ilioaea, V. Rao, A. Srinath, P. Kalla, and F. Enescu. 2018. On the Rectifiability of Arithmetic Circuits using Craig Interpolants in Finite Fields. In *International Conference on Very Large Scale Integration (VLSI-Soc)*. 49–54.
- [10] Utkarsh Gupta, Priyank Kalla, and Vikas Rao. 2019. Boolean Gröbner Basis Reductions on Finite Field Datapath Circuits Using the Unate Cube Set Algebra. IEEE Trans. CAD (TCAD) (2019).
- [11] Y. Kimura, A. M. Gharehbaghi, and M. Fujita. 2019. Signal Selection Methods for Efficient Multi-Target Correction. In IEEE International Symposium on Circuits and Systems (ISCAS). 1–5.
- [12] V. N. Kravets, N. Lee, and J. R. Jiang. 2019. Comprehensive Search for ECO Rectification Using Symbolic Sampling. In Design Automation Conference (DAC). 1–6.
- [13] C. C. Lin, K. C. Chen, S. C. Chang, and M. Marek-Sadowska. 1995. Logic Synthesis for Engineering Change. In Proc. Design Automation Conf. (DAC). 647–652.
- [14] J. Lv, P. Kalla, and F. Enescu. 2013. Efficient Gröbner Basis Reductions for Formal Verification of Galois Field Arithmetic Circuits. In IEEE Trans. on CAD (TCAD). 1409–1420.
- [15] Alireza Mahzoon, Daniel Große, and Rolf Drechsler. 2018. Combining Symbolic Computer Algebra and Boolean Satisfiability for Automatic Debugging and Fixing of Complex Multipliers. In IEEE Computer Society Annual Symposium on VLSI (ISVLSI). 351–356.
- [16] Shin-ichi Minato. 1993. Zero-suppressed BDDs for Set Manipulation in Combinatorial Problems. In Design Automation Conference (DAC). 272–277.
- [17] Shin-ichi Minato. 1994. Calculation of Unate Cube Set Algebra Using Zero-suppressed BDDs. In Design Automation Conference (DAC). 420–424.
- [18] V. Rao, U. Gupta, A. Srinath, I. Ilioaea, P. Kalla, and F. Enescu. 2018. Post-Verification Debugging and Rectification of Finite Field Arithmetic Circuits using Computer Algebra Techniques. In Formal Methods in Computer-Aided Design (FMCAD). 1–9.
- [19] V. Rao, I. Ilioaea, H. Ondricek, P. Kalla, and F. Enescu. 2021. Word-Level Multi-Fix Rectifiability of Finite Field Arithmetic Circuits. In *International Symposium on Quality Electronic Design (ISQED)*. To Appear.
- [20] V. Rao, H. Ondricek, P. Kalla, and F. Enescu. 2021. Computing Rectification Functions for Finite Field Arithmetic Circuits using Computer Algebra Techniques. In ACM Great Lakes Symposium on VLSI (GLSVLSI). To Appear.
- [21] C. Scholl and B. Becker. 2001. Checking Equivalence for Partial Implementations. In *Design Automation Conference* (*DAC*).
- [22] E. Sentovich et al. 1992. SIS: A System for Sequential Circuit Synthesis. Technical Report UCB/ERL M92/41. ERL, Dept. of EECS, Univ. of California, Berkeley.
- [23] A. Smith, A. Veneris, M. F. Ali, and A. Viglas. 2005. Fault Diagnosis and Logic Debugging using Boolean Satisfiability. *IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems* (2005).
- [24] K. F. Tang, P. K. Huang, C. N. Chou, and C. Y. Huang. 2012. Multi-patch Generation for Multi-error Logic Rectification by Interpolation with Cofactor Reduction. In Design, Automation Test in Europe Conference Exhibition (DATE). 1567–1572.
- [25] H. T. Zhang and J. H. R. Jiang. 2018. Cost-Aware Patch Generation for Multi-Target Function Rectification of Engineering Change Orders. In Design Automation Conference (DAC). 1–6.