SAT, COMPUTER ALGEBRA, MULTIPLIERS
Armin Biere, joint work with Daniela Kaufmann and Manuel Kauers
6th Vampire Workshop
Lisbon, Portugal, July 7, 2019
Multiplication (schoolbook, decimal)

      1 3 · 1 5
      ---------
          6 5      (13 · 5)
      1 3 0        (13 · 10)
      ---------
      1 9 5
Binary multiplication

      1 1 0 1 · 1 1 1 1
      -----------------
                1 1 0 1
              1 1 0 1
            1 1 0 1
          1 1 0 1
      -----------------
      1 1 0 0 0 0 1 1          13 · 15 = 195
Example: 2 Bit - Binary Multiplication

      1 1 · 1 1
      ---------
          1 1
        1 1
      ---------
      1 0 0 1          3 · 3 = 9

[Figure: the 2-bit multiplier built from AND and XOR gates, evaluated on the inputs 11 · 11; every partial product is 1 and the outputs read 1001]

AND gate              XOR gate
 f  g | y              f  g | y
 0  0 | 0              0  0 | 0
 0  1 | 0              0  1 | 1
 1  0 | 0              1  0 | 1
 1  1 | 1              1  1 | 0
Motivation & Solving Techniques

Given: Gate-level multiplier for fixed bit-width n.
Question: For all possible ai, bi ∈ B:
    (2a1 + a0) ∗ (2b1 + b0) = 8s3 + 4s2 + 2s1 + s0 ?

Solving Techniques
  - SAT using CNF encoding
  - Binary Moment Diagrams (BMD)
  - Algebraic reasoning

[Figure: 2-bit gate-level multiplier with partial products a1b1, a0b1, a1b0, a0b0, internal gates g1, g2, g3, g4 and outputs s0, s1, s2, s3]
Previous Work

SAT using CNF encoding
  - A. Biere. Weakness of CDCL solvers. SAT Solving Workshop, 2016.
  - P. Beame and V. Liew. Towards verifying nonlinear integer arithmetic. In CAV, 2017.

Binary moment diagrams
  - Y.-A. Chen and R.E. Bryant. Verification of arithmetic circuits with binary moment diagrams. In DAC, 1995.

Algebraic reasoning
  - O. Wienand, M. Wedler, D. Stoffel, W. Kunz, and G.-M. Greuel. An algebraic approach for proving data correctness in arithmetic data paths. In CAV, 2008.
  - J. Lv, P. Kalla, and F. Enescu. Efficient Gröbner basis reductions for formal verification of Galois field arithmetic circuits. In IEEE TCAD, 2013.
  - C. Yu, W. Brown, D. Liu, A. Rossi, and M. Ciesielski. Formal verification of arithmetic circuits by function extraction. In IEEE TCAD, 2016.
  - A.A.R. Sayed-Ahmed, D. Große, U. Kühne, M. Soeken, and R. Drechsler. Formal verification of integer multipliers by combining Gröbner basis with logic reduction. In DATE, 2016.

Recent Work
  - D. Ritirc, A. Biere, and M. Kauers. Column-wise verification of multipliers using computer algebra. In FMCAD'17.
  - D. Ritirc, A. Biere, and M. Kauers. A Practical Polynomial Calculus for Arithmetic Circuit Verification. In 3rd International Workshop on Satisfiability Checking and Symbolic Computation (SC2'18). CEUR-WS, 2018.
  - D. Kaufmann, A. Biere, and M. Kauers. Incremental Column-wise verification of arithmetic circuits using computer algebra. FMSD, Feb 2019.
  - D. Kaufmann, M. Kauers, A. Biere, and D. Cok. Arithmetic Verification Problems Submitted to the SAT Race 2019. In Proc. of SAT Race 2019, 2019.
  - D. Kaufmann, A. Biere, and M. Kauers. Verifying Large Multipliers by Combining SAT and Computer Algebra. In FMCAD'19.
  - M. Ciesielski, T. Su, A. Yasin, and C. Yu. Understanding Algebraic Rewriting for Arithmetic Circuit Verification: a Bit-Flow Model. IEEE TCAD, 2019.
  - A. Mahzoon, D. Große, and R. Drechsler. PolyCleaner: clean your polynomials before backward rewriting to verify million-gate multipliers. In ICCAD'18.
  - A. Mahzoon, D. Große, and R. Drechsler. RevSCA: Using Reverse Engineering to Bring Light into Backward Rewriting for Big and Dirty Multipliers. In DAC'19.
Basic Idea of Algebraic Approach

[Figure: flow from the gate-level multiplier (partial products a1b1, a0b1, a1b0, a0b0; gates g1 . . . g4; outputs s0 . . . s3) to a set of polynomials to an ideal membership test]

Polynomials
    B = { x − a0 ∗ b0, y − a1 ∗ b1, s0 − x ∗ y, . . . }

Ideal Membership Test
    remainder ≠ 0   ✗ (not a multiplier)
    remainder = 0   ✓ (multiplier)

Specification
    $\sum_{i=0}^{2n-1} 2^i s_i - \left(\sum_{i=0}^{n-1} 2^i a_i\right)\left(\sum_{i=0}^{n-1} 2^i b_i\right)$
Polynomials

    p = c1τ1 + . . . + cmτm ∈ Q[X] = Q[x1, . . . , xn]

  - Q[X] is the ring of polynomials with variables X = x1, . . . , xn and coefficients in Q.
  - A term τi is a product x1^e1 · · · xn^en with ej ≥ 0.
  - A monomial ciτi is a constant multiple of a term with ci ∈ Q.
  - A polynomial p is a finite sum of monomials.
  - We fix a term order such that for all terms τ, σ1, σ2 we have x1^0 · · · xn^0 = 1 ≤ τ and σ1 ≤ σ2 ⇒ τσ1 ≤ τσ2.
  - An order is a lexicographic term order if for all σ1 = x1^u1 · · · xn^un, σ2 = x1^v1 · · · xn^vn we have σ1 < σ2 iff there exists an index i with uj = vj for all j < i, and ui < vi.
  - lm(p) = c1τ1 is the leading monomial of p.
  - lt(p) = τ1 is the leading term of p.
  - p − lm(p) is the tail of p.
Ideals

Ideal. A nonempty subset I ⊆ Q[X] is called an ideal if
    ∀ p, q ∈ I : p + q ∈ I   and   ∀ p ∈ Q[X] ∀ q ∈ I : pq ∈ I

Basis. A set P = {p1, . . . , pm} ⊆ Q[X] is called a basis of an ideal I if
    I = { q1p1 + · · · + qmpm | q1, . . . , qm ∈ Q[X] } = 〈P〉

I is the set of polynomials which become zero whenever the elements of P become zero.
Circuit Polynomials

Gate Polynomials.
    s3 = g1 ∧ g4      −s3 + g1g4
    s2 = g1 ⊕ g4      −s2 + g1 + g4 − 2g1g4
    g4 = g2 ∧ g3      −g4 + g2g3
    s1 = g2 ⊕ g3      −s1 + g2 + g3 − 2g2g3
    g1 = a1 ∧ b1      −g1 + a1b1
    g2 = a0 ∧ b1      −g2 + a0b1
    g3 = a1 ∧ b0      −g3 + a1b0
    s0 = a0 ∧ b0      −s0 + a0b0

Boolean Value Polynomials.
    a1, a0 ∈ B        a1(1 − a1), a0(1 − a0)
    b1, b0 ∈ B        b1(1 − b1), b0(1 − b0)

[Figure: 2-bit multiplier with partial products a1b1, a0b1, a1b0, a0b0, gates g1 . . . g4 and outputs s0 . . . s3]
Ideals associated to Circuits

Polynomial Circuit Constraints (PCCs).
A polynomial p ∈ Q[X] such that for all (a0, . . . , a_{n−1}, b0, . . . , b_{n−1}) ∈ {0, 1}^{2n} and resulting values g1, . . . , gk, s0, . . . , s_{2n−1} implied by the gates of the circuit C, the substitution of these values into p gives zero.
  - The set of all PCCs is denoted by I(C).
  - I(C) contains all relations of the circuit.
  - I(C) is an ideal.

Examples for PCCs:
  - s0 − a0b0        and gate
  - a1² − a1         a1 boolean
  - g2² − g2         g2 boolean
  - s1g4             xor-and constraint
  - . . .

Multiplier. A circuit C is called a multiplier if
    $\sum_{i=0}^{2n-1} 2^i s_i - \left(\sum_{i=0}^{n-1} 2^i a_i\right)\left(\sum_{i=0}^{n-1} 2^i b_i\right) \in I(C).$

[Figure: 2-bit multiplier with partial products a1b1, a0b1, a1b0, a0b0, gates g1 . . . g4 and outputs s0 . . . s3]
Ideal Membership Test

Ideal membership problem. Given a polynomial f ∈ Q[X] and an ideal I = 〈g1, . . . , gm〉 = 〈G〉 ⊆ Q[X], determine if f ∈ I.

Given an arbitrary basis G of I it is not obvious how to solve the ideal membership problem.

Lemma (Ideal membership test). Let G = {g1, . . . , gm} ⊆ Q[X] be a Gröbner basis, and let f ∈ Q[X]. Then f is contained in the ideal I = 〈G〉 iff the unique remainder of f with respect to G is zero.

Gröbner basis
  - Every ideal I ⊆ Q[X] has a Gröbner basis w.r.t. a fixed term order.
  - Construction algorithm by Buchberger which, given an arbitrary basis of an ideal I, computes a Gröbner basis of it (double exponential).
  - The algorithm is based on repeated reduction of so-called S-polynomials (spol).
  - A basis G is a Gröbner basis of I = 〈G〉 if for all p, q ∈ G: spol(p, q) reduces to zero.
  - Product criterion. If p, q ∈ Q[X] \ {0} are such that the leading terms are coprime, i.e., lcm(lt(p), lt(q)) = lt(p) lt(q), then spol(p, q) reduces to zero.
Circuit Gröbner basis

We can deduce at least some elements of I(C):
  - G = Gate Polynomials + Boolean Value Polynomials
  - Let J(C) = 〈G〉.
  - Lexicographic term order: the output variable of a gate is greater than its input variables.

Theorem. G is a Gröbner basis for J(C).
Proof idea: Application of Buchberger's Product criterion.
Circuit Polynomials

Gate Polynomials.
    s3 = g1 ∧ g4      −s3 + g1g4
    s2 = g1 ⊕ g4      −s2 − 2g1g4 + g4 + g1
    g4 = g2 ∧ g3      −g4 + g2g3
    s1 = g2 ⊕ g3      −s1 − 2g2g3 + g2 + g3
    g1 = a1 ∧ b1      −g1 + a1b1
    g2 = a0 ∧ b1      −g2 + a0b1
    g3 = a1 ∧ b0      −g3 + a1b0
    s0 = a0 ∧ b0      −s0 + a0b0

Boolean Value Polynomials.
    a1, a0 ∈ B        −a1² + a1, −a0² + a0
    b1, b0 ∈ B        −b1² + b1, −b0² + b0

[Figure: 2-bit multiplier with partial products a1b1, a0b1, a1b0, a0b0, gates g1 . . . g4 and outputs s0 . . . s3]
Soundness and completeness

Theorem (Soundness and completeness). For all acyclic circuits C, we have J(C) = I(C).
  - J(C) ⊂ I(C): soundness
  - I(C) ⊂ J(C): completeness
Non-Incremental Checking Algorithm

Non-Incremental Checking Algorithm. Divide the polynomial
    $\sum_{i=0}^{2n-1} 2^i s_i - \left(\sum_{i=0}^{n-1} 2^i a_i\right)\left(\sum_{i=0}^{n-1} 2^i b_i\right)$
by elements of G until no further reduction is possible; then C is a multiplier iff the remainder is zero.

Implications:
  - The leading term of every gate polynomial is a single variable, so division is actually substitution of that variable by the tail.
  - The leading coefficient of all gate polynomials is ±1, so the computation stays in Z.
  - We can still use rational coefficients Q (important for Singular).
  - The completeness proof allows to derive an input assignment (a counterexample) if C is incorrect.
Example: 2 Bit - Binary Multiplication

G = { −s3 + g1g4,
      −s2 + g1 + g4 − 2g1g4,
      −g4 + g2g3,
      −s1 + g2 + g3 − 2g2g3,
      −g1 + a1b1,
      −g2 + a0b1,
      −g3 + a1b0,
      −s0 + a0b0,
      −a1² + a1,
      −a0² + a0,
      −b1² + b1,
      −b0² + b0 }

Reduction of the specification by G (each step substitutes the leading variable of one gate polynomial by its tail):

    8s3 + 4s2 + 2s1 + s0 − 4a1b1 − 2a1b0 − 2a0b1 − a0b0
    8g1g4 + 4s2 + 2s1 + s0 − 4a1b1 − 2a1b0 − 2a0b1 − a0b0
    8g1g4 + 4(g1 + g4 − 2g1g4) + 2s1 + s0 − 4a1b1 − 2a1b0 − 2a0b1 − a0b0
    ...
    0
Computational Issues

Generally the number of monomials in the intermediate results increases drastically:
  - An 8-bit multiplier can not be verified within 20 minutes.

Tailored heuristics become very important:
  - Choose an appropriate term order.
  - Divide the verification problem into smaller sub-problems.
  - Rewrite and thus simplify the Gröbner basis G.
Order

[Figure: the 3-bit partial-product grid a_i b_j (a0b0 . . . a2b2) accumulated into 32s5 + 16s4 + 8s3 + 4s2 + 2s1 + 1s0 for the specification (4a2 + 2a1 + 1a0) ∗ (4b2 + 2b1 + 1b0); the numbers 1 . . . 9 on the grid give the order in which the partial products are processed]

Row-Wise: process a0·B, then a1·B, then a2·B, i.e. the grid row by row.

Column-Wise: process the grid column by column, i.e. the partial products grouped by weight:
    $\sum_{i+j=0} a_i b_j,\quad \sum_{i+j=1} a_i b_j,\quad \sum_{i+j=2} a_i b_j,\quad \sum_{i+j=3} a_i b_j,\quad \sum_{i+j=4} a_i b_j$
Slicing

Partial Products. Let $P_k = \sum_{i+j=k} a_i b_j$.

Input Cone. For each output bit si we determine its input cone
    Ii = { gate g | g is in the input cone of output si }

Slice. Slices Si are defined as the difference of consecutive cones Ii:
    $S_0 = I_0, \qquad S_{i+1} = I_{i+1} \setminus \bigcup_{j=0}^{i} S_j$

Sliced Gröbner Bases. Let Gi be the set of gate and boolean value polynomials in Si.
Carry Recurrence Relation

Carry Recurrence Relation. A sequence of 2n + 1 polynomials C0, . . . , C2n is called a carry sequence if
    −Ci + 2Ci+1 + si − Pi ∈ I(C)   for all 0 ≤ i < 2n + 1.
Then Ri = −Ci + 2Ci+1 + si − Pi are the carry recurrence relations for C0, . . . , C2n.

Theorem. Let C be a circuit where all carry recurrence relations are contained in I(C). Then C is a multiplier iff C0 − 2^{2n} C2n ∈ I(C).
Incremental Algorithm

Incremental Checking Algorithm.
    input:  Circuit C with sliced Gröbner bases Gi
    output: Determine whether C is a multiplier

    C2n ← 0
    for i ← 2n − 1 downto 0
        Ci ← Remainder( 2Ci+1 + si − Pi, Gi )
    return C0 = 0
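The two checking algorithms above, the non-incremental division of the specification by G and the column-wise (incremental) carry recurrence, carried out on the 2-bit multiplier of the slides, as an added Python example that is not the authors' tool. Polynomials are dicts from a sorted tuple of variable names to an integer coefficient; because every variable is Boolean, the boolean value polynomials are applied on the fly (x·x is reduced to x), so only the gate polynomials need to be divided out. The names CORRECT, FAULTY, reduce_by, slices and incremental are assumptions of this example, and the FAULTY circuit, in which the XOR driving s2 is replaced by an OR, is constructed here to show how a non-zero remainder yields a counterexample input, as the completeness proof promises.

```python
from itertools import product

def add(p, q):
    """Sum of polynomials {monomial: coeff}; a monomial is a sorted tuple of variables."""
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
    return {m: c for m, c in r.items() if c}

def mul(p, q):
    """Product; all variables are Boolean, so x*x is reduced to x on the fly."""
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(sorted(set(m1) | set(m2)))
            r[m] = r.get(m, 0) + c1 * c2
    return {m: c for m, c in r.items() if c}

def scale(p, k): return {m: k * c for m, c in p.items()} if k else {}
def var(x): return {(x,): 1}
def AND(x, y): return mul(var(x), var(y))                             # x ∧ y = xy
def XOR(x, y): return add(add(var(x), var(y)), scale(AND(x, y), -2))  # x ⊕ y = x + y - 2xy
def OR(x, y): return add(add(var(x), var(y)), scale(AND(x, y), -1))   # x ∨ y = x + y - xy

def reduce_by(p, x, tail):
    """Divide p by -x + tail: the leading term is the variable x, so this is substitution."""
    r = {}
    for m, c in p.items():
        if x in m:
            r = add(r, mul({tuple(v for v in m if v != x): c}, tail))
        else:
            r = add(r, {m: c})
    return r

# Gate polynomials of the slides' 2-bit multiplier as (output, tail), in topological order.
CORRECT = [("s0", AND("a0", "b0")), ("g1", AND("a1", "b1")),
           ("g2", AND("a0", "b1")), ("g3", AND("a1", "b0")),
           ("s1", XOR("g2", "g3")), ("g4", AND("g2", "g3")),
           ("s2", XOR("g1", "g4")), ("s3", AND("g1", "g4"))]
# Constructed faulty variant (assumption of this example): the XOR driving s2 became an OR.
FAULTY = [(x, OR("g1", "g4") if x == "s2" else t) for x, t in CORRECT]

def remainder(p, gates):
    """Reduce p by the gate polynomials, output (largest) variables first."""
    for x, tail in reversed(gates):
        p = reduce_by(p, x, tail)
    return p

def spec(n=2):
    """sum 2^i s_i - (sum 2^i a_i)(sum 2^i b_i) for an n-bit multiplier."""
    s = a = b = {}
    for i in range(2 * n):
        s = add(s, scale(var(f"s{i}"), 2 ** i))
    for i in range(n):
        a = add(a, scale(var(f"a{i}"), 2 ** i))
        b = add(b, scale(var(f"b{i}"), 2 ** i))
    return add(s, scale(mul(a, b), -1))

def non_incremental(gates, n=2):
    return remainder(spec(n), gates)

def counterexample(rem, n=2):
    """A non-zero remainder mentions only inputs; any assignment making it non-zero is a bug witness."""
    names = [f"a{i}" for i in range(n)] + [f"b{i}" for i in range(n)]
    for bits in product((0, 1), repeat=2 * n):
        env = dict(zip(names, bits))
        if sum(c for m, c in rem.items() if all(env[v] for v in m)):
            return env
    return None

def partial_products(k, n=2):
    """P_k = sum of a_i b_j over i + j = k."""
    p = {}
    for i in range(n):
        if 0 <= k - i < n:
            p = add(p, AND(f"a{i}", f"b{k - i}"))
    return p

def slices(gates, n=2):
    """Input cone I_i of each output s_i, minus the earlier slices, as gate lists G_i."""
    tails = dict(gates)
    def cone(x, acc):
        if x in tails and x not in acc:
            acc.add(x)
            for m in tails[x]:
                for v in m:
                    cone(v, acc)
        return acc
    seen, out = set(), []
    for i in range(2 * n):
        s = cone(f"s{i}", set()) - seen
        seen |= s
        out.append([(x, t) for x, t in gates if x in s])
    return out

def incremental(gates, n=2):
    """Column-wise: C_2n = 0; C_i = Remainder(2 C_{i+1} + s_i - P_i, G_i); returns C_0."""
    G, c = slices(gates, n), {}
    for i in reversed(range(2 * n)):
        p = add(add(scale(c, 2), var(f"s{i}")), scale(partial_products(i, n), -1))
        c = remainder(p, G[i])
    return c

if __name__ == "__main__":
    print("correct:", non_incremental(CORRECT), incremental(CORRECT))  # both {} (zero)
    r = non_incremental(FAULTY)
    print("faulty remainder:", r, "counterexample:", counterexample(r))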
Multipliers as And-Inverter-Graph

[Figure: an And-Inverter-Graph of a multiplier with the recognised sub-circuits highlighted: full adders, half adders, XOR gates and single gates]
Variable Elimination

Identify sub-circuits CS in the AIG and eliminate internal variables:
  - Full-adder rewriting
  - Half-adder rewriting
  - XOR rewriting
  - Common rewriting

Variable elimination is based on the elimination theory of Gröbner bases.
Elimination theory of Gröbner bases

Elimination order. Let X = Y ∪̇ Z (disjoint union) and suppose we want to eliminate Z. Order the terms such that for all terms σ, τ where a variable from Z is contained in σ but not in τ, we obtain τ < σ.

Elimination ideal. The elimination ideal J, in which the Z-variables are eliminated, of I ⊆ Q[X] = Q[Y, Z] is defined by
    J = I ∩ Q[Y].

Elimination theorem. Given an ideal I ⊆ Q[X] = Q[Y, Z]. Further let G be a Gröbner basis of I with respect to an elimination order Y < Z. Then the set
    H = G ∩ Q[Y]
is a Gröbner basis of the elimination ideal J = I ∩ Q[Y]; in particular 〈H〉 = J.
Elimination procedure

Problem: Computing a Gröbner basis H for I(C) w.r.t. an elimination order is costly.
Solution: Split G into two parts.

[Figure: G is split into GA and GB; GB is turned into HB, which splits into HY and HZ; the result is H = GA ∪ HY]

Step 1: original Gröbner basis G
Step 2: split G into two subbases
Step 3: change order of <G to <H
Step 4: eliminate the variables of Z
Step 5: rejoin bases H = GA ∪ HY
Elimination procedure

Theorem. Let G ⊆ Q[X] = Q[Y, Z] be a Gröbner basis with respect to some term order <G. Let GA = G ∩ Q[Y] and GB = G \ GA. Let <H be an elimination order for Z which agrees with <G for all terms that are free of Z, i.e., terms free of Z are equally ordered in <G and <H. Suppose that 〈GB〉 has a Gröbner basis HB with respect to <H which is such that every leading term in HB is free of Z or free of Y. Then 〈G〉 ∩ Q[Y] = (〈GA〉 + 〈GB〉) ∩ Q[Y] = 〈GA〉 + (〈GB〉 ∩ Q[Y]).

Theorem. Let G, GA, GB, HB, HY, HZ, <H, <G be as before. Then H = GA ∪ HY is a Gröbner basis w.r.t. the ordering <H.
Example: Full-Adder Rewriting

[Figure: 3-by-2-bit multiplier with partial products p00, p01, p10, p11, p20, p21 (a0b0, a0b1, a1b0, a1b1, a2b0, a2b1), carries c1, c2, c3, full-adder internal gates g0, g1, g2 and outputs s0 . . . s4]

GA = G \ GB
GB = { −g0 + p20 + p11 − 2p20p11, −g1 + p20p11, −g2 + c1g0,
       −s2 + c1 + g0 − 2c1g0, −c2 + g1 + g2 − g1g2 }

Original lexicographic term ordering <G:
    b0 < b1 < a0 < a1 < a2 < p00 < s0 < p01 < p10 < s1 < c1 <
    p11 < p20 < g0 < g1 < g2 < s2 < c2 < p21 < s3 < c3 < s4

Elimination order <H:
    b0 < b1 < a0 < a1 < a2 < p00 < s0 < p01 < p10 < s1 < c1 <
    p11 < p20 < s2 < c2 < p21 < s3 < c3 < s4 < g0 < g1 < g2

Gröbner basis HB w.r.t. elimination order <H:
    HB = { g0 + 2p20p11 − p20 − p11,
           g1 − p20p11,
           g2 + 2p20p11c1 − p20c1 − p11c1,
           s2 − 4p20p11c1 + 2p20p11 + 2p20c1 − p20 + 2p11c1 − p11 − c1,
           2c2 + s2 − p20 − p11 − c1 }
Experiments

[Figure: tool flow: multiplier AIG → AIGMULTOPOLY → polynomials in a CAS file, e.g. B = { x − a0 ∗ b0, y − a1 ∗ b1, s0 − x ∗ y, . . . } → ideal membership test in MATHEMATICA or SINGULAR; C0 ≠ 0 ✗, C0 = 0 ✓]

[Figure: two 4-bit multiplier layouts built from half adders (HA) and full adders (FA), with partial products p00 . . . p33 and outputs s7 . . . s0, differing in how the partial products are arranged]
Experiments

mult       n  | Mathematica                           | Singular
              | non-inc  non-inc  incr.   incr.       | non-inc  non-inc  incr.   incr.
              |          +xor     +xor    +xor +add   |          +xor     +xor    +xor +add
btor      16  |   3        5        2        1        |   1        1        1        1
btor      32  |  56       31       14        2        |  42       28       10        1
btor      64  |  MO      292      131       11        |  MO       MO       MO       14
btor     128  |  TO       TO       TO      101        |  EE       EE       EE       EE
sp-ar-rc  16  |   9        7        4        1        |  TO        6        1        0
sp-ar-rc  32  | 326      171       30        2        |  TO      242       28        2
sp-ar-rc  64  |  MO       TO      300       11        |  MO       EE       MO       16
sp-ar-rc 128  |  TO       TO       TO      102        |  EE       EE       EE       EE

Table: time in sec; TO = 1200 sec, MO = 14GB, EE = more than 32767 variables
Proofs

[Figure: the verification flow: multiplier (partial products a1b1, a0b1, a1b0, a0b0; gates g1 . . . g4; outputs s0 . . . s3) → polynomials B = { x − a0 ∗ b0, y − a1 ∗ b1, s0 − x ∗ y, . . . } → verification against the specification $\sum_{i=0}^{2n-1} 2^i s_i - (\sum_{i=0}^{n-1} 2^i a_i)(\sum_{i=0}^{n-1} 2^i b_i)$, remainder ≠ 0 ✗ or = 0 ✓. Correct?]

Problem:
  - Can we trust the CAS?
  - Can we trust our own implementation of the optimizations?

Solution: Validate the result of the verification process [SC2'18]
  - Generate machine-checkable proofs
  - Check by independent proof checkers
Proofs

Polynomial calculus: Sequence P = (p1, . . . , pn), where each pk is obtained by:

    Addition:          pi    pj               ∀ pi, pj ∈ 〈G〉 : pi + pj ∈ 〈G〉
                       ---------
                        pi + pj

    Multiplication:       pi                  ∀ q ∈ Q[X] ∀ pi ∈ 〈G〉 : qpi ∈ 〈G〉
                       ---------
                          qpi

If pn = f we write G ⊢ f or, in algebraic terms, f ∈ 〈G〉.
Refutation: G ⊢ 1 or 1 ∈ 〈G〉.
Example

[Figure: a circuit with input a, b = ¬a and output c = a ∧ b]

G = { −b + 1 − a,      b = ¬a
      −c + ab,         c = a ∧ b = a ∧ ¬a
      a² − a }         a ∈ B
f = c
redG(f) = 0

Derivation:
    (−b + 1 − a) ∗ a                →  −ab + a − a²
    (−ab + a − a²) + (a² − a)       →  −ab
    (−ab) + (−c + ab)               →  −c
    (−c) ∗ (−1)                     →  c
P = (−ab + a − a², −ab, −c, c)

We translate the polynomial calculus into a concrete proof format:
  - given gate and boolean value polynomials serve as axioms
  - instances of the addition or multiplication rule derive polynomials

Practical Algebraic Calculus (PAC) allows automated proof checking
PAC Syntax

letter     ::= 'a' | 'b' | . . . | 'z' | 'A' | 'B' | . . . | 'Z'
number     ::= '0' | '1' | . . . | '9'
constant   ::= (number)+
variable   ::= letter (letter | number)*
power      ::= variable [ '^' constant ]
term       ::= power ('*' power)*
monomial   ::= constant | [ constant '*' ] term
operator   ::= '+' | '-'
polynomial ::= [ '-' ] monomial (operator monomial)*
given      ::= (polynomial ';')*
rule       ::= ('+' | '*') ':' polynomial ',' polynomial ',' polynomial ';'
proof      ::= (rule ';')*
Example - PAC

[Figure: a circuit with input a, b = ¬a and output c = a ∧ b]

G = { −b + 1 − a, −c + ab, a² − a }
f = c

    * : -b+1-a, a, -a*b+a-a^2;
    + : -a*b+a-a^2, a^2-a, -a*b;
    + : -a*b, -c+a*b, -c;
    * : -c, -1, c;
Proof Checking

A proof rule contains four components:
    o : v, w, p;

Proof checking:
  - Connection property: v, w are given polynomials or conclusions pi of previous rules
  - Inference property: verify correctness of each rule, e.g. p = v + w for o = "+"
  - Refutation check: at least one pi is a non-zero constant
Proof Checking Algorithm

input:  G, a sequence of given polynomials; r1 · · · rk, a sequence of PAC proof rules
output: "incorrect", "correct-proof", or "correct-refutation"

P0 ← G
for i ← 1 . . . k
    let ri = (oi, vi, wi, pi)
    case oi = +
        if vi ∈ Pi−1 ∧ wi ∈ Pi−1 ∧ pi = vi + wi then Pi ← append(Pi−1, pi)
        else return "incorrect"
    case oi = ∗
        if vi ∈ Pi−1 ∧ pi = vi ∗ wi then Pi ← append(Pi−1, pi)
        else return "incorrect"
for i ← 1 . . . k
    if pi is a non-zero constant polynomial then return "correct-refutation"
return "correct-proof"
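A minimal checker for the PAC format and the proof checking algorithm above, as an added Python example; it is not PacTrim or any other tool of the authors. It parses the grammar from the PAC Syntax slide into dict polynomials keyed by (variable, exponent) pairs, checks the connection property (v, and for "+" also w, must be a given polynomial or an earlier conclusion) and the inference property (p = v + w or p = v ∗ w) of each rule, and finally reports "incorrect", "correct-proof" or "correct-refutation". GIVEN and PROOF are the slides' a, b, c example; the refutation input and the function names parse_poly and check are constructed for this illustration.

```python
import re

TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9]*|\d+|[-+*^]")

def parse_poly(text):
    """PAC polynomial -> {monomial: coeff}; a monomial is a sorted tuple of
    (variable, exponent) pairs, the empty tuple being the constant term."""
    toks, poly, i = TOKEN.findall(text), {}, 0
    while i < len(toks):
        sign = 1
        if toks[i] in ("+", "-"):                       # operator or leading '-'
            sign, i = (-1 if toks[i] == "-" else 1), i + 1
        coeff, powers = 1, {}
        if toks[i].isdigit():                           # constant [ '*' term ]
            coeff, i = int(toks[i]), i + 1
            if i < len(toks) and toks[i] == "*":
                i += 1
        while i < len(toks) and toks[i][0].isalpha():   # power ('*' power)*
            v, e, i = toks[i], 1, i + 1
            if i < len(toks) and toks[i] == "^":
                e, i = int(toks[i + 1]), i + 2
            powers[v] = powers.get(v, 0) + e
            if i < len(toks) and toks[i] == "*":
                i += 1
        m = tuple(sorted(powers.items()))
        poly[m] = poly.get(m, 0) + sign * coeff
    return {m: c for m, c in poly.items() if c}

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
    return {m: c for m, c in r.items() if c}

def mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            powers = dict(m1)
            for v, e in m2:
                powers[v] = powers.get(v, 0) + e
            m = tuple(sorted(powers.items()))
            r[m] = r.get(m, 0) + c1 * c2
    return {m: c for m, c in r.items() if c}

def parse_rules(text):
    """rule ::= ('+' | '*') ':' polynomial ',' polynomial ',' polynomial ';'"""
    rules = []
    for chunk in text.split(";"):
        if chunk.strip():
            op, rest = chunk.split(":", 1)
            v, w, p = (parse_poly(s) for s in rest.split(","))
            rules.append((op.strip(), v, w, p))
    return rules

def check(given, proof):
    """The slides' proof checking algorithm over a PAC 'given' and 'proof' text."""
    known = {frozenset(parse_poly(g).items()) for g in given.split(";") if g.strip()}
    derived = []
    for op, v, w, p in parse_rules(proof):
        fv, fw = frozenset(v.items()), frozenset(w.items())
        if op == "+":        # connection: v and w known; inference: p = v + w
            ok = fv in known and fw in known and p == add(v, w)
        elif op == "*":      # connection: v known, w arbitrary; inference: p = v * w
            ok = fv in known and p == mul(v, w)
        else:
            ok = False
        if not ok:
            return "incorrect"
        known.add(frozenset(p.items()))
        derived.append(p)
    if any(set(p) == {()} for p in derived):   # some p_i is a non-zero constant
        return "correct-refutation"
    return "correct-proof"

# The slides' example: b = ¬a, c = a ∧ b, a Boolean; the proof derives f = c.
GIVEN = "-b+1-a; -c+a*b; a^2-a;"
PROOF = ("* : -b+1-a, a, -a*b+a-a^2;"
         "+ : -a*b+a-a^2, a^2-a, -a*b;"
         "+ : -a*b, -c+a*b, -c;"
         "* : -c, -1, c;")
# Constructed refutation: from a - 1 and a the constant 1 is derived.
REFUTATION_GIVEN = "a-1; a;"
REFUTATION_PROOF = "* : a-1, -1, -a+1; + : -a+1, a, 1;"

if __name__ == "__main__":
    print(check(GIVEN, PROOF))                          # correct-proof
    print(check(REFUTATION_GIVEN, REFUTATION_PROOF))    # correct-refutation
    print(check(GIVEN, "+ : -a*b, -c+a*b, c;"))         # incorrect: -a*b is not yet known
```

Polynomials are compared as dicts with zero coefficients dropped, so a rule is accepted only if its conclusion is syntactically the normalised sum or product; the checker never needs a term order or a Gröbner basis, which is exactly what makes the PAC format cheap to verify independently of the CAS that produced it.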
Verifying Correctness of FMCAD'17 and DATE'18 Results

 n   mult    option      | verification | proof generation | PACTRIM | proof length
16   btor    incrm+elim  |       1      |        37        |     0   |   12 738
32   btor    incrm+elim  |       2      |       801        |     1   |   53 122
64   btor    incrm+elim  |      11      |    22 378        |     4   |  216 834
16   sparrc  incrm+elim  |       1      |       112        |    20   |   17 804
32   sparrc  incrm+elim  |       2      |     2 611        |     2   |   75 244
64   sparrc  incrm+elim  |      11      |    80 906        |    12   |  309 164
Array Ripple Carry Multiplier

[Figure: And-Inverter-Graph of an 8-bit array ripple-carry multiplier with inputs IN1[0] . . . IN1[7] and IN2[0] . . . IN2[7] and outputs P[0] . . . P[15]; the AIG node numbers are omitted]
Wallace-Tree Carry-Lookahead Multiplier

[Figure: And-Inverter-Graph of an 8-bit Wallace-tree multiplier with carry-lookahead final adder, inputs IN1[0] . . . IN1[7] and IN2[0] . . . IN2[7] and outputs P[0] . . . P[15]; the AIG node numbers are omitted]
Checking Commutativity of Multiplication with SAT

bits | Glucose  | Lingeling | March|iLingeling           | Treengeling
     | 1 core   | 1 core    | cube-and-conquer, 12 core  | 12 core
 01  |   0.00   |   0.00    |   0.00                     |   0.01
 02  |   0.00   |   0.00    |   0.00                     |   0.01
 03  |   0.00   |   0.00    |   0.00                     |   0.01
 04  |   0.00   |   0.00    |   0.02                     |   0.03
 05  |   0.00   |   0.01    |   0.05                     |   0.13
 06  |   0.02   |   0.03    |   0.36                     |   0.31
 07  |   0.14   |   0.27    |   0.63                     |   0.72
 08  |   1.18   |   1.98    |   1.38                     |   2.47
 09  |   7.85   |  10.98    |   2.63                     |   4.65
 10  |  37.16   |  41.49    |   5.02                     |  10.86
 11  | 147.62   | 214.98    |  15.72                     |  21.96
 12  | 833.62   | 649.49    |  56.57                     |  61.48
 13  |   –      |   –       | 238.10                     | 263.44

limit of 900 seconds wall clock time

SMT-LIB encoding of the 12-bit instance:
    (set-logic QF_BV)
    (declare-fun x () (_ BitVec 12))
    (declare-fun y () (_ BitVec 12))
    (assert (distinct (bvmul x y) (bvmul y x)))
    (check-sat)
Crux of Multiplier Verification for SAT

[Figure: word-level graph of the problem the SAT solver faces: the variables varx00 . . . varx15 are each extended by a concat with zero, summed by a tree of add nodes (operands 1 and 2), and the two sums are compared with an eq node]
Adder Substitution [KaufmannBiereKauers-FMCAD'19]

[Figure: multiplier structure before and after adder substitution: Input → Partial Product Generation → Partial Product Accumulation → Final Stage Adder → Output; adder substitution replaces the final stage adder]
Verification and Certification Flow

[Figure: Verify: .aig → AMulet substitution → .cnf to CaDiCaL and .aig to AMulet verify → ✗ | ✓.
Certify and Check: .aig → AMulet substitution → .cnf to CaDiCaL, producing a .proof checked by drat-trim, and .aig to AMulet certify, producing .polys, .pac and .spec checked by PacTrim → ✗ | ✓]
Verification and Certification Time

architecture  n  SPEC | nosat nomod noelim | Verify             | MGD   YCM    CSYY   RBK     | Certify            | Check         | total | proof size
                      |                    | sub sat  aig  tot  | DAC19 TCAD17 TCAD19 FMCAD17 | sub sat  aig  tot  | sat  aig  tot |       | sat (drat)  aig (pac)
sp-ar-rc     32  u    | 0     0     0      | 0   0    0    0    | NA2   NA4    0      8       | 0   0    1    1    | 0    1    1   | 2     | 0           46 018
sp-dt-lf     32  u    | TO    0     1      | 0   0    0    0    | 3     TO     NA4    TO      | 0   0    1    1    | 0    1    1   | 2     | 2 614       44 986
sp-wt-cl     32  u    | TO    TO    1      | 0   1    0    1    | 6     TO     NA4    TO      | 0   1    1    2    | 1    1    2   | 4     | 52 390      47 017
sp-bd-ks     32  u    | TO    TO    TO     | 0   0    0    1    | 12    TO     NA4    TO      | 0   0    1    1    | 0    1    1   | 2     | 21 188      46 971
sp-ar-ck     32  u    | TO    0     0      | 0   0    0    0    | 5     TO     NA4    TO      | 0   0    1    1    | 0    1    1   | 2     | 663         45 514
bp-ar-rc     32  u    | 0     TO    264    | 0   0    0    0    | 4     0      NA4    TO      | 0   0    1    1    | 0    1    1   | 2     | 0           41 935
bp-ct-bk     32  u    | TO    TO    210    | 0   0    0    0    | 9     TO     NA4    TO      | 0   0    1    1    | 0    1    1   | 2     | 1 832       35 803
bp-os-cu     32  u    | 0     TO    272    | 0   0    0    0    | 7     TO     NA4    TO      | 0   0    1    1    | 0    1    1   | 2     | 0           44 528
bp-wt-cs     32  u    | 0     TO    257    | 0   0    0    0    | 5     TO     NA4    TO      | 0   0    1    1    | 0    1    1   | 2     | 0           42 963
sp-ar-rc     64  u    | 2     1     5      | 0   0    2    2    | NA2   NA4    0      133     | 0   0    13   13   | 0    6    6   | 19    | 0           188 290
sp-dt-lf     64  u    | TO    2     13     | 0   0    3    3    | 31    TO     NA4    TO      | 0   0    17   17   | 0    8    8   | 25    | 34 423      186 170
sp-wt-cl     64  u    | TO    TO    9      | 0   9    2    11   | 96    TO     NA4    TO      | 0   9    14   23   | 7    6    13  | 37    | 264 471     191 621
sp-bd-ks     64  u    | TO    TO    7      | 0   1    2    3    | 162   TO     NA4    TO      | 0   2    14   16   | 1    6    7   | 23    | 78 567      190 911
sp-ar-ck     64  u    | TO    1     5      | 0   0    2    2    | 143   TO     NA4    TO      | 0   0    13   13   | 0    6    6   | 19    | 1 432       187 251
bp-ar-rc     64  u    | 2     TO    TO     | 0   0    2    2    | 53    0      NA4    TO      | 0   0    15   15   | 0    5    5   | 20    | 0           161 935
bp-ct-bk     64  u    | TO    TO    TO     | 0   0    2    3    | 119   TO     NA4    TO      | 0   0    16   17   | 0    5    5   | 22    | 27 552      138 179
bp-os-cu     64  u    | 3     TO    TO     | 0   0    3    4    | 95    TO     NA4    TO      | 0   0    18   18   | 0    6    7   | 25    | 0           166 963
bp-wt-cs     64  u    | 3     TO    TO     | 0   0    3    3    | 75    TO     NA4    TO      | 0   0    15   15   | 0    5    5   | 20    | 0           161 745
sp-ar-rc     32  s    | 0     0     0      | 0   0    0    0    | NA1   NA1    NA1    NA1     | 0   0    1    1    | 0    1    1   | 2     | 0           46 090
bp-wt-cl     32  s    | TO    0     245    | 0   1    0    1    | NA1   NA1    NA1    NA1     | 0   1    1    2    | 1    1    2   | 4     | 50 620      38 097
btor         32  t    | 0     NA3   0      | 0   0    0    0    | NA1   NA1    NA1    NA1     | 0   0    0    0    | 0    0    1   | 1     | 0           16 633
sp-ar-rc     64  s    | 2     1     5      | 0   0    2    2    | NA1   NA1    NA1    NA1     | 0   0    13   13   | 0    6    6   | 19    | 0           188 426
bp-wt-cl     64  s    | TO    47    TO     | 0   10   3    12   | NA1   NA1    NA1    NA1     | 0   10   17   26   | 7    5    12  | 38    | 261 650     151 355
btor         64  t    | 1     NA3   1      | 0   0    1    1    | NA1   NA1    NA1    NA1     | 0   0    4    4    | 0    3    4   | 8     | 0           69 068

NA1: tool not applicable to type SPEC   NA2: tool not yet available   NA3: would lead to incompleteness   NA4: not reproducible
Large Multipliers

architecture     n  SPEC | Verify                     | MGD      | CSYY   | AIG size
                         | sub  sat  aig      tot     | DAC19    | TCAD19 |
btor           128  u    | 0    0    34       34      | NA2      | 0      | 129 920
kjvnkv         128  u    | 0    0    19       19      | NA2      | NA4    | 194 560
sp-ar-rc       128  u    | 0    0    19       19      | 349      | 2      | 194 560
sp-dt-lf       128  u    | 0    2    48       50      | 490      | NA4    | 193 550
sp-wt-bk       128  u    | 0    1    54       56      | 746      | NA4    | 197 518
btor           256  u    | 1    0    536      537     | NA2      | NA4    | 521 984
kjvnkv         256  u    | 1    0    252      253     | NA2      | NA4    | 782 336
sp-ar-rc       256  u    | 2    0    254      255     | 8 720    | NA4    | 782 336
sp-dt-lf       256  u    | 4    6    901      911     | 12 874   | NA4    | 780 302
sp-wt-bk       256  u    | 3    3    985      992     | 21 454   | NA4    | 790 098
btor           512  u    | 7    0    10 458   10 465  | NA2      | NA4    | 2 092 544
kjvnkv         512  u    | 9    0    4 592    4 601   | NA2      | NA4    | 3 137 536
sp-ar-rc       512  u    | 10   0    4 541    4 551   | 192 640  | NA4    | 3 137 536
sp-dt-lf       512  u    | 26   21   21 563   21 609  | 240 051  | NA4    | 3 133 454
sp-wt-bk       512  u    | 25   9    48 197   48 231  | 492 320  | NA4    | 3 156 866
btor          1024  u    | 96   0    306 157  306 253 | NA2      | NA4    | 8 379 392
kjvnkv        1024  u    | 107  0    97 670   97 777  | NA2      | NA4    | 12 566 528

NA1: tool not applicable to type SPEC   NA2: tool not yet available   NA3: would lead to incompleteness   NA4: not reproducible
Future Work

Circuit Verification
  - other word-level operators (shift, division, . . . )
  - floating point operators (addition, . . . )
  - synthesized multipliers

Proof Generation
  - connection to clausal proof systems
  - certified proof checker "really really correct"
  - boolean proofs