Hardware Datapath Verification using Commutative Algebra and Algebraic Geometry Priyank Kalla Associate Professor Electrical and Computer Engineering, University of Utah [email protected] http://www.ece.utah.edu/~kalla A tutorial presented at the joint session of SAT, DIFTS and FMCAD 2015 Research funded in part by the US National Science Foundation The Core Message of the Tutorial Modern Algebraic Geometry Study of the zeros of multivariate polynomials Infeasible to enumerate the solutions Reason about various properties of the solution-sets Employ techniques that lie at the cross-roads of number-theory, commutative algebra, geometry Use of Gr¨obner bases as a powerful reasoning engine Hardware datapaths possess structure and symmetry in the problem Gr¨obner bases help identify this structure/symmetry Exploit this structure/symmetry to engineer domain-specific implementations for datapath verification Enables verification of hard datapath verification problems P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 2 / 54 Tutorial Objective and Agenda Formal verification of datapath implementations (RTL) Word-level abstractions from designs, symbolic techniques Model bit-precise semantics at word-level Applications: Cryptography, Error Control Circuits, Signal Processing P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 3 / 54 Tutorial Objective and Agenda Formal verification of datapath implementations (RTL) Word-level abstractions from designs, symbolic techniques Model bit-precise semantics at word-level Applications: Cryptography, Error Control Circuits, Signal Processing Equivalence check: specification (Spec) vs implementation (Impl) Spec and Impl: same function? RTL: functions over k-bit vectors k-bit vector 7→ Boolean domain Bk k 7→ k Z -bit vector integers (mod 2 )= 2k k 7→ F -bit vector Galois (Finite) field 2k P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 3 / 54 Tutorial Objective and Agenda Formal verification of datapath implementations (RTL) Word-level abstractions from designs, symbolic techniques Model bit-precise semantics at word-level Applications: Cryptography, Error Control Circuits, Signal Processing Equivalence check: specification (Spec) vs implementation (Impl) Spec and Impl: same function? RTL: functions over k-bit vectors k-bit vector 7→ Boolean domain Bk k 7→ k Z -bit vector integers (mod 2 )= 2k k 7→ F -bit vector Galois (Finite) field 2k Approach: Computer Algebra Techniques Z Z F F Model: Polynomial functions over f : 2k 2k or f : 2k 2k Devise decision procedures for polynomial→ function equivalence→ Commutative algebra, algebraic geometry + contemporary verification P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 3 / 54 Verification of Galois field circuits Wide applications of Galois field (GF) circuits Cryptography: RSA, Elliptic Curve Cryptography (ECC) Error Correcting Codes, Digital Signal Processing, etc. P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 4 / 54 Verification of Galois field circuits Wide applications of Galois field (GF) circuits Cryptography: RSA, Elliptic Curve Cryptography (ECC) Error Correcting Codes, Digital Signal Processing, etc. Bugs in GF arithmetic circuits can leak secret keys Biham et al., “Bug Attacks”, Crypto 2008 [1] P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 4 / 54 Verification of Galois field circuits Wide applications of Galois field (GF) circuits Cryptography: RSA, Elliptic Curve Cryptography (ECC) Error Correcting Codes, Digital Signal Processing, etc. Bugs in GF arithmetic circuits can leak secret keys Biham et al., “Bug Attacks”, Crypto 2008 [1] Target problems F Given Galois field 2k , polynomial f , and circuit C Verify: circuit C implements f ; or find the bug Given circuit C, with k-bit inputs and outputs C f F → F Derive a polynomial representation for over : 2k 2k Word-level abstraction as a canonical polynomial representation P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 4 / 54 Verification of Galois field circuits Wide applications of Galois field (GF) circuits Cryptography: RSA, Elliptic Curve Cryptography (ECC) Error Correcting Codes, Digital Signal Processing, etc. Bugs in GF arithmetic circuits can leak secret keys Biham et al., “Bug Attacks”, Crypto 2008 [1] Target problems F Given Galois field 2k , polynomial f , and circuit C Verify: circuit C implements f ; or find the bug Given circuit C, with k-bit inputs and outputs C f F → F Derive a polynomial representation for over : 2k 2k Word-level abstraction as a canonical polynomial representation F Solutions employing Nullstellensatz over 2k + Gr¨obner Basis methods Focus: Techniques and implementations to address scalability Term-orders, custom F4-style reduction P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 4 / 54 Galois Field Overview k Galois field Fq is a finite field with q elements, q = p , p = prime 0, 1 elements, associate, commutative, distributive laws Closure property: +, , , inverse ( ) − × ÷ F F k Our interest: q = 2k (q = 2 ) F k : k-dimensional extension of F = 0, 1 2 2 { } k-bit bit-vector, AND/XOR arithmetic Efficient crypto-hardware implementations F To construct 2k F k F [x] (mod P(x)) 2 ≡ 2 P(x) F [x], irreducible polynomial of degree k ∈ 2 Operations performed (mod P(x)) and coefficients reduced (mod 2) P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 5 / 54 Example Field Construction: F8 F F 3 Construct: 23 = 2[x] (mod P(x)= x + x + 1) Consider any polynomial A(x) F2[x] 3 2∈ A(x) (mod x + x +1) = a2x + a1x + a0. Let P(α) = 0: a , a , a = 0, 0, 0 = 0 h 2 1 0i h i a , a , a = 0, 0, 1 = 1 h 2 1 0i h i a , a , a = 0, 1, 0 = α h 2 1 0i h i a , a , a = 0, 1, 1 = α + 1 h 2 1 0i h i a , a , a = 1, 0, 0 = α2 h 2 1 0i h i a , a , a = 1, 0, 1 = α2 + 1 h 2 1 0i h i a , a , a = 1, 1, 0 = α2 + α h 2 1 0i h i a , a , a = 1, 1, 1 = α2 + α + 1 h 2 1 0i h i P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 6 / 54 Polynomial Functions f : Fq Fq → Every function is a polynomial function over Fq Consider 1-bit right-shift operation Z[2 : 0] = A[2 : 0] >> 1 a a a A z z z Z { 2 1 0} → { 2 1 0} 000 0 000 0 → 001 1 000 0 → 010 α 001 1 → 011 α + 1 001 1 → 100 α2 010 α → 101 α2 + 1 010 α → 110 α2 + α 011 α + 1 → 111 α2 + α + 1 011 α + 1 → P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 7 / 54 Polynomial Functions f : Fq Fq → Every function is a polynomial function over Fq Consider 1-bit right-shift operation Z[2 : 0] = A[2 : 0] >> 1 a a a A z z z Z { 2 1 0} → { 2 1 0} 000 0 000 0 → 001 1 000 0 → 010 α 001 1 → 011 α + 1 001 1 → 100 α2 010 α → 101 α2 + 1 010 α → 110 α2 + α 011 α + 1 → 111 α2 + α + 1 011 α + 1 → 2 4 2 2 F 3 Z = (α + 1)A + (α + 1)A over 23 where α + α +1=0 P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 7 / 54 Verification Application: Elliptic Curve Cryptography Encryption, Decryption & Authentication using point addition: P + Q = R 2 3 2 F y + xy = x + ax + b over 2k y y −R Compute Slope: 2 − 1 x2 x1 R = P + Q − Q Computation of F inverses over 2k is P expensive R P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 8 / 54 Point addition using Projective Co-ordinates 2 3 2 2 4 F Curve: Y + XYZ = X Z + aX Z + bZ over 2k Let (X3, Y3, Z3) = (X1, Y1, Z1) + (X2, Y2, 1) 2 A = Y2 Z + Y1 E = A C · 1 · 2 B = X2 Z1 + X1 X = A + D + E · 3 C = Z1 B F = X + X Z · 3 2 · 3 D = B2 (C + aZ 2) G = X + Y Z · 1 3 2 · 3 Z = C 2 Y = E F + Z G 3 3 · 3 · P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 9 / 54 Point addition using Projective Co-ordinates 2 3 2 2 4 F Curve: Y + XYZ = X Z + aX Z + bZ over 2k Let (X3, Y3, Z3) = (X1, Y1, Z1) + (X2, Y2, 1) 2 A = Y2 Z + Y1 E = A C · 1 · 2 B = X2 Z1 + X1 X = A + D + E · 3 C = Z1 B F = X + X Z · 3 2 · 3 D = B2 (C + aZ 2) G = X + Y Z · 1 3 2 · 3 Z = C 2 Y = E F + Z G 3 3 · 3 · No inverses, just addition and multiplication Verify ECC hardware primitives: circuits for GF Multiplication and exponentiation Challenge: Large datapath size, from k = 163-bits to 1000+ bits P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 9 / 54 Field polynomials of Fq Theorem (Fermat’s Little Theorem over Fq) q For any element α Fq, then α = α. ∈ Vanishing Polynomials q The polynomial (x x) vanishes (= 0) on all points in Fq. We call q − (x x) a vanishing polynomial of Fq. − P. Kalla (Univ. of Utah) Verify Datapath using Algebra & Geometry 10 / 54 Computer Algebra Terminology k Let Fq = GF (2 ), and Fq be its closure Fq[x1,..., xn]: ring of all polynomials with coefficients in Fq Polynomial f = c1X1 + c2X2 + + ct Xt · · ·α1 α2 αn Coefficients ci , monomial X = x x x , αi Z≥ 1 · 2 ··· n ∈ 0 A monomial ordering is imposed on the ring, so f : X > X > > Xt 1 2 ··· Leading term lt(f )= c X , tail(f )= c X + + ct Xt 1 1 2 2 ··· Leading coefficient lt(f )= c1 and leading monomial lm(f )= X1 P.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages94 Page
-
File Size-