Verification of a GF(2^m) Multiplier-Circuit for Digital Signal Processing by Hoffmann, Dirk W. & Kropf, Thomas

Verification of a GF(2^m) Multiplier-Circuit for Digital Signal Processing

Dirk W. Hoffmann, Thomas Kropf
Universität Karlsruhe
Institut für Rechnerstrukturen und Fehlertoleranz (Prof. Dr.-Ing. D. Schmid)
Karlsruhe, Germany
hoff@ira.uka.de, kropf@ira.uka.de
http://goethe.ira.uka.de/hvg
Abstract

Hardwired solutions for Finite Field Arithmetic have become increasingly important in recent years and are mostly part of domain-specific Digital Signal Processors (DSPs). We have specified and verified a real-life example of an array-type multiplier for Finite Field multiplication in GF(2^m). The multiplier has been specified in higher-order logic and correctness has been proven using the HOL theorem prover. Since our model is generic, the correctness results hold for arbitrarily scaled circuits.
1 Introduction

Finite Field Arithmetic has various applications in telecommunication, e.g. coding theory and cryptography. In the past, different approaches for performing multiplication in Finite Fields have been presented [7, 8], mostly based on sequential algorithms (shift-register type multipliers). Since the application domain for Finite Field Arithmetic is steadily increasing, hardwired non-sequential solutions have been proposed. Most of them are realized in the form of domain-specific Digital Signal Processors (DSPs). Due to their lack of speed, sequential algorithms are not well suited for DSP integration, where efficiency is by far the most important issue. Since it has become possible to integrate large circuits on a single chip without an explosion in production costs, hardwired non-sequential algorithms become more and more important.

In [1] a DSP multiplier unit has been proposed based on a two-dimensional array structure. The circuit is user-programmable and can therefore be applied to a much broader range of applications at the same time. This is in contrast to shift-register type multipliers, which can only perform multiplications based on a fixed primitive irreducible polynomial.

* This work is supported by the ESPRIT LTR Project.

In this paper we have completely specified the multiplier circuit as described in [1] using higher-order logic. The circuit description is generic and the proved theorems hold for multipliers of arbitrary size. All proofs have been derived using the HOL theorem prover [3]. While constructing the proofs we have discovered an error in the circuit architecture. The error was due to a missing gate in the layout for a single multiplier cell (see the cell layout figure in [1]).

Our paper is organized as follows. In Section 2 we give a brief introduction to Finite Field Theory. Section 3 presents the multiplier architecture and Section 4 describes how verification has been performed. We close our paper with a summary in Section 5 and some remarks about further research.
2 Finite Field Theory

Every field containing a finite number of elements is called a Finite Field or Galois Field. Let $F$ denote an arbitrary Finite Field. It can be shown that
$$|F| = p^m$$
holds for some prime number $p$ and integer $m \ge 1$. Moreover, given any prime $p$ and integer $m \ge 1$, there exists a Finite Field with exactly $p^m$ elements.

Two Finite Fields $F$ and $G$ with $|F| = |G|$ can always be proven to be isomorphic. Thus we define $GF(p^m)$ to be the Finite Field with $p^m$ elements.

If $m = 1$, $GF(p^m)$ is isomorphic to $\{0, 1, \ldots, p-1\}$ with
$$a + b = (a + b) \bmod p, \qquad a \cdot b = (a \cdot b) \bmod p.$$
However, for $m > 1$ the set $\{0, 1, \ldots, p^m - 1\}$ no longer forms a field with standard addition and multiplication modulo $p^m$. In particular, the multiplicative group of $GF(p^m)$ turns out to be slightly harder to characterize.

It can be shown (see, e.g., [2]) that $GF(p^m)$ is an extension field of $GF(p)$ and
$$GF(p^m) \cong GF(p)[x] / (f),$$
where $f \in GF(p)[x]$ is a primitive irreducible polynomial of the form
$$f(x) = x^m + f_{m-1}\,x^{m-1} + \cdots + f_1\,x + f_0.$$
Thus $GF(p^m)$ is isomorphic to the set of polynomials over $GF(p)$ reduced modulo $f$. Addition and multiplication are the standard operators for polynomials.

Moreover, it turns out that every root $\alpha$ of $f$ generates $GF(p^m)$: every nonzero element of $GF(p^m)$ can be represented as a power of $\alpha$. Using the fact that $f(\alpha) = 0$ we get
$$\alpha^m = -\left(f_{m-1}\,\alpha^{m-1} + \cdots + f_1\,\alpha + f_0\right). \qquad (1)$$
(Over $GF(2)$, the case treated from here on, $-1 = 1$ and the minus sign can be dropped.) Therefore we can represent every element of $GF(p^m)$ by a polynomial in $\alpha$ having a degree less than $m$. Successively applying Eq. (1) to a polynomial of degree greater than or equal to $m$ finally yields a polynomial of degree less than $m$, which is an element of $GF(p^m)$. In other words, Eq. (1) can be exploited to perform modulo computation.

For the rest of this paper we restrict ourselves to Galois Fields $GF(2^m)$, extension fields of $GF(2)$, which are mostly used in digital systems.
Let
$$a = a_0 + a_1\,\alpha + \cdots + a_{m-1}\,\alpha^{m-1}, \qquad b = b_0 + b_1\,\alpha + \cdots + b_{m-1}\,\alpha^{m-1}$$
denote two elements of $GF(2^m)$. Then we get
$$a + b = \sum_{i=0}^{m-1} a_i\,\alpha^i + \sum_{i=0}^{m-1} b_i\,\alpha^i = \sum_{i=0}^{m-1} (a_i + b_i)\,\alpha^i = \sum_{i=0}^{m-1} (a_i \;\mathrm{XOR}\; b_i)\,\alpha^i. \qquad (2)$$
Hence addition in $GF(2^m)$ is equivalent to component-wise application of the XOR operation and can be implemented by a chain of independent XOR gates.
In the more complicated case of multiplication we get
$$a \cdot b = \Big(a \cdot \sum_{i=0}^{m-1} b_i\,\alpha^i\Big) \bmod f = \Big(\sum_{i=0}^{m-1} (a \cdot b_i)\,\alpha^i\Big) \bmod f = \Big(\cdots\big((a\,b_{m-1})\,\alpha \bmod f + a\,b_{m-2}\big)\,\alpha \bmod f + \cdots\Big)\,\alpha \bmod f + a\,b_0. \qquad (3)$$
In Eq. (3), multiplication in $GF(2^m)$ has been reduced to a formula only involving multiplication of a polynomial with $\alpha$, multiplication with a scalar value and modulo computation.
Multiplication with $\alpha$ is just a left shift, and scalar multiplication with $v \in GF(2)$ can be computed as follows:
$$a \cdot v = \Big(\sum_{i=0}^{m-1} a_i\,\alpha^i\Big) \cdot v = \sum_{i=0}^{m-1} (a_i \cdot v)\,\alpha^i = \sum_{i=0}^{m-1} (a_i \wedge v)\,\alpha^i. \qquad (4)$$
According to Eq. (4), scalar multiplication is nothing else than component-wise conjunction with $v$ and can be performed with a chain of independent AND gates.
A closer look at Eq. (3) also shows that the involved modulo operation is only applied to polynomials with degree less than or equal to $m$. In the former case the polynomial is already reduced. If the degree equals $m$, we can perform modulo computation according to Eq. (1) as shown below:
$$\Big(\alpha^m + \sum_{i=0}^{m-1} a_i\,\alpha^i\Big) \bmod f = \sum_{i=0}^{m-1} f_i\,\alpha^i + \sum_{i=0}^{m-1} a_i\,\alpha^i = \sum_{i=0}^{m-1} (f_i + a_i)\,\alpha^i = \sum_{i=0}^{m-1} (f_i \;\mathrm{XOR}\; a_i)\,\alpha^i. \qquad (5)$$
Again, modulo computation of polynomials of degree $m$ can be achieved by simply adding the minimal (irreducible) polynomial $f$.
For a more detailed introduction to Finite Field Arithmetic see [2], [4] or [5].
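As an added example that is not part of the paper, the following Python code carries Eqs. (2) to (5) through on integers used as coefficient bit vectors: bit i of an integer is the coefficient of α^i, and f is the integer with bit m set. The Horner scheme of Eq. (3) is implemented literally (multiply by α, reduce with Eq. (5), add the next scalar product). The AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B) with the FIPS-197 product {57}·{83} = {c1}, and the two brute-force checks is_primitive and is_field, are my additions for exercising the code; none of them appears in the paper.

```python
# Added example, not from the paper: bit-level arithmetic in GF(2^m) following
# Eqs. (1)-(5).  An element a_0 + a_1*alpha + ... + a_{m-1}*alpha^{m-1} is the
# integer whose bit i is a_i; f(x) = x^m + f_{m-1}x^{m-1} + ... + f_0 is the
# integer with bit m set.

def gf_add(a: int, b: int) -> int:
    """Eq. (2): addition is coefficient-wise XOR."""
    return a ^ b

def gf_scalar_mult(a: int, v: int) -> int:
    """Eq. (4): multiplication with v in GF(2) is coefficient-wise AND."""
    return a if v & 1 else 0

def gf_mult_alpha(a: int) -> int:
    """Multiplication with alpha (= x) is a left shift by one position."""
    return a << 1

def gf_mod_f(a: int, f: int, m: int) -> int:
    """Eq. (5): reduce a polynomial of degree <= m modulo f (degree exactly m).
    Only the coefficient of alpha^m can stick out, so one XOR with f suffices;
    this is Eq. (1) applied once (over GF(2) the sign of the f_i is irrelevant)."""
    assert a >> (m + 1) == 0, "Eq. (5) only covers degree <= m"
    return a ^ f if (a >> m) & 1 else a

def gf_mult(a: int, b: int, f: int, m: int) -> int:
    """Eq. (3): Horner scheme from b_{m-1} down to b_0.  Every intermediate
    value has degree <= m, so gf_mod_f is sufficient at each step."""
    acc = 0
    for i in reversed(range(m)):
        acc = gf_mod_f(gf_mult_alpha(acc), f, m)
        acc = gf_add(acc, gf_scalar_mult(a, (b >> i) & 1))
    return acc

def is_primitive(f: int, m: int) -> bool:
    """True iff alpha generates all 2^m - 1 nonzero elements (the property
    stated after Eq. (1)).  Brute force, intended for small m only."""
    seen, x = set(), 1
    for _ in range((1 << m) - 1):
        if x in seen:
            return False
        seen.add(x)
        x = gf_mult(x, 0b10, f, m)      # multiply by alpha
    return x == 1

def is_field(f: int, m: int) -> bool:
    """True iff every nonzero element has a multiplicative inverse, i.e. iff
    GF(2)[x]/(f) really is GF(2^m).  Fails for reducible f.  Brute force."""
    nonzero = range(1, 1 << m)
    return all(any(gf_mult(a, b, f, m) == 1 for b in nonzero) for a in nonzero)

if __name__ == "__main__":
    AES_POLY = 0x11B                                   # x^8 + x^4 + x^3 + x + 1
    print(hex(gf_mult(0x57, 0x83, AES_POLY, 8)))       # FIPS-197 example
    print(is_primitive(0b10011, 4), is_primitive(AES_POLY, 8))
    print(is_field(0b10011, 4), is_field(0b10101, 4))  # x^4+x^2+1 = (x^2+x+1)^2
```

The AES polynomial is irreducible but not primitive (α = 0x02 has order 51), so is_primitive rejects it while is_field accepts it; x^4 + x^2 + 1 is reducible, so its residue ring has non-invertible elements.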


3 Circuit Architecture

The circuit architecture presented in [1] can be viewed as a straightforward realization of the theoretical results presented in Section 2. The circuit is shown in Figure 1.

[Figure 1: Architecture of the array multiplier. Input vectors a (coefficients a0, a1, ...), b (b0, b1, ...), f and hb enter the cell array; the rows produce the partial results c0, c1, ...]
The multiplier consists of input vectors a, f, hb, b and output vector c, which contains the computed result. a and b store the operands to be multiplied, where the rightmost cell in a contains coefficient a_0 and the uppermost cell of b contains b_{m-1}. f contains the coefficients of the primitive irreducible polynomial and hb functions as a highest-bit locator: if f has degree m, hb is true in column m and false everywhere else. Finally, vector c returns the coefficients of the product a · b.

The main component of the multiplier is the two-dimensional cell array in the middle of Fig. 1. Each cell has six input wires (a, b, d, f, hb, yi) and two output wires (yo and c). Fig. 2 shows the architecture of a single cell in more detail. The AND gate and the two XOR gates in the lower right corner perform component-wise multiplication and addition, respectively. The gates in the upper left corner form an overflow detector and determine when the modulo operation has to be applied. Once an overflow has been detected, the output yo propagates the signal through all other cells in the same row.

[Figure 2: A single multiplier cell with inputs d, a, f, hb and yi, and outputs yo and c.]
 Specication and Verication
In this section we rst describe how the circuit proposed in Section  has been
specied in higherorder logic Then we formulate the specication stating the
behavioral correctness of the circuit and briey explain how correctness has
been proven using the HOL	 theorem prover
4.1 Implementation Description

In HOL we represent elements of GF(2) by variables of type bool, while elements of GF(2^m) are modeled with type num -> bool. The circuit is described in a modular way (see Fig. 3) according to the architecture definition in Section 3. We define three predicates, CELL, ROW and ARRAY, stating the relationship between input and output values of the specific component.

[Figure 3: Hierarchy of the array multiplier: ARRAY is composed of ROWs, which are composed of CELLs.]
4.1.1 Cell

The CELL predicate is defined as follows:

    CELL (a:bool) (b:bool) (d:bool) (f:bool) (hb:bool)
         (yi:bool) (yo:bool) (c:bool) =
      ?s1 s2 s3 s4 s5 s6.
        AND_GATE hb d s1  /\
        OR_GATE  yi s1 yo /\
        AND_GATE a b s2   /\
        XOR_GATE s2 d s3  /\
        AND_GATE f yo s4  /\
        XOR_GATE s3 s4 s5 /\
        NOT_GATE hb s6    /\
        AND_GATE s5 s6 c

The definition exactly mirrors the circuit layout given in Fig. 2. The existentially quantified variables s1 to s6 represent intermediate signals connecting the different gates. The predicates NOT_GATE, AND_GATE, OR_GATE, XOR_GATE are defined as usual, e.g. XOR_GATE is defined as

    XOR_GATE X Y Z = (Z = (X /\ ~Y) \/ (~X /\ Y))

4.1.2 Row

The ROW predicate characterizes one single horizontal chain of cells and states the relationship between coefficient vectors a, d, f, hb, c and single coefficient b_i:

    ROW (a:num->bool) (b:bool) (d:num->bool) (f:num->bool)
        (hb:num->bool) (c:num->bool) =
      ?y:num->bool. !n:num.
        CELL (a n) b (d n) (f n) (hb n) (y (SUC n)) (y n) (c n)

The existentially quantified variable y represents the intermediate signals connecting output yo of cell n + 1 with input yi of cell n.

4.1.3 Array

The ARRAY predicate represents the whole multiplier array according to Fig. 1:

    array 0 a b f hb c = ROW a (b 0) (\n. F) f hb c
    array (SUC n) a b f hb c =
      ?(c'':num->bool) (c':num->bool).
        array n a b f hb c'' /\
        LEFT_SHIFT c'' c'    /\
        ROW a (b (SUC n)) c' f hb c

ARRAY is recursively defined with recursion variable n measuring the number of rows in the circuit. The base case n = 0 corresponds to a multiplier array containing one single row of cells. Predicate LEFT_SHIFT is used to specify the connecting wires between outputs of row n and inputs of row n + 1. Note that row n is fed with coefficient b n of the HOL vector b, i.e. b 0 belongs to the uppermost row of Fig. 1; in the notation of Section 2 this is b_{m-1}, the innermost coefficient of the Horner scheme in Eq. (3).
  Specication Description
To specify the correct behavior of the multiplier circuit we dene four functions
GFadd  numboolnumboolnumbool
GFscalarmult  numboolboolnumbool
GFmultX  numboolnumbool
GFmodf  numbool numbool num
performing addition multiplication with scalar values multiplication with 
and modulo computation respectively Function GFmodf takes an additional
variable of type num containing the degree of f  All function denitions are
fairly straightforward and based on the derived equations in Section  For ex
ample addition in GF 
m
 corresponds to a bitwise XORoperation according
to equation 	 In HOL we dene
val GFadd  newdefinition
GFadd
GFadd Xnumbool Ynumbool
 nnum X n  Y n  X n  Y n
Multiplication with a scalar value multiplication with x and modulo compu
tation are expressed similarly
The main theorem we want to prove about the multiplier is

Theorem 
Let c
m
denote the output of row number m m   Then
c
m
 a  b
m  
 mod f  a  b
m 
 mod f     mod f  a  b


In terms of HOLlogic the right side of formula  can be expressed re
cursively as shown below
GFproduct 
anumbool bnumbool fnumbool mnum
 GFscalarmult a b  
GFproduct SUC n
anumbool bnumbool fnumbool mnum
 GFadd GFmodf GFmultX GFproduct n a b f m f m
GFscalarmult a b SUC n
Hence theorem  can be stated as
n a b f hb m ASS  array n a b f hb GFproduct n a b f m
where ASS is a list of assumptions we have to make about the input vectors a
f  and hb More precisely for computations in GF 
m
 we need to postulate
the following assumptions

 the highest coecient of f is m

 hb
n
equals  if and only if n  m

 a
n
  for n  m
Using HOL the assumptions are written as
f m  T 
n  n  m  f n  F 
hb m  T 
n n  m  hb n  F 
n n  m  hb n  F 
a m  F 
n n  m  a m  F
Theorem  can be proven by induction on parameter n We get two major
subgoals
a b f hb m ASS  array  a b f hb GFproduct  a b f m
and
a b f hb m ASS  array n a b f hb GFproduct n a b f m
 a b f hb m ASS 
array SUC n a b f hb GFproduct SUC n a b f m
	
For both the base case and the induction step we make use of an intermediate lemma about the ROW predicate.

Lemma 1. For each row with inputs $a, d, f, hb \in GF(2^m)$, $b \in GF(2)$ and output $c$:
$$c = (d \bmod f) + a \cdot b. \qquad (7)$$

Lemma 1 is equivalent to the following HOL theorem:

    !a b d f hb m. ASS ==>
      ROW a b d f hb (GF_add (GF_modf d f m) (GF_scalarmult a b))

The proof of Lemma 1 mainly consists of term rewrites and two user-guided case splits. At the end most subgoals are statements about the CELL predicate that can be solved automatically by applying a user-defined HOL tactic.

While working on the proofs we have captured an error in the circuit design due to a missing NOT gate in the cell layout (Fig. 2 already shows the fixed cell architecture with the missing NOT gate added).
If we have a closer look at the assumption list, we note that a m is assumed to store F. In theory, for computations in GF(2^m) only the coefficients a_0 to a_{m-1} have to be taken into account, since a is considered to be a reduced polynomial. However, given the cell layout in Fig. 2, the content of a_m does influence the computed result: in column m the NOT gate on hb forces c_m to F, whereas the specification term GF_scalarmult a b contributes a_m ∧ b at position m. Hence the assumption a m = F is indispensable for the correctness statement; otherwise Theorem 1 no longer holds.
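The following Python model is an added example, not code from the paper: it mirrors the HOL predicates CELL, ROW and ARRAY of Section 4.1 and the specification functions GF_add, GF_scalarmult, GF_multX, GF_modf and GF_product of Section 4.2, truncating the infinite HOL vectors to the m + 1 columns 0..m (under the assumptions every higher coefficient is F). theorem_mismatches runs Theorem 1 exhaustively for a small m and additionally compares against an independent schoolbook reference (ref_mult, my own), and a_m_caveat reproduces the observation above: with a_m = T the row and its specification differ in column m. The FIPS-197 check value {57}·{83} = {c1} and all helper names are mine, not the paper's.

```python
# Added example, not from the paper: gate-level model of Fig. 1/Fig. 2 and of
# the HOL specification functions.  Vectors are lists of bools of width m + 1
# (columns 0..m); the HOL vectors are infinite, but all higher bits are F.

def cell(a, b, d, f, hb, yi):
    """Predicate CELL (Fig. 2): returns (yo, c) for one multiplier cell."""
    s1 = hb and d            # overflow detector: d_m is set in the hb column
    yo = yi or s1            # propagate the overflow flag along the row
    s2 = a and b             # a_i * b            (Eq. 4)
    s3 = s2 != d             # ... + d_i          (Eq. 2)
    s4 = f and yo            # ... + f_i if reducing (Eq. 5)
    s5 = s3 != s4
    s6 = not hb              # the NOT gate: column m of the result is always F
    return yo, s5 and s6

def row(a, b, d, f, hb):
    """Predicate ROW: c = (d mod f) + a*b (Lemma 1).  y runs from column m down."""
    w = len(a)
    c = [False] * w
    yi = False               # y (SUC n) of the highest column: nothing above m
    for n in reversed(range(w)):
        yi, c[n] = cell(a[n], b, d[n], f[n], hb[n], yi)
    return c

def left_shift(x):
    """Predicate LEFT_SHIFT: Y 0 = F, Y (SUC n) = X n.  The dropped top bit is
    c_m of the previous row, which the NOT gate keeps at F."""
    assert not x[-1]
    return [False] + x[:-1]

def array(a, b_rows, f, hb):
    """Predicate ARRAY: row k is fed b_rows[k]; the first row starts with d = 0."""
    c = row(a, b_rows[0], [False] * len(a), f, hb)
    for bk in b_rows[1:]:
        c = row(a, bk, left_shift(c), f, hb)
    return c

# --- specification side: the four HOL functions and GF_product -----------
def gf_add(x, y):        return [xi != yi for xi, yi in zip(x, y)]
def gf_scalarmult(x, s): return [xi and s for xi in x]
def gf_multx(x):         return [False] + x[:-1]
def gf_modf(x, f, m):    return gf_add(x, f) if x[m] else x

def gf_product(a, b_rows, f, m):
    """GF_product n a b f m with n = len(b_rows) - 1 (Horner scheme of Theorem 1)."""
    p = gf_scalarmult(a, b_rows[0])
    for bk in b_rows[1:]:
        p = gf_add(gf_modf(gf_multx(p), f, m), gf_scalarmult(a, bk))
    return p

# --- helpers (mine): int <-> bit vector, hb locator, independent reference -
def bits(v, w):  return [bool((v >> i) & 1) for i in range(w)]
def value(x):    return sum(1 << i for i, xi in enumerate(x) if xi)
def hb_vector(m): return [n == m for n in range(m + 1)]      # assumption 2
def b_top_down(b, m):                                        # b_{m-1} enters the top row
    return [bool((b >> i) & 1) for i in reversed(range(m))]

def ref_mult(a, b, f, m):
    """Independent reference: schoolbook product, then long division by f."""
    prod = 0
    for i in range(m):
        if (b >> i) & 1:
            prod ^= a << i
    for deg in range(2 * m - 2, m - 1, -1):
        if (prod >> deg) & 1:
            prod ^= f << (deg - m)
    return prod

def multiply(a, b, f, m):
    """Run the gate-level array on integers a, b < 2^m with f of degree m."""
    w = m + 1
    return value(array(bits(a, w), b_top_down(b, m), bits(f, w), hb_vector(m)))

def theorem_mismatches(f, m):
    """Theorem 1 checked exhaustively: circuit vs GF_product vs ref_mult.
    Returns the number of (a, b) pairs on which the three disagree."""
    w, fv, hb, bad = m + 1, bits(f, m + 1), hb_vector(m), 0
    for a in range(1 << m):              # a < 2^m, so assumption 3 (a_m = F) holds
        for b in range(1 << m):
            rows = b_top_down(b, m)
            circ = array(bits(a, w), rows, fv, hb)
            spec = gf_product(bits(a, w), rows, fv, m)
            if circ != spec or value(circ) != ref_mult(a, b, f, m):
                bad += 1
    return bad

def a_m_caveat(f, m):
    """Section 4.2's observation: with a_m = T the row and Lemma 1's right-hand
    side differ in column m.  Returns (circuit c_m, specification c_m)."""
    w = m + 1
    a, d = bits(1 << m, w), [False] * w  # a_m = T violates assumption 3 on purpose
    circ = row(a, True, d, bits(f, w), hb_vector(m))
    spec = gf_add(gf_modf(d, bits(f, w), m), gf_scalarmult(a, True))
    return circ[m], spec[m]

if __name__ == "__main__":
    print(theorem_mismatches(0b10011, 4))          # x^4 + x + 1, all 256 pairs
    print(hex(multiply(0x57, 0x83, 0x11B, 8)))     # FIPS-197 example
    print(a_m_caveat(0b10011, 4))
```

Because the gate model ignores whether f is irreducible (it only needs f_m = T and the hb locator), theorem_mismatches also returns 0 for reducible f; irreducibility is what makes the result a field element, not what makes the circuit agree with GF_product.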
An important property of our specification is its generic nature. The circuit has been specified for arbitrary size, i.e. even for infinite input vectors a. We have made the observation that the unconstrained size of the array has considerably simplified the proof instead of making it more complicated. Similar experiences with other theorem provers have been reported in [6].
5 Summary

In this paper we have formally specified and proven a real-life DSP multiplier circuit presented in [1], performing multiplication in Finite Fields GF(2^m). Unlike conventional shift-register type multipliers, the circuit is user-programmable and well suited for DSP integration due to its very high efficiency.

The circuit has been specified in higher-order logic using the HOL theorem prover. While proving the behavioral correctness we have captured a missing gate in the circuit architecture.

Our specification is generic and the correctness results hold for multipliers of arbitrary size.

Although a lot of subgoals can be proven automatically because of their propositional nature, a fairly high amount of user guidance is still needed. The PROSPER project (http://www.dcs.gla.ac.uk/prosper/) aims at the integration of different proof tools in a higher-order logic environment to achieve a higher degree of automation. The multiplier circuit has been chosen to serve as one of the benchmark examples for PROSPER to evaluate its practical strength.

Furthermore we plan to apply our verification approach to more complex circuits for Finite Field Arithmetic like inversion, division or GCD computation.
References

[1] Wolfram Drescher and Gerhard Fettweis. VLSI architectures for multiplication in GF(2^m) for application tailored digital signal processors. In Workshop on VLSI Signal Processing IX, San Francisco, CA.

[2] R.J. McEliece. Finite Fields for Computer Scientists and Engineers. Kluwer Academic Publishers, Boston, MA.

[3] M.J.C. Gordon and T.F. Melham. Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Cambridge University Press.

[4] S. Lin and D.J. Costello, Jr. Error Control Coding: Fundamentals and Applications. Prentice Hall.

[5] J. Lipson, editor. Elements of Algebra and Algebraic Computing. The Benjamin/Cummings Publishing Company, Inc.

[6] J.S. Moore. Ongoing commercial applications of the ACL2 theorem prover. In Alan J. Hu and Moshe Y. Vardi, editors, Proceedings of the International Conference on Computer-Aided Verification (CAV), Lecture Notes in Computer Science, Springer-Verlag.

[7] C.C. Wang, T.K. Truong, H.M. Shao, L.J. Deutsch and I.S. Reed. VLSI architectures for computing multiplications and inverses in GF(2^m). IEEE Transactions on Computers, August.

[8] C.S. Yeh, I.S. Reed and T.K. Truong. Systolic multipliers for finite fields GF(2^m). IEEE Transactions on Computers, April.
A Appendix: HOL Proof Script

    (* ------------------------------------------------------------------ *)
    (* Verification of a multiplier circuit                                *)
    (* for finite fields GF(2^m)                                           *)
    (*                                                                     *)
    (* Dirk Hoffmann                                                       *)
    (* Institut fuer Rechnerentwurf und Fehlertoleranz                     *)
    (* Universitaet Karlsruhe                                              *)
    (* hoff@ira.uka.de                                                     *)
    (* http://goethe.ira.uka.de/hvg                                        *)
    (*                                                                     *)
    (* requires HOL                                                        *)
    (*                                                                     *)
    (* Logical symbols, brackets and quotation marks have been restored    *)
    (* from the definitions in Section 4; the comparison operators in the  *)
    (* arithmetic lemmas num1, num2, num3 are a reconstruction.            *)
    (* ------------------------------------------------------------------ *)

    app load ["decisionLib", "tautLib"];
    open decisionLib;
    open tautLib;

    val num_Axiom  = prim_recTheory.num_Axiom;
    val INDUCT_TAC = INDUCT_THEN numTheory.INDUCTION ASSUME_TAC;

    new_theory "GF_mult";

    (* ------------------------------------------------------------------ *)
    (* Circuit description                                                 *)
    (* ------------------------------------------------------------------ *)

    val NOT_GATE = new_definition ("NOT_GATE",
      Term `NOT_GATE X Y = (Y = ~X)`);

    val AND_GATE = new_definition ("AND_GATE",
      Term `AND_GATE X Y Z = (Z = X /\ Y)`);

    val OR_GATE = new_definition ("OR_GATE",
      Term `OR_GATE X Y Z = (Z = X \/ Y)`);

    val XOR_GATE = new_definition ("XOR_GATE",
      Term `XOR_GATE X Y Z = (Z = (X /\ ~Y) \/ (~X /\ Y))`);

    (* wires between two rows: shift by one position, feed F into column 0 *)
    val LEFT_SHIFT = new_definition ("LEFT_SHIFT",
      Term `LEFT_SHIFT (X:num->bool) (Y:num->bool) =
              (Y 0 = F) /\ (!n. Y (SUC n) = X n)`);

    (* one cell of Fig. 2; s1..s6 are the internal wires *)
    val CELL = new_definition ("CELL",
      Term `CELL (a:bool) (b:bool) (d:bool) (f:bool)
                 (hb:bool) (yi:bool) (yo:bool) (c:bool) =
              ?s1 s2 s3 s4 s5 s6.
                AND_GATE hb d s1  /\
                OR_GATE  yi s1 yo /\
                AND_GATE a b s2   /\
                XOR_GATE s2 d s3  /\
                AND_GATE f yo s4  /\
                XOR_GATE s3 s4 s5 /\
                NOT_GATE hb s6    /\
                AND_GATE s5 s6 c`);

    (* one row of cells; y (SUC n) is the yi input and y n the yo output of cell n *)
    val ROW = new_definition ("ROW",
      Term `ROW (a:num->bool) (b:bool) (d:num->bool)
                (f:num->bool) (hb:num->bool) (c:num->bool) =
              ?y:num->bool. !n:num.
                CELL (a n) b (d n) (f n) (hb n) (y (SUC n)) (y n) (c n)`);

    (* n + 1 rows; row k receives coefficient b k *)
    val array = new_recursive_definition
      {name = "array",
       fixity = Prefix,
       rec_axiom = num_Axiom,
       def = Term
         `(array 0 a b f hb c = ROW a (b 0) (\n. F) f hb c) /\
          (array (SUC n) a b f hb c =
             ?(c'':num->bool) (c':num->bool).
               array n a b f hb c'' /\
               LEFT_SHIFT c'' c'    /\
               ROW a (b (SUC n)) c' f hb c)`};

    (* ------------------------------------------------------------------ *)
    (* Specification                                                       *)
    (* ------------------------------------------------------------------ *)
    (* A R I T H M E T I C   F U N C T I O N S *)

    (* Addition in GF(2^n) = componentwise XOR *)
    val GF_add = new_definition ("GF_add",
      Term `GF_add (X:num->bool) (Y:num->bool) =
              \n:num. (X n /\ ~Y n) \/ (~X n /\ Y n)`);

    (* Scalar multiplication in GF(2^n) = componentwise AND *)
    val GF_scalarmult = new_definition ("GF_scalarmult",
      Term `GF_scalarmult (X:num->bool) (scalar:bool) = \n:num. X n /\ scalar`);

    (* Multiplication with x = left shift *)
    val GF_multX = new_definition ("GF_multX",
      Term `GF_multX (A:num->bool) = \n:num. (n = 0) => F | A (PRE n)`);

    (* Reduction of a polynomial of degree <= degree_f: add f if bit degree_f is set *)
    val GF_modf = new_definition ("GF_modf",
      Term `GF_modf (X:num->bool) (f:num->bool) (degree_f:num) =
              X degree_f => GF_add X f | X`);

    (* Horner scheme of Eq. (3) / Theorem 1 *)
    val GF_product = new_recursive_definition
      {name = "GF_product",
       fixity = Prefix,
       rec_axiom = num_Axiom,
       def = Term
         `(GF_product 0 (a:num->bool) (b:num->bool) (f:num->bool) (m:num) =
             GF_scalarmult a (b 0)) /\
          (GF_product (SUC n) (a:num->bool) (b:num->bool) (f:num->bool) (m:num) =
             GF_add (GF_modf (GF_multX (GF_product n a b f m)) f m)
                    (GF_scalarmult a (b (SUC n))))`};

    (* ------------------------------------------------------------------ *)
    (* A S S U M P T I O N S                                               *)
    (* ------------------------------------------------------------------ *)

    val asm = Term
      `(f m = T) /\ (!n. n > m ==> (f n = F)) /\
       (hb m = T) /\ (!n. n > m ==> (hb n = F)) /\ (!n. n < m ==> (hb n = F)) /\
       (a m = F) /\ (!n. n > m ==> (a n = F))`;

    (* ------------------------------------------------------------------ *)
    (* T H E O R E M S                                                     *)
    (* ------------------------------------------------------------------ *)

    val mod_0 = prove (Term `!f m. GF_modf (\n. F) f m = (\n. F)`,
      REWRITE_TAC [GF_modf]);

    val add_0 = prove (Term `!x:num->bool. GF_add (\n. F) x = x`,
      STRIP_TAC
      THEN REWRITE_TAC [GF_add, ETA_CONV (Term `\n. (x:num->bool) n`)]);

    (* the wiring between two rows implements multiplication with x *)
    val LEFT_SHIFT_lemma =
      let
        val stdrw = DECIDE (Term `(!n. PRE (SUC n) = n) /\ (!n. (SUC n = 0) = F)`)
      in
        prove (Term `!X:num->bool. LEFT_SHIFT X (GF_multX X)`,
          REWRITE_TAC [LEFT_SHIFT, GF_multX]
          THEN BETA_TAC
          THEN REWRITE_TAC [stdrw])
      end;

    (* case split on a decidable disjunction *)
    fun MY_SPLIT_TAC cond =
      let
        val cond_thm = DECIDE cond
      in
        ASSUME_TAC cond_thm
        THEN UNDISCH_TAC cond
        THEN STRIP_TAC
      end;

    (* defined once, outside CELL_TAC: a constant cannot be defined twice *)
    val XOR = new_definition ("XOR",
      Term `XOR a b = (a /\ ~b) \/ (~a /\ b)`);

    (* solves a CELL subgoal by supplying the six internal wires explicitly *)
    fun CELL_TAC a b d f hb yi =
      REWRITE_TAC [CELL]
      THEN EXISTS_TAC (Term `^hb /\ ^d`)
      THEN EXISTS_TAC (Term `^a /\ ^b`)
      THEN EXISTS_TAC (Term `XOR (^a /\ ^b) ^d`)
      THEN EXISTS_TAC (Term `^f /\ (^yi \/ ^d /\ ^hb)`)
      THEN EXISTS_TAC (Term `XOR (XOR (^a /\ ^b) ^d) (^f /\ (^yi \/ ^d /\ ^hb))`)
      THEN EXISTS_TAC (Term `~^hb`)
      THEN REWRITE_TAC [XOR, NOT_GATE, AND_GATE, XOR_GATE, OR_GATE]
      THEN TAUT_TAC;

    (* Lemma 1: c = (d mod f) + a * b for every row *)
    val ROW_lemma =
      let
        val t  = Term `T`
        val f  = Term `F`
        val b  = Term `b:bool`
        val an = Term `(a:num->bool) n`
        val fn = Term `(f:num->bool) n`
        val dn = Term `(d:num->bool) n`
        (* the overflow chain: T below the hb column iff d m is set *)
        val witness = Term `\n:num. n > m => F | (d:num->bool) m`
        val num1  = prove (Term `!n m. n < m ==> ((SUC n > m) = F)`, DECIDE_TAC)
        val num2  = prove (Term `!n m. n < m ==> ((n = m) = F)`, DECIDE_TAC)
        val num3  = prove (Term `!n m. n > m ==> SUC n > m`, DECIDE_TAC)
        val stdrw = prove (Term `((SUC n > n) = T) /\ ((n > n) = F) /\ ((n < n) = F)`,
                           DECIDE_TAC)
      in
        store_thm ("ROW_lemma",
          Term `!a b d f hb m. ^asm ==>
                  ROW a b d f hb (GF_add (GF_modf d f m) (GF_scalarmult a b))`,
          REPEAT STRIP_TAC
          THEN REWRITE_TAC [ROW]
          THEN EXISTS_TAC witness
          THEN STRIP_TAC
          THEN MY_SPLIT_TAC (Term `(n > m) \/ (n = m) \/ (n < m)`)
          THEN MY_SPLIT_TAC (Term `((d:num->bool) m = T) \/ (d m = F)`)
          THEN ASM_REWRITE_TAC [stdrw, GF_modf, GF_scalarmult, GF_add]
          THEN BETA_TAC
          THEN ASM_REWRITE_TAC [stdrw]
          THEN ASSUME_TAC num1
          THEN ASSUME_TAC num2
          THEN ASSUME_TAC num3
          THEN RES_TAC
          THEN ASM_REWRITE_TAC []
          THENL [CELL_TAC f  b t  t  t f,      (* column m,  d m = T *)
                 CELL_TAC f  b f  t  t f,      (* column m,  d m = F *)
                 CELL_TAC an b dn fn f t,      (* column < m, d m = T *)
                 CELL_TAC an b dn fn f f,      (* column < m, d m = F *)
                 CELL_TAC f  b dn f  f f,      (* column > m *)
                 CELL_TAC f  b dn f  f f])
      end;

    (* Theorem 1 by induction on the number of rows *)
    val MAIN_THM =
      let
        val ROW_lem_spec1 = PURE_REWRITE_RULE [mod_0, add_0]
          (SPECL [Term `a:num->bool`, Term `(b:num->bool) 0`, Term `\n:num. F`,
                  Term `f:num->bool`, Term `hb:num->bool`, Term `m:num`] ROW_lemma)
        val ROW_lem_spec2 =
          SPECL [Term `a:num->bool`, Term `(b:num->bool) (SUC n)`,
                 Term `GF_multX (GF_product n a b f m)`,
                 Term `f:num->bool`, Term `hb:num->bool`, Term `m:num`] ROW_lemma
        val witness1 = Term `GF_product n a b f m`
        val witness2 = Term `GF_multX (GF_product n a b f m)`
      in
        store_thm ("MAIN_THM",
          Term `!n a b f hb m. ^asm ==> array n a b f hb (GF_product n a b f m)`,
          INDUCT_TAC
          THEN REPEAT STRIP_TAC
          THEN REWRITE_TAC [array, GF_product]
          THENL [ASSUME_TAC ROW_lem_spec1 THEN RES_TAC,
                 EXISTS_TAC witness1
                 THEN EXISTS_TAC witness2
                 THEN REPEAT STRIP_TAC]
          THENL [RES_TAC,
                 ASSUME_TAC LEFT_SHIFT_lemma,
                 ASSUME_TAC ROW_lem_spec2 THEN RES_TAC]
          THEN ASM_REWRITE_TAC [])
      end;

    print_theory "-";
    export_theory ();

