Invariants play critical roles in restricting the search space during Sequential Equivalence Checking (SEC), especially for those instances with few internal equivalent points. For large circuits, there can be too many potential invariants relating signals between the two circuits, thereby requiring much time to prove. However, we observe that a large portion of the potential invariants may not even contribute to equivalence checking. Moreover, equivalence checking can be significantly helped if there exists a method to check if a subset of potential invariants would be sufficient (e.g., whether two-nodes are enough or multi-nodes are also needed) prior to the verification step. In this paper, we address these problems and propose a sufficiency-based approach to identify useful invariants out of the initial potential invariants for SEC. Experimental results show that our approach can either demonstrate insufficiency of the invariants or select a small portion of them to successfully prove the equivalence property.
I. INTRODUCTION
Over the years, the Integrated Circuit industry has been driven by the goals of speed, size, power efficiency, reliability, etc., most of which can be attributed to the successes in logic synthesis and optimization. Equivalence checking aims to verify if two circuits have the same input/output behavior and plays an essential and critical role for successful synthesis and optimization. For example, if we have no sequential equivalence checking (SEC) capability and all we have is Combinational Equivalence Checking (CEC), sequential optimizations that require alteration of the state encoding would be shunned, since there would not be a viable way to check if the optimized design preserves the original function of the circuit. SEC checks the preservation of the circuit function after sequential optimizations, and the fact that the current SEC techniques remain rather rudimentary makes aggressive sequential optimizations difficult.
Although different notions of SEC have been suggested, including Reset Equivalence, Sequential Hardware Equivalence (SHE) [1], Safe Replacement and Delay Replacement [2], Three-valued Safe Equivalence [3], etc., SEC fundamentally is to check whether two circuits produce the same outputs for any input sequences applied. The different notions of SEC mentioned above can be broadly divided into two categories: equivalence that requires a specific initial state and equivalence that does not. Equivalence that requires a specific initial state only needs to guarantee that the two circuits behave the same after they are brought into a specified state and is thus an easier notion.
supported in part by NSF grant 1016675
978-1-4577-1743-7/11/$26.00 ©2011 IEEE
The difficulty of SEC lies in the exponential number of states that the product machine of the two designs can have, which brings 3 major problems to purely simulation-based approaches: i) Excessive number of testbenches need to be built and evaluated according to different input scenarios; ii) Much time is needed for simulation; iii) 100 percent coverage is hardly achieved. On the other hand, formal methods (and some semi-formal methods) based on mathematical reasoning do not have these problems and have the potential of proving the equivalence of the two designs. However, formal techniques currently have problems of their own; in particular, they suffer from potential state space explosion.
In [4], a BDD-based assume-and-verify induction over a two-time-frame model was used to demonstrate the validation of the suspected redundant signals, therefore eliminating the need for state traversal during SEC. The work was recently extended by [5], which utilizes a SAT-based technique and targets both retiming and resynthesis optimizations. In [6], a K-th invariant based SEC framework is suggested with a combination of a Bounded Model Checker to ensure equivalence in the first K time-frames and an IProver to prove equivalence after the K-th time-frame. A recent industrially successful approach was suggested in [7], where the authors incorporated multiple algorithms into their own SEC toolset, Sixthsense, and the tool was able to explore equivalent signal pairs for redundancy removal on designs with up to 10,000 state elements.
Despite the success of SEC techniques targeting Reset Equivalence, an initial state of a hardware design is not always available in practice. Although [8], [9] have proposed SAT-based methods for computing reset states, deriving them remains a hard problem. Therefore, techniques targeting equivalence without a specific initial state have also been proposed over the years.
In [10], a SAT-based method is proposed to use dual-rail encoding to represent X as initial states, converting the problem to a 2-valued equivalence problem with a known initial state. Although techniques that require a reset state can then be applied, the approach essentially doubles the number of signals. Recently, more work has emerged on approximately computing the reachable state space by inductively proving invariants based on SAT. These approaches target the equivalence that only requires initial states to be in reachable states. In [11], equivalent flip-flop pairs between circuits are explored. Potential equivalent flip-flops were first derived by random simulation, then a modified s-graph that only has flip-flops and outputs as its nodes is created to reduce the flip-flop pairs for final induction. A recent data-mining based approach proposed in [12] targets hard-to-verify circuits. Through mining Boolean relationships among flip-flops using the data-mining tool BLOSSOM [13], powerful complex multi-node relationships are derived, verified and proven to be able to constrain the search space enough to verify the equivalence of the circuits. Approaches have also been suggested to efficiently verify invariants. In [14] the authors suggested an operation CMERGE during the assumption step to efficiently reduce the number of clauses while avoiding unnecessary loss of constraint. During the verify step, they refine candidate groups by performing solution-based simulation whenever an invariant is proven to be false.
In this paper, we target equivalence checking without the need of a specific initial state and propose a filtering technique to reduce the number of potential invariants before they are proven/verified. For many circuits, there can be too many potential invariants requiring much time to prove. In addition, we observed that a large portion of them may not even contribute to equivalence checking. Our filtering scheme thus can select a subset of powerful potential invariants towards the target, equivalence checking, based on an over-approximation model that judges the sufficiency of the invariants selected. The approach is highly flexible and can be applied on circuits with very different state encodings and/or combined with other synthesis techniques. Experimental results show that our approach can either demonstrate insufficiency of the invariants or select a small portion of them to successfully prove the equivalence property. To the best of our knowledge, no similar work has been done before.
The rest of the paper is organized as follows. In Section 2 we go over some basics in SAT-based SEC. In Section 3 we introduce the first filtering model and in Section 4 we introduce the second filtering model that can combine with the first model. In Section 5 we explain the whole SEC framework. In Section 6 we discuss experimental results to illustrate the power of the techniques. In Section 7 we conclude the paper.
II. BACKGROUND

A. Miter Circuit and Circuit Unrolling
A miter circuit is created from two circuits. Suppose equivalence is being checked for circuits $C_1$ and $C_2$; the miter circuit $C_{miter}$ (Fig. 1) can be constructed by: 1) tying the corresponding primary inputs (PIs) of $C_1$ and $C_2$ together, and 2) joining the corresponding primary outputs (POs) of $C_1$ and $C_2$ by XOR gates. For sequential circuits, a $k$-time-frame unrolled circuit as shown in Fig. 2
The equivalence property of the two designs is denoted by the XOR gate in the miter being constant 0. If the problem is being solved by a Satisfiability (SAT)-based approach, after converting the (unrolled) miter circuit to a CNF formula, a unit clause is added to force the XOR gate to 1, meaning the corresponding output-pair gets different values. When there are multiple outputs in each circuit, an OR gate can be used to connect all XOR gates and is forced to 1 in the CNF instead of the individual XOR gates. If a SAT solver proves that no assignment exists for this CNF formula, the equivalence of the designs is proved. A two-time-frame-unrolled circuit model is the basis of the two-time-frame model used for proving inductive invariants, and the multi-time-frame filtering model is used in this paper for our filtering algorithm. We note that different SAT solvers exist, including MiniSat [15] and zChaff [16]. We use zChaff as the underlying SAT solver in our approach, but any SAT solver can be used.
B. Invariants and Assume-then-Verify Approach
During SAT-based formal verification for sequential circuits, the relationships of signals that remain unchanged during circuit transition are denoted by invariants and can be represented by clauses. For example, suppose in a circuit, a 1 on signal A always implies a 0 on signal B; then a clause $(\neg A \lor \neg B)$ can be added to the CNF formula as an invariant constraint. Identification of a sufficient number of true invariants can effectively restrict the state space, thus proving certain properties (equivalence of the two circuits in our case) that hold in the restricted state space. Consider Fig. 3: the state space inside the circle with the thickest border represents the states where the equivalence property holds, and the inner gray area indicates the actual set of reachable states. Suppose all four invariants (Invariant A, B, C and D) labeled in the figure are true; then it is easily observed that, without the need of computing the exact reachable states, the state space constrained by these four invariants is enough to prove the equivalence property. In other words, although the constrained state space is larger than the exact set of reachable states, it is well within the state set for which the equivalence property holds.
Fig. 3: Constraining Power of Invariants on the State Space
To categorize invariants, we need to categorize the state space first. We first denote the group of states that a design can reach starting from an unknown state as the reachable states. Then we denote all the other states as unreachable states. We further divide unreachable states: there is a group of states that can be reached from some unreachable states, and the rest of the states cannot be reached from any state. We denote these states that cannot be reached from any state as invalid states. Based on the categorization of these three groups, we can divide invariants into two kinds: static invariants that represent static signal relationships that exist in reachable, unreachable, or invalid states, and inductive invariants that represent signal relationships that hold in the reachable states but may not hold in the unreachable states. Static invariants are automatically enforced by the circuit structure, and they do not need to be added as clauses explicitly (although adding some of them has been shown in [17] to be useful in speeding up SAT calls during CEC). For example, Invariant D (the outer-most constraint) in Fig. 3 is an example of a static invariant as it does not restrict the search space any further. On the other hand, Invariants A, B, C are examples of inductive invariants and they define a smaller search space than that imposed by the circuit structure itself.
Lemma 1: For a sequential miter circuit $C_{miter}$, if there exists a group of potential invariants $I_{group}$ among flip-flops that satisfies (i) an input sequence $I_{seq}$ can take the circuit from an unknown state to a state $S_{init}$ where all invariants in $I_{group}$ are true, and (ii) for all states that do not violate any invariants in $I_{group}$, all invariants in $I_{group}$ remain true in the subsequent time-frames, then all invariants in $I_{group}$ hold true in all reachable states.
Proof: We prove this inductively. First, since $S_{init}$ is reached by applying $I_{seq}$ from an unknown state, $S_{init}$ is reachable. We are also given that all invariants in $I_{group}$ are true in $S_{init}$. Next, since we are also given that any state that holds invariants in $I_{group}$ continues to hold them in any next state that can be transitioned to, starting from $S_{init}$ that holds $I_{group}$, all subsequent states reachable after $S_{init}$ with any input sequence will also hold them. Finally, since the set of reachable states forms a strongly connected component, there exists a path from $S_{init}$ to all reachable states. Hence, all reachable states would hold $I_{group}$. ■
In practice, to satisfy condition (i), potential invariants can be derived by random simulation to any reached state(s). To satisfy condition (ii), a fix-point calculation (based on an iterative assume-then-verify approach) can be used. The fix-point computation can be executed based on an unrolled two-time-frame model as indicated in Fig. 2 when $k$ is set to 2. We denote this model as $M_{simple}$.
In the approach, all potential invariants from the invariant group are assumed to be true in the first time-frame, and the negation of one of the candidate invariants is imposed on the second time-frame to check if it holds or not. If not, the corresponding candidate is removed from the group. The approach needs to be iterated until a fix point is reached, where all invariants that remain in the group have been proved to be true.
III. INVARIANT FILTERING MODEL I
A. Motivation
Consider Fig. 3. Among Invariants A, B, C, D, we are only interested in inductive invariants A, B, C, since D is a static invariant and does not contribute to restricting the state space. Next, invariants A and B are of our utmost interest because combining A and B alone is sufficient to restrict the state space to be inside the space where the equivalence property holds. Although a direct intuition for finding powerful invariants like A and B is to first compute the search space that each invariant restricts and then select an optimal group of them algorithmically, the computation of the space that each invariant restricts can be too complicated, making it very difficult to put into practice. On the other hand, we observe that during SEC, whenever a SAT solver returns a satisfiable solution on the unrolled miter (with an unconstrained initial state) that indicates equivalence has not been proved, the assignment returned by the SAT solver can be extremely valuable since it represents one or more (starting) states that can violate the equivalence property. Therefore, invariants that can block out the satisfiable assignments have more potential in restricting the state space towards the space where equivalence holds.
For example, suppose there are 3 invariants: $I_1$: $(\neg A \lor B)$, $I_2$: $(A \lor B)$ and $I_3$: $(\neg B \lor \neg C)$. In addition, the SAT solver returns a satisfiable solution for the unrolled miter (initial state unconstrained) with assignment 101 on signals A, B, C, respectively. Out of all 3 invariants, we say that $I_1$ has more value than the other two since it prevents the SAT solver from deriving this assignment by preventing A and B from being 1 and 0 simultaneously. Based on this observation, we start with a simple algorithm to select invariants as indicated in Algorithm 1.
The problem of this simple algorithm lies in the fact that the selected invariants are applied before they are proved. Many of these invariants might be false in the first place. Or if they are true, the truthfulness may depend on some other invariants and can only be proved when these invariants are present. As a result, after proving the invariants, the invariants that are true may often be a small subset of the original set of potential invariants selected by Algorithm 1, which is insufficient to prove the equivalence property. Therefore, we propose the filtering technique next.
B. The Proposed Filtering Technique
In this technique, a miter for the two circuits under verification is first created and unrolled for $k$ time-frames. During selection, the invariants are only applied to the first time-frame and the goal is to select enough invariants that make it impossible for any output-pair to be distinguished in any of the $k$ time-frames. Consider the unrolled miter illustrated in Fig. 4. This is essentially to select those potential invariants that would make all the $O_i$ signals 0, starting from any initial state of the unrolled instance.
Proof: We prove this by contradiction. Suppose there exists a reachable state $S_{init}$ that can lead to $s_{unreachable}$; $s_{unreachable}$ must also be reachable since reachable states form a terminally strongly connected component. However, this contradicts the fact that $s_{unreachable}$ is known to be unreachable. ■
In the invariant selection scheme listed in Algorithm 2, whenever there is a SAT solution for $M$, it means that $O_{currentVerifyTF} = 1$ must be satisfiable, indicating that there exists an initial state that can distinguish at least one output pair. We add to $I_{filtered}$ all potential invariants that can block each SAT solution. If the two circuits are indeed equivalent, according to Lemma 2, the states leading up to currentVerifyTF must also be invalid. Theoretically we can select invariants according to signal assignments from time-frames 1 to currentVerifyTF. However, since we are only applying invariants on the first time-frame, we find that it is more effective to select invariants only according to the signal assignments on the first time-frame. Next, we increment currentVerifyTF whenever the SAT solver returns UNSAT. This allows us to include more potential invariants to falsify the formula deeper in $M$. In so doing, we will eventually include all those potential invariants which can set the miter output to 1 in any of the $k$ time-frames.
Proposition 1: In the invariant selection scheme listed in Algorithm 2, a large portion of static invariants are avoided implicitly.
Proof: [Argument] In Algorithm 2, we are selecting invariants based on signal assignments which comply with the circuit structure. Therefore, static invariants that represent signal relationships based on circuit structure will never be selected to falsify the satisfiable solution. However, we need to point out that since the initial state is unconstrained in our filtering model, some static invariants whose truthfulness is based on state space transition might still get selected. ■
Proposition 1 is worth mentioning considering how difficult it is to compute two-node static implications [18], yet how easily a large portion of both two-node and multi-node static invariants can be avoided by our invariant selection scheme.
Definition 1: For a group of true invariants $I_{true}$, we say that $I_{true}$ is k-sufficient if adding these invariants to all $k$ time-frames of $M$ makes $f_M$ UNSAT. This means that these invariants are sufficient to constrain the state space to prove the equivalence property.
Definition 2: For a group of potential invariants $I_{potential}$, we define them as k-sufficient if the true invariants $I_{true} \subseteq I_{potential}$ are k-sufficient. On the contrary, we define $I_{potential}$ as k-insufficient if $I_{true} \subseteq I_{potential}$ are not k-sufficient.
Theorem 1: While solving $f_M$ with constraints from $I_{base}$ already added on the first time-frame of $M$, if the SAT solver returns a satisfiable assignment $S_M$, then $I_{base}$ is k-insufficient.
Proof: We prove this by contradiction. Suppose $I_{base}$ were k-sufficient, meaning that $I_{true} \subseteq I_{base}$ are k-sufficient. After constraining $I_{base}$ in the first time-frame of $M$, $I_{true}$ are also included. Because $I_{true}$ are true invariants, they are also true on all successive time-frames in $M$. Because $I_{true}$ is k-sufficient, the SAT solver should return UNSAT after solving $f_M$, therefore contradicting the premise that the instance was satisfiable with a satisfying assignment $S_M$. ■
IV. INVARIANT FILTERING MODEL II
A. Motivation
Note that even if $I_{base}$ is sufficient for $M$, $I_{base}$ may not be sufficient for $M_{simple}$ (recall that $M_{simple}$ is a two-time-frame model of the miter). And because $M_{simple}$ is the model used for the fix-point calculation to compute $I_{true}$ to save computational costs, cases exist where $I_{base}$ is sufficient, but $I_{filtered}$ from Algorithm 2 is not. The reason is that the filter framework is over the $k$-time-frame $M$ and not the 2-time-frame $M_{simple}$. Therefore, it only guarantees that the invariants, if they hold for $k$ time-frames, are able to restrict the state space such that the equivalence property holds in $f_M$. As a result, the true invariants obtained by the fix-point calculation over $M_{simple}$ can be fewer, such that they are no longer sufficient. Thus for these circuits, we need a second filtering technique that is based on a model using basic induction only.
B. The Proposed Filtering Technique
A general model that Filtering Technique II relies on is shown in Fig. 5. If the invariants only involve flip-flops, the model can be simplified to Fig. 6. In both the general model and the simplified model, 'k timeframes' does not mean actual timeframes, but rather time-frames that functionally count. For convenience, we denote a timeframe as $l$-a or $l$-b $(1 \le l \le k)$, where a and b denote the first and second time-frame, respectively. Comparing Fig. 5 to Filtering Model I, we break the state element connections after every two time-frames. We also insert a time-frame to pass only the constraints from their previous time-frames, thus enabling exact basic induction implicitly.
The above two clauses impose the following: whenever $(A_{1\text{-}b}, B_{1\text{-}b})$ is (0, 0), (0, 1) or (1, 0), $(A_{2\text{-}a}, B_{2\text{-}a})$ also has to be one of the three combinations. Conversely, whenever $(A_{2\text{-}a}, B_{2\text{-}a})$ is (1, 1)
For three-node invariants, without losing generality, the transferring clauses for invariant $(\neg A \lor \neg B \lor \neg C)$ are:
Let the unrolled miter circuit shown in
Definition 3: We define APPLY-2 as a function that adds an invariant $i$ to $M'$ directly in the first time-frame of $M'$ and, for all subsequent time-frames in $M'$, adds transferring clauses between time-frames $l$-b and $(l+1)$-a.
Based on this Filtering Model II, we propose the invariant selecting scheme in Algorithm 3. Note that in Algorithm 3, the reason for selecting invariants based on signal assignments in all time-frames is that we want to make the most out of each satisfiable solution that the SAT solver returns.
Theorem 2: While solving $f_{M'}$ with invariants from $I_{base}$ already added on $M'$ (via the APPLY-2 function), if the SAT solver still returns a satisfiable solution $S_{M'}$, then $I_{base}$ is 2-insufficient.
Proof: We prove this by contradiction. Suppose $I_{base}$ is 2-sufficient. Therefore, $I_{true} \subseteq I_{base}$ is 2-sufficient. After adding $I_{base}$ to $M'$ via the APPLY-2 function, $I_{true}$ are also added, since $I_{true}$ is a subset of $I_{base}$. Because $I_{true}$ contains true invariants, they are passed to all time-frames in $M'$, including time-frames that have only connections with previous time-frames by transferring clauses of $I_{base}$. Considering the last two time-frames of $M'$, because $I_{true}$ is 2-sufficient and has been added to the circuit model, the SAT solver should return UNSAT for $f_{M'}$, contradicting the premise that the formula was satisfiable. ■
V. SUFFICIENCY-BASED SEC FRAMEWORK
We propose the entire sufficiency-based SEC framework that can be embedded with either Filtering Technique I or a combination of Filtering Techniques I and II as illustrated in Fig. 7. Since potential invariants are derived from random simulation, there could be many potential invariants extracted as a result, needing effective filtering mechanisms. Every candidate potential invariant extracted has the following characteristic: it has never been violated by any of the stimuli in the random simulation trace. Hence, if a potential invariant involves only state variables (flip-flops), then it is consistent with all states reached thus far by random simulation. And the fact that it is true in at least one such reachable state suffices for a valid base case in the inductive proof. On the other hand, if a potential invariant involves internal signals, the random trace is insufficient to serve as a base case, since we have not exhausted all possible input combinations for a given state to ensure that the potential invariant is indeed true for all possible inputs within at least one known reachable state. Nevertheless, our filtering frameworks choose those relevant potential invariants for the subsequent fix-point calculation of inductive invariants. Therefore, handling a subset of filtered invariants would take much less time, which is discussed next in the results section.
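The flow described in Sections II-B, III-B and V (potential invariants from simulation, Filtering Technique I, then the assume-then-verify fix-point), as an added Python example that is not the authors' C++ implementation. It assumes a constructed toy miter (a binary-encoded mod-3 counter against a one-hot ring), replaces the SAT solver with brute-force state enumeration, and follows the prose description of the selection scheme because the Algorithm 2 listing is not reproduced on this page.

```python
"""Toy sufficiency-based SEC flow: filter (Technique I) -> fix-point -> equivalence check.
Brute-force state enumeration stands in for the SAT solver (assumption of this example)."""
from itertools import combinations, product

NBITS = 5                      # flip-flops of the miter: a1, a0 | h0, h1, h2
STATES = list(product((0, 1), repeat=NBITS))
S_INIT = (0, 0, 1, 0, 0)       # constructed known-good state used for simulation


def step(s, en):
    """One clock of both circuits: binary mod-3 counter and one-hot ring, shared enable."""
    a1, a0, h0, h1, h2 = s
    if not en:
        return s
    return (int(not a1 and a0), int(not a1 and not a0), h2, h0, h1)


def miter(s):
    """XOR of the two primary outputs (z1 = a1, z2 = h2); 1 means the outputs differ."""
    return s[0] ^ s[4]


def holds(clause, s):
    """A clause is a tuple of (flip-flop index, required value) literals."""
    return any(s[v] == val for v, val in clause)


def satisfying(clauses):
    """All states allowed by a set of clauses (the 'constrained state space')."""
    return [s for s in STATES if all(holds(c, s) for c in clauses)]


def potential_invariants(max_width, cycles=6):
    """Clauses over 2..max_width flip-flops never violated on a simulated trace."""
    seen, s = {S_INIT}, S_INIT
    for _ in range(cycles):
        s = step(s, 1)
        seen.add(s)
    return [c
            for w in range(2, max_width + 1)
            for vs in combinations(range(NBITS), w)
            for vals in product((0, 1), repeat=w)
            for c in [tuple(zip(vs, vals))]
            if all(holds(c, t) for t in seen)]


def counterexample(selected, frame):
    """First-frame state allowed by `selected` whose miter output is 1 at `frame`."""
    for s0 in satisfying(selected):
        for ins in product((0, 1), repeat=frame - 1):
            s = s0
            for en in ins:
                s = step(s, en)
            if miter(s):
                return s0
    return None


def filter_one(cands, k):
    """Select invariants that block every distinguishing start state within k frames.
    Returns None when a counterexample violates no candidate (k-insufficient)."""
    selected, frame = [], 1
    while frame <= k:
        s0 = counterexample(selected, frame)
        if s0 is None:
            frame += 1             # "UNSAT" at this depth: look one frame deeper
            continue
        blockers = [c for c in cands if not holds(c, s0)]
        if not blockers:
            return None            # even all candidates together cannot block s0
        selected += blockers       # constraints are applied to the first frame only
    return selected


def fixpoint(invs):
    """Assume-then-verify over two time-frames until no candidate is dropped."""
    invs = list(invs)
    while True:
        nxt = [step(s, en) for s in satisfying(invs) for en in (0, 1)]
        kept = [c for c in invs if all(holds(c, t) for t in nxt)]
        if len(kept) == len(invs):
            return kept
        invs = kept


def sec(max_width, k):
    """Return (verdict, number of potential invariants, number kept by the filter)."""
    cands = potential_invariants(max_width)
    filtered = filter_one(cands, k)
    if filtered is None:
        return "insufficient", len(cands), 0
    true_invs = fixpoint(filtered)
    proved = not any(miter(s) for s in satisfying(true_invs))
    return ("equivalent" if proved else "unproved"), len(cands), len(filtered)


if __name__ == "__main__":
    for width, k in ((2, 2), (2, 3), (3, 3)):
        print(f"width<={width}, k={k}:", sec(width, k))
```

On this toy, two-node candidates are reported insufficient once k reaches 3, while allowing three-node candidates lets the filter pass a strict subset that still proves equivalence after the fix-point.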
VI. EXPERIMENTAL RESULTS
The proposed SEC framework was implemented in C++ and the performance was evaluated on an Intel Pentium 4
Since there are very few SEC instances in which the two circuits being checked differ drastically, we construct a suite of hard-to-verify SEC benchmarks by using entirely different state encodings (gray and one hot, namely) manually for ITC99 circuits. Although these circuits are not huge, there are few or no internal equivalent points, and they suffice to demonstrate our approach.
We derive invariants among flip-flops to illustrate the power of our filtering techniques. Due to memory issues that too many invariants may cause to the SAT solver, we limit the number of initial potential invariants to be under 240,000. Therefore for all circuits, we derive 2-node, 3-node and 4-node invariants for b01, b02 and b06, 2-node and 3-node for b03, b04, b08, b09, b10 and b11, and only 2-node for the rest of the circuits including b05, b07, b11, b12 and b13. Should more invariants be needed, these invariants can easily be divided into smaller groups of 240,000 invariants per group. However, dividing the potential invariants into multiple groups may sacrifice truthfulness of some invariants. Nevertheless, the filtering techniques proposed in this paper are still applicable, even when the potential invariants are divided into smaller groups.
The results are shown in Table I. The first column lists the names of the miter circuits. The second column reports the number of flip-flops in the circuits; for example, 5/10 means there are 5 FFs in b01_gray and 10 in b01_onehot. The third column shows the number of time-frames used in the filtering model(s) we proposed. For b09 and b11, we used both the filtering techniques. The first number before '/' indicates the number of time-frames in the first filtering model and the second number is for the second filtering model. For most circuits, we used only the first filtering technique since it was sufficient. The fourth column shows the number of initial potential invariants extracted from random simulation. The fifth column shows the number of invariants after filtering, followed by the sixth column reporting the percentage of selected invariants over the original potential invariants. The seventh column shows if equivalence can be proved using the initial set of potential invariants, while the eighth column shows whether equivalence can be proved by the reduced list of invariants selected by our filtering techniques. 'Y' means sufficient to prove and 'N' means insufficient. We can see that out of all 7 instances that can be proved by using all initial potential invariants, our filtering approach can also prove all of them. On the other hand, for circuits that cannot be proved by using the initial set of potential invariants, our approach can detect that by not being able to select sufficient invariants to pass the filter(s).
Table II shows the performance comparison of the proposed SEC framework with/without filters. The first column shows the names of the benchmarks. The second column shows the time taken by the filtering schemes that we applied. Columns 3 and 4 show the time for fix-point calculation of inductive invariants for initial invariants and filtered invariants, respectively. Note that a value of 0 means the initial invariants cannot pass the filters; therefore, it is directly concluded that the original set of invariants is insufficient to prove equivalence. The fifth and the sixth columns show the total time taken by the SEC framework without filters and with filters. Finally, Column 7 shows the speedup of the total run time for the SEC framework with filters over without filters.
We first note that the time for filtering is generally a small fraction of the time needed for fix-point calculation. For instance, in b08_gray_onehot, the filter took about 8 seconds, while the fix-point calculation for the inductive invariants took nearly 400 seconds. With an initial set of 45842 potential invariants extracted (from Table I), our first filter selected only 23.6% of them. Fix-point calculation of these selected invariants took only 32.7% of the time compared with the original set of potential invariants, resulting in a 2.7x speedup in terms of overall runtime. Note that the selected invariants are still sufficient to prove equivalence. The results for other instances for which the potential invariants were sufficient to prove equivalence follow a similar trend.
Next, consider the circuit b05_gray_onehot among those cases in which equivalence could not be proved with the original set of potential invariants. After random simulation, 3451 potential invariants are obtained. If all of these 3451 potential invariants were true invariants, adding them to all time-frames of $M$ would make the formula $f_M$ UNSAT. However, it is almost always the case that only a subset of the initial potential invariants are true inductive invariants. On the other hand, since our filter iteratively adds any filtered constraints to the first time-frame only, those false invariants will not remain true in subsequent time-frames. As a result, it allows us to conclude that the potential invariants are insufficient. Fix-point calculation of these inductive invariants and applying all true invariants in attempting to solve the SEC instance took 633.787 seconds, while our Filtering Technique I took only 13.041 seconds to conclude that the set of potential invariants is insufficient to prove equivalence, saving the trouble of actually finding the true inductive invariants and performing the SEC. A speedup of more than 39x was achieved in this case. The results are similar for other instances for which equivalence could not be proved.
For circuits such as b01_gray_onehot and b02_gray_onehot, the proposed approach takes more or less the same amount of time as the SEC framework without our filter, since these circuits are small. Also for b09_gray_onehot, Filtering Technique II took more time, which causes the proposed approach to cost more, but b07_gray_onehot and b12_gray_onehot show the power of combining Filtering Technique I and II, where speedups of 44.81x and >219.73x, respectively, are achieved by applying our filters.
VII. CONCLUSION
We presented two novel filtering techniques for processing potential invariants (either two-node or multi-node, either among only flip-flops or among all internal signals) that select useful invariants towards proving the equivalence of sequential circuits. Experimental results show the power of the proposed approaches: when the original set of potential invariants is able to prove equivalence, the proposed approaches can always select a smaller subset and still be able to prove equivalence; on the other hand, when the original set of potential invariants is insufficient to prove equivalence, the proposed filters can quickly prove this by being unable to select a sufficient set of invariants. Our future work includes improving the filtering models to better interact with the SAT solver.
