A Faithful Binary Circuit Model with Adversarial Noise by Függer, Matthias et al.
Matthias Függer∗, Jürgen Maier†, Robert Najvirt†, Thomas Nowak‡, Ulrich Schmid†
∗CNRS & LSV, ENS Paris-Saclay
†Technische Universität Wien
‡Université Paris-Sud
This is the unedited authors' version of a submitted work that was subsequently accepted for publication at the 2018 Design, Automation & Test in Europe
Conference & Exhibition (DATE).
Abstract—Accurate delay models are important for static and
dynamic timing analysis of digital circuits, and mandatory for
formal verification. However, Függer et al. [IEEE TC 2016]
proved that pure and inertial delays, which are employed for
dynamic timing analysis in state-of-the-art tools like ModelSim,
NC-Sim and VCS, do not yield faithful digital circuit models.
Involution delays, which are based on delay functions that are
mathematical involutions depending on the previous-output-to-
input time offset, were introduced by Függer et al. [DATE’15] as
a faithful alternative (that can easily be used with existing tools).
Although involution delays were shown to predict real signal
traces reasonably accurately, any model with a deterministic
delay function is naturally limited in its modeling power.
In this paper, we thus extend the involution model, by adding
non-deterministic delay variations (random or even adversarial),
and prove analytically that faithfulness is not impaired by this
generalization. Albeit the amount of non-determinism must be
considerably restricted to ensure this property, the result is
surprising: the involution model differs from non-faithful models
mainly in handling fast glitch trains, where small delay shifts
have large effects. This originally suggested that adding even
small variations should break the faithfulness of the model, which
turned out not to be the case. Moreover, the results of our
simulations also confirm that this generalized involution model
has larger modeling power and, hence, applicability.
I. INTRODUCTION
Modern digital circuit design relies heavily on fast func-
tional simulation tools like Cadence NC-Sim, Mentor Graphics
ModelSim or Synopsys VCS, which also allow dynamic timing
validation using suitable delay models. In fact, for modern
VLSI technologies with their switching times in the picosec-
ond range, static timing analysis may not be sufficient for
critical parts of a circuit, where e.g. the presence of glitch
trains may severely affect correctness and power consumption.
Fully-fledged analog simulations, on the other hand, are often
too costly in terms of simulation time.
Delay models like CCSM [9] and ECSM [13] used in gate-
level timing analysis tools make use of elaborate character-
ization techniques, which incorporate technology-dependent
information like driving strengths of a gate for a wide range of
voltages and load capacitances. Based on these data, dynamic
timing analysis tools compute the delay for each gate and
wire in a specific circuit, which is then used to parametrize
pure and/or inertial delay channels (i.e., model components
representing delays). Recall that pure delay channels model a
constant transport delay, whereas inertial delay channels [14]
allow an input transition to proceed to its output only if there
is no subsequent (opposite) input transition within some time
window ∆ > 0. Subsequent simulation and dynamic timing
analysis runs use these pre-computed delays as constants, i.e.,
they are not reevaluated at every point in time.
This research was supported by the FATAL (grant P21694) and SIC project
(grant P26436-N30) of the Austrian Science Fund (FWF).
More accurate simulation and dynamic timing analysis re-
sults can be achieved by the Degradation Delay Model (DDM),
introduced by Bellido-Díaz et al. [2], [3], which allows channel
delays to vary and covers gradual pulse cancellation effects.
Függer et al. [7] investigated the faithfulness of digital
circuit models, i.e., whether a problem solvable in the model
can be solved with a real physical circuit and vice versa.
Unfortunately, however, they proved that none of the existing
models is faithful: for the simple Short-Pulse Filtration (SPF)
problem, which resembles a one-shot variant of an inertial de-
lay channel, they showed that every model based on bounded
single-history channels (see below for the definition) either
contradicts the unsolvability of SPF in bounded time or the
solvability of SPF in unbounded time by physical circuits [11].
Single-history channels allow the input-to-output delay for
a given input transition to depend on the time of the previous
output transition. Formally, a single-history channel is defined
by a delay function δ : R → R, where δ(T ) determines the
delay of an input transition at time t, given that the previous
output transition occurred at time t − T . Fig. 1 depicts the
involved parameters. Note that T and δ(T ) are potentially
negative in the case of a short input pulse, where a new input
transition occurs earlier than the just scheduled previous output
transition. Together with the rule that non-FIFO transitions
cancel each other, this allows to model attenuation and even
suppression of glitches. Fig. 2 shows an example input/output-
trace generated by a single-history channel. Note that, for
bounded single-history channels, δ(T ) cannot point arbitrarily
far back into the past.
In [6], Függer et al. introduced an unbounded single-history
channel model based on involution channels, which use a delay
function δ(T ) whose negative is self-inverse, i.e., fulfills the
involution property −δ(−δ(T )) = T . They proved that, in
sharp contrast to bounded single-history channels, SPF cannot
be solved in bounded time with involution channels, whereas it
is easy to provide an unbounded SPF implementation, which is
in accordance with real physical circuits [11]. Hence, binary-
valued circuit models based on involution channels are faithful
with respect to the SPF problem. We note that this actually
implies faithfulness also w.r.t. other, practically more relevant
problems: analogous to [1], it is possible to implement a one-
shot version of a latch (that allows a single up- and a single
down-transition of the enable input) using a circuit solving
SPF, and vice versa. Consequently, the involution model is
also faithful for one-shot latches. Moreover, in [12], Najvirt et
al. used both measurements and Spice simulations to show that
the involution model can also be made reasonably accurate by
suitable parametrization, in the sense that it nicely (though not
perfectly) predicts the actual glitch propagation behavior of a
real circuit, namely, an inverter chain.
Fig. 1: Input/output signal of single-history channel, involving the
previous-output-to-input delay T and input-to-output delay δ(T ).
[Plot of in(t) and out(t) over time t, with T and δ(T ) marked.]
Fig. 2: Single-history channels allow to model pulse attenuation:
The delay δ(T ) becomes smaller with smaller previous-output-to-
input time T . Observe the cancellation of the second pulse due to
non-FIFO-scheduled output transitions.
[Plot of in(t) and out(t) over time t.]
arXiv:2006.08485v1 [cs.OH] 15 Jun 2020
As it is easy to replace the standard pure or inertial delays
currently used in VITAL or Verilog models by involution
delays, the model is not only a promising starting point
for sound formal verification, but also allows to seamlessly
improve existing dynamic timing analysis tools.
Main contributions: Notwithstanding its superiority with re-
spect to faithfulness, like every deterministic delay model, the
involution model has limited modeling power: many different
effects in physical circuits cause various types of noise in
signal waveforms and, hence, jitter in the digital abstraction
[4]. No deterministic delay function can properly capture the
resulting variability in the signal traces.
In this paper, we relax the involution model introduced
in [6] by adding limited non-determinism η = [−η−, η+],
for some fixed η−, η+ ≥ 0, on top of the (deterministic)
involution delay function δ(T ). We prove that this can be
done without sacrificing faithfulness: both the original SPF
impossibility result and, in particular, a novel SPF possibility
hold for this generalized model. We need to stress, however,
that adding non-determinism is merely a convenient way of
securing maximum generality of our results: no practically
observable bounded jitter phenomenon, neither bounded ran-
dom noise, from white to slowly varying flicker noise [4],
nor even adversarially chosen transition time variations can
invalidate the faithfulness of the resulting η-involution model.
Deterministic effects, like slightly different thresholds due to
process variations, are of course also covered.
Note carefully that, albeit the non-determinism (η+ and
η−) must be restricted to ensure faithfulness, the mere fact
that we can afford some non-determinism here at all is very
surprising: comparing the faithful original involution model
and the non-faithful DDM model reveals that they primarily
differ in handling fast glitch trains, where small delay shifts
have large effects. We thus conjectured originally that adding
even small non-determinism would break the border between
both models, which we now know is not the case.
Our generalization also results in an improved principal¹
modeling accuracy of the η-involution model: thanks to the
additional freedom for choosing transition times provided by
η, it is obviously easier to match the real behavior of a
circuit with some feasible behavior of the circuit in the model.
We provide some simulation results (in a similar setting as
used in [12]), which demonstrate that it is indeed possible
to match the behavior of a real inverter chain with the η-
involution model if the variations of operating conditions resp.
process variations are small. Whereas this does not hold for
larger variations, we observed that excessive deviations occur
for relatively large values of T only, which are essentially
irrelevant for faithfulness. We are of course aware that more
validation experiments, with more complex circuits, will be
needed to actually claim good accuracy of the η-involution
model, nevertheless, our preliminary results are encouraging.
Regarding applicability, we consider the η-involution model
interesting for primarily two reasons: First, it facilitates ac-
curate modeling and analysis of circuits under (restricted)
noise, varying operating conditions and parameter variations.
Second, to the best of our knowledge, it is the first model that
appears to be a suitable basis for the sound formal verification
of a circuit, which aims at proving that the circuit meets
its specification in every feasible trace. We thus believe that
our η-involution model might eventually turn out to be an
interesting ingredient for a novel verification tool.
Paper organization: In Section II, we provide some indis-
pensable basics of standard involution channels taken from
[6]. Section III defines our η-involution model, Section IV
provides the proofs for faithfulness. Our simulation results are
presented in Section V, and some conclusions and directions
of our current/future work are appended in Section VI.
II. THE INVOLUTION MODEL WITHOUT CHOICE
Before we can present the generalized η-involution model
with non-deterministic delay variations, we recall the basics
from the circuit model introduced in [6].
Signals. A falling transition at time t is the pair (t, 0), a rising
transition at time t is the pair (t, 1). A signal is a list of
alternating transitions such that
S1) the initial transition is at time −∞; all other transitions
are at times t ≥ 0,
S2) the sequence of transition times is strictly increasing,
S3) if there are infinitely many transitions in the list, then the
set of transition times is unbounded.
To every signal s (uniquely) corresponds a function R →
{0, 1}, its signal trace, whose value at time t is that of the
most recent transition.
¹ We stress that we do not aim at resolving the non-determinism of the
η-involution model to build an accurate simulator in this paper, but rather at
providing a model that makes this possible.
Circuits. Circuits are obtained by interconnecting the external
interface, i.e., a set of input and output ports, and a set
of combinational gates via channels. The valid connections
are constrained by demanding that gates and channels must
alternate on every path in the circuit and that any gate input and
output port is attached to only one channel output. Formally we
describe a circuit by a directed graph with potentially multiple
edges between nodes. Its nodes are in/out ports and gates,
and edges are channels. A channel has a channel function,
which maps input signals to output signals, whereas a gate is
characterized by a (zero-time) Boolean function and an initial
Boolean value that defines its output until time 0. Channels
connecting input and output ports are assumed to have zero
delay, in order to facilitate the composition of circuits.
Executions. An execution of circuit C is an assignment of
signals to the vertices and edges of C that respects channel
functions, Boolean gate functions, and initial values of gates.
Signals on input ports are unrestricted. For an edge c repre-
senting a channel with channel function fc from vertex v in C,
we require that the signal sc assigned to c fulfills sc = fc(sv).
Involution Channels. An involution channel propagates each
transition at time t of the input signal to a transition at the
output happening after some input-to-output delay δ(T ), which
depends on the previous-output-to-input delay T (cf. Fig. 1).
An involution channel function is characterized by two
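strictly increasing concave delay functions $\delta_\uparrow : (-\delta^\downarrow_\infty, \infty) \to (-\infty, \delta^\uparrow_\infty)$
and $\delta_\downarrow : (-\delta^\uparrow_\infty, \infty) \to (-\infty, \delta^\downarrow_\infty)$ such that both
$\delta^\uparrow_\infty = \lim_{T\to\infty} \delta_\uparrow(T)$ and $\delta^\downarrow_\infty = \lim_{T\to\infty} \delta_\downarrow(T)$ are finite and
$$-\delta_\uparrow(-\delta_\downarrow(T)) = T \quad\text{and}\quad -\delta_\downarrow(-\delta_\uparrow(T)) = T \tag{1}$$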
for all T . All such functions are necessarily continuous. For
simplicity, we will also assume them to be differentiable; δ be-
ing concave thus implies that its derivative δ′ is monotonically
decreasing. In this paper, we assume all involution channels
to be strictly causal, i.e., δ↑(0) > 0 and δ↓(0) > 0.
A particular and important special case are the so-called
exp-channels: They occur when gates drive RC-loads and
generate digital transitions when reaching a certain threshold
voltage Vth (typically Vth = 1/2 of the maximum voltage
VDD). We obtain
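$$\delta_\uparrow(T) = \tau \ln\bigl(1 - e^{-(T + T_p - \tau \ln(V_{th}))/\tau}\bigr) + T_p - \tau \ln(1 - V_{th})$$
$$\delta_\downarrow(T) = \tau \ln\bigl(1 - e^{-(T + T_p - \tau \ln(1 - V_{th}))/\tau}\bigr) + T_p - \tau \ln(V_{th}),$$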
where τ is the RC constant, Tp the pure delay component
and Vth = Vth/VDD.
For ease of reference, we restate the following technical
lemma from [5], [6]:
Lemma 1. A strictly causal involution channel has a
unique δmin defined by δ↑(−δmin) = δmin = δ↓(−δmin), which
is positive. For exp-channels, δmin = Tp.
For the derivative, we have δ′↑(−δ↓(T )) = 1/δ′↓(T ) and
hence δ′↑(−δmin) = 1/δ′↓(−δmin).
Fig. 3: The η-involution channel: Non-deterministic choice of the
tentative output transition after applying δ(T ).
[Plot of in(t) and out(t) over time t, with T , δ(T ), η− and η+ marked.]
The channel function fc mapping input signal s to output
signal fc(s) (cp. Fig. 2) is defined via the following algorithm.
It can easily be implemented in e.g. VHDL to be used
by existing simulators like ModelSim, as these simulators
automatically drop transitions on signals violating FIFO order.
Output transition generation algorithm: Let t1, t2, . . . be
the transition times of s, set t0 = −∞ and δ0 = 0.
• Initialization: Copy the initial transition at time −∞ from
the input signal to the output signal.
• Iteration: Iteratively determine the tentative list of pend-
ing output transitions: Determine the input-to-output de-
lay δn for the input transition at time tn by setting
δn = δ↑(tn − tn−1 − δn−1) if tn is a rising transition
and δn = δ↓(tn − tn−1 − δn−1) if it is falling. The nth
and mth pending output transitions cancel if n < m but
tn+δn ≥ tm+δm. In this case, we mark both as canceled.
• Return: The channel output signal fc(s) has the same
initial value as the input signal, and contains every
pending transition at time tn + δn that has not been
marked as canceled.
III. INTRODUCING ADVERSARIAL CHOICE
We now generalize the circuit model from the previous
section to allow a non-deterministic perturbation of the output
transition times after the application of the delay functions δ↑
and δ↓. Note that the resulting output shifts need not be the
same for all applications of the delay functions; they can
vary arbitrarily from one transition to the next. However,
each perturbation needs to be within some pre-determined
interval η = [−η−, η+]. These non-deterministic choices can
be used to model various effects in digital circuits that cannot
be captured by single-history delay functions, ranging from
arbitrary types of noise [4] to unknown variations of process
parameters and operating conditions. Fig. 3 shows the possible
variation of the output transition time caused by the non-
deterministic choice.
Formally, we change the notion of the channel function
to accept an additional parameter: A channel has a channel
function, which maps each pair (s,H) to an output signal,
where s is the channel’s input signal and H is a parameter
taken from some suitable set of admissible parameters (see
below). We also adapt the definition of an execution to allow
an adversarial choice of H: For an edge c from v in C, we
require that there exists some admissible parameter H such
that the signal sc fulfills sc = fc(sv, H).
Fig. 4: The η-involution channel covers pulse attenuation under
(bounded) adversarial noise, varying operating conditions, parameter
variations and other modeling inaccuracies. Observe the different
output behaviors out1 and out2 for the same input trace, caused by
different adversarial choices (η1, η2, . . . ). The output transitions that
would have been caused just by δ(T ), without η-shifts, are dotted.
Note that different adversarial choices usually change the history
and, hence, T and thus δ(T ).
[Two panels, each plotting in(t) and the output over time t; the shifts are labelled -η1, η2, η3=η4=0, -η5 for out1(t) and η1, η2, -η3, η4, -η5 for out2(t).]
For η-involution channels, we let the admissible param-
eters H be any sequence of choices ηn ∈ η. The output
transition generation algorithm’s Iteration step for the nth
transition of the input signal is adapted as follows: δn =
δ↑(max{tn − tn−1 − δn−1,−δ↑∞}) + ηn if tn is a rising
transition and δn = δ↓(max{tn− tn−1− δn−1,−δ↓∞}) +ηn if
it is falling. Note that the max-terms guard against adversarial
choices that would exceed the domain of δ↑(.) and δ↓(.).
This could occur only in the extreme situation of a short
glitch after a long stable input, which must be canceled
anyway. So enforcing δn = δ↑(−δ↑∞) + ηn = −∞ resp.
δn = δ↓(−δ↓∞)+ηn = −∞ in this case is safe. As this cannot
occur in the cases analyzed in this paper, we will subsequently
omit the max-terms in the definition of δn for simplicity.
Fig. 4 depicts two example signal traces, out1 and out2,
obtained by an η-involution channel with the same underlying
δ as the one in Fig. 2. Observe that the adversary has
the freedom to “de-cancel” pulses that would have canceled
according to the delay function (second pulse in out2), extend
pulses (first pulse in out1), and shift pulses (first pulse in out2).
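The output transition generation algorithm of Section II with the η-shift of Section III, written out as an added example (not code from the paper or its authors). It assumes an exp-channel with τ = Tp = 1 and Vth = 1/2 and applies the pairwise cancellation rule as stated; the names eta_channel and pulse and all sample values are constructed for illustration.

```python
import math

# Assumed exp-channel parameters (constructed for this example, not from the paper).
TAU, TP, VTH = 1.0, 1.0, 0.5
D_UP_INF = TP - TAU * math.log(1.0 - VTH)   # limit of delta_up(T) as T -> infinity
D_DOWN_INF = TP - TAU * math.log(VTH)       # limit of delta_down(T) as T -> infinity


def _exp_delay(T, v_in, v_out, lower):
    """Exp-channel delay; returns -inf at or below the domain bound `lower`."""
    if T <= lower:
        return -math.inf
    arg = 1.0 - v_in * math.exp(-(T + TP) / TAU)
    if arg <= 0.0:                           # rounding right at the domain bound
        return -math.inf
    return TAU * math.log(arg) + TP - TAU * math.log(v_out)


def delta_up(T):
    return _exp_delay(T, VTH, 1.0 - VTH, -D_DOWN_INF)


def delta_down(T):
    return _exp_delay(T, 1.0 - VTH, VTH, -D_UP_INF)


def eta_channel(transitions, etas=None, eta_minus=0.0, eta_plus=0.0):
    """Output transitions of an eta-involution channel.

    transitions: [(t_n, value_n)] with strictly increasing t_n >= 0 and
    alternating values; the initial transition at -infinity is implicit.
    etas: the adversary's choices eta_n (the parameter H). None means all
    zero, which gives the deterministic involution channel of Section II.
    """
    etas = [0.0] * len(transitions) if etas is None else list(etas)
    if len(etas) != len(transitions):
        raise ValueError("need one eta_n per input transition")
    if any(not -eta_minus <= e <= eta_plus for e in etas):
        raise ValueError("eta_n outside [-eta_minus, eta_plus]")
    prev_t, prev_delta = -math.inf, 0.0      # t_0 = -infinity, delta_0 = 0
    pending = []
    for (t, value), eta in zip(transitions, etas):
        T = t - prev_t - prev_delta          # previous-output-to-input delay
        delta = (delta_up(T) if value == 1 else delta_down(T)) + eta
        pending.append((t + delta, value))
        prev_t, prev_delta = t, delta
    # Pending transitions n < m cancel when t_n + delta_n >= t_m + delta_m.
    canceled = [False] * len(pending)
    for m in range(len(pending)):
        for n in range(m):
            if pending[n][0] >= pending[m][0]:
                canceled[n] = canceled[m] = True
    return [p for p, c in zip(pending, canceled) if not c]


def pulse(width):
    """Constructed input: a single pulse of the given width at time 0."""
    return [(0.0, 1), (width, 0)]


if __name__ == "__main__":
    print("0.80 wide, no noise :", eta_channel(pulse(0.80)))
    print("0.65 wide, no noise :", eta_channel(pulse(0.65)))
    # Adversary takes the rising edge early and the falling edge late.
    print("0.65 wide, adversary:", eta_channel(pulse(0.65), [-0.1, 0.1], 0.1, 0.1))
```

With η− = η+ = 0.1 the 0.65-wide pulse is canceled without noise but survives the early-rise, late-fall choice, which is the "de-cancel" freedom described for out2 in Fig. 4.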
IV. FAITHFULNESS OF INVOLUTION CHANNELS WITH
ADVERSARIAL CHOICE
In this section, we will prove that η-involution channels are
faithful with respect to Short-Pulse Filtration (SPF).
A pulse of length ∆ at time T has initial value 0, one rising
transition at time T , and one falling transition at time T + ∆.
A signal contains a pulse of length ∆ at time T if it contains
a rising transition at time T , a falling transition at time T +∆
and no transition in between.
Fig. 5: A circuit solving unbounded SPF, consisting of an OR-gate,
with initial value 0, fed back by channel c, and a high-threshold
buffer HT.
[Circuit diagram: input i, OR gate with feedback channel c, high-threshold buffer HT, output o.]
Definition 2 (Short-Pulse Filtration). A circuit with a single
input and a single output port solves Short-Pulse Filtration
(SPF), if it fulfills the following conditions for all admissible
channel function parameters H:
F1) The circuit has exactly one input and one output port.
(Well-formedness)
F2) A zero input signal produces a zero output signal. (No
generation)
F3) There exists an input pulse such that the output signal is
not the zero signal. (Nontriviality)
F4) There exists an ε > 0 such that for every input pulse the
output signal never contains a pulse of length less than ε.
(No short pulses)
Note that we allow the SPF circuit to behave arbitrarily if
the input signal is not a (single) pulse.
To show faithfulness of the η-involution model, we start
with the trivial direction: we prove that no circuit with η-
involution channels can solve the bounded-time variant of
SPF (where the output must stabilize to constant 0 or 1
within bounded time). Note that this matches the well-known
impossibility [10] of building such a circuit in reality. Indeed,
the result immediately follows from the fact that the adversary
is free to always choose ηn = 0, i.e., make the η-involution
channels behave like involution channels. In [6], [5], it has
been shown that no circuit with involution channels can solve
bounded-time SPF, which completes the proof.
What hence remains to be shown is the existence of a
circuit that solves SPF (with unbounded stabilization time)
with η-involution channels. We can prove that the circuit
shown in Fig. 5, which consists of a fed back OR-gate forming
the storage loop and a subsequent buffer with a suitably
chosen (high) threshold voltage (modeled as an exp-channel),
does the job. As a consequence, a circuit model based on
η-involution channels enjoys the same faithfulness as the
involution channels of [6], even though its set of allowed
behaviors is considerably larger.
Informally, we consider a pulse of length ∆0 at time 0 at
the input and reason about the behavior of the feed-back loop,
i.e., the output of the OR gate. There are 3 cases: If ∆0 is
small, then the pulse is filtered by the channel in the feed-
back loop. If it is big, the pulse is captured by the storage
loop, leading to a stable output 1. For a certain range of ∆0,
the storage loop may be oscillating, possibly forever. In any
case, however, it turns out that a properly chosen exp-channel
can translate this behavior to a legitimate SPF output.
Lemma 3. If the input pulse’s length ∆0 satisfies ∆0 ≥ δ↑∞+
η+, then the output of the OR in Fig. 5 has a unique rising
transition at time 0, and no falling transition.
Proof. Clearly, the output of the OR, hence the η-involution
channel’s input, will have a rising transition at time 0. The
corresponding rising transition occurs at the channel output at
the latest at η+ + δ↑∞ ≤ ∆0. This guarantees the storage loop
to lock, causing the OR output to stick to 1.
Lemma 4. If the input pulse’s length ∆0 satisfies ∆0 ≤ δ↑∞−
δmin − η+ − η−, then the OR output in Fig. 5 contains only
the input pulse.
Proof. The input signal contains only two transitions: one at
time $t_1 = 0$ and one at time $t_2 = \Delta_0$. The earliest time
when the output transition corresponding to the rising input
transition can occur is $t'_1 = \delta^\uparrow_\infty - \eta^-$. For the falling input
transition, we thus get $T = \Delta_0 - \delta^\uparrow_\infty + \eta^-$, and observe that the
corresponding falling output transition cannot occur later than
$t'_2 = \Delta_0 + \eta^+ + \delta_\downarrow(T)$. The two output transitions cancel iff
$t'_2 \le t'_1$, which is equivalent to $X = \Delta_0 + \eta^+ + \delta_\downarrow(T) - \delta^\uparrow_\infty + \eta^- \le 0$.
Replacing $\Delta_0$ with the upper bound from the lemma
reveals $T \le -\delta_{\min} - \eta^+$ and
$X \le -\delta_{\min} + \delta_\downarrow(-\delta_{\min} - \eta^+) \le -\delta_{\min} + \delta_\downarrow(-\delta_{\min}) = 0$
by monotonicity of $\delta_\downarrow$ and Lemma 1,
which concludes the proof.
For an input pulse length that satisfies
$\delta^\uparrow_\infty - \delta_{\min} - \eta^+ - \eta^- < \Delta_0 < \delta^\uparrow_\infty + \eta^+$,
the OR output signal may contain a series of
pulses of lengths $\Delta_0, \Delta_1, \Delta_2, \ldots$. In sharp contrast to standard
involution channels [6], it is not the case that there is a unique
value $\Delta_0 = \tilde\Delta_0$ that leads to an infinite series of (identical)
pulses $\Delta_1 = \Delta_2 = \ldots$ Rather, due to the adversarial choices,
there is a range of values for $\Delta_0$ that may lead to a whole
range of infinite pulse trains, with varying pulse lengths, which
are surprisingly difficult to bound.
An informal, high-level explanation of the approach that
was eventually found to be successful is the following: we
identified a self-repeating infinite “worst-case pulse train”,
which ensures that any adversarial choice that deviates from
it at some point causes the subsequent pulses to die out, i.e.,
to resolve to a stable 1. In more detail, let ∆0 be such that an
infinite self-repeating pulse train ∆ = ∆1 = ∆2 = . . . exists,
subject to the constraint that the adversary deterministically
takes all rising transitions maximally (η+) late and all falling
transitions maximally (η−) early. Note that this adversarial
choice actually minimizes ∆n for any given ∆n−1. Therefore,
given a pulse ∆n−1 = ∆, any other adversarial choice (as
well as any larger ∆n−1 > ∆) leads to a subsequent pulse
with ∆n > ∆. As a consequence, ∆ is an upper bound for
the length of every pulse ∆n, n ≥ 1, occurring in an arbitrary
infinite pulse train: if some ∆n−1 > ∆ ever happens, then
∆n+ℓ > ∆ for every ℓ ≥ 0 as well; in fact, Lemma 7 will
reveal that the pulse train will only be finite in these cases.
Similarly, since the adversarial choice that minimizes the
up-time ∆n simultaneously maximizes the down-time ∆′n of
a pulse, we also get a lower bound ∆′n ≥ P − ∆ for all
pulses in an arbitrary infinite pulse train, where P is the period
of our infinite self-repeating pulse train.
For these arguments to work, we need to restrict the
adversarial choice for the feed-back channel in Fig. 5:
η+ + η− < δ↓(−η+)− δmin (C)
Formally, we have the following Lemma 5:
Lemma 5. Consider the circuit in Fig. 5 subject to constraint
(C). Assume that the input pulse length ∆0 is such that it
results in an infinite pulse train ∆0,∆1, . . . occurring at the
output of the OR. Then, for every n ≥ 1, the up-time ∆n
satisfies ∆n ≤ ∆, the down-time ∆′n (preceding the pulse with
up-time ∆n) satisfies ∆′n ≥ P −∆, and Pn = ∆n + ∆′n+1 ≥
P . Herein, ∆ = δ↓(η+−τ) with ∆ < δmin is the up-time of an
infinite self-repeating pulse train with period P = τ and duty
cycle γ = ∆/P , with τ > 0 denoting the smallest positive
fixed point of the equation δ↓(η+ − τ) + δ↑(−η− − τ) = τ ,
which is guaranteed to exist and satisfies η+ + δmin < τ <
min(−η− + δ↓∞, η+ + δ↑∞).
Proof. In the circuit of Figure 5, the nth input pulse of the η-
involution channel c is just its (n−1)th output pulse. Therefore,
for all n > 1, the output pulse length ∆n under the worst-
case adversarial choice of η+-late rising and η−-early falling
transitions evaluates to
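$$\Delta_n = f(\Delta_{n-1}) = \delta_\downarrow\bigl(\Delta_{n-1} - \eta^+ - \delta_\uparrow(-\Delta_{n-1})\bigr) + \Delta_{n-1} - \eta^- - \eta^+ - \delta_\uparrow(-\Delta_{n-1}). \tag{2}$$
The sought fixed point $\Delta$ of (2) resulting in an infinite pulse
train is obtained by solving $\Delta = f(\Delta)$, which yields
$$\delta_\downarrow\bigl(\Delta - \eta^+ - \delta_\uparrow(-\Delta)\bigr) = \eta^- + \eta^+ + \delta_\uparrow(-\Delta). \tag{3}$$
Applying the involution property to (3) results in
$\Delta - \eta^+ - \delta_\uparrow(-\Delta) = -\delta_\uparrow\bigl(-\eta^- - \eta^+ - \delta_\uparrow(-\Delta)\bigr)$ and further in
$$\Delta + \delta_\uparrow\bigl(-\eta^- - \eta^+ - \delta_\uparrow(-\Delta)\bigr) = \eta^+ + \delta_\uparrow(-\Delta). \tag{4}$$
Defining $\tau = \eta^+ + \delta_\uparrow(-\Delta)$, rewriting it to $-\delta_\uparrow(-\Delta) = \eta^+ - \tau$
and applying the involution property, we observe
$$\Delta = \delta_\downarrow(\eta^+ - \tau). \tag{5}$$
Using (5) and (1) in (4) yields the fixed point equation stated
in our lemma:
$$\delta_\downarrow(\eta^+ - \tau) + \delta_\uparrow(-\eta^- - \tau) = \tau. \tag{6}$$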
Now assume that the smallest fixed point τ > 0 of (6),
and hence ∆ of (2), exists. Then, in any infinite pulse train,
any pulse ∆n−1 > ∆, n > 1, and/or any non-worst-case
adversarial choice (also in the case ∆n−1 = ∆) leads to
a subsequent pulse with ∆n > ∆. As a consequence, ∆ is
indeed an upper bound for the length of every such pulse.
We will proceed in our proof with establishing constraints
on η−, η+ that guarantee the existence of a solution τ > 0 of
(6). For this purpose, we introduce the function
h(τ) = δ↓(η+ − τ) + δ↑(−η− − τ)− τ . (7)
and show that there are values τ0 < τ1 where h(τ0) > 0 but
h(τ1) < 0. Since h(.) is continuous, this ensures the existence
of τ0 < τ < τ1 with h(τ) = 0.
If we plug in τ0 = η+ + δmin in (7), we find by recalling
Lemma 1 that h(η+ + δmin) = δ↑(−η+ − η− − δmin)− η+. In
order to guarantee that h(η+ + δmin) > 0 we need δ↑(−η+ −
η−− δmin) > η+. Rewriting this using the involution property
requires −δ↑(−η+−η−−δmin) < −δ↑(−δ↓(−η+)) and hence
η+ + η− < δ↓(−η+) − δmin as stated in constraint (C). Note
that this implies η+ < δmin, since η+ + η− ≥ 0.
For h(τ) < 0, we simply obtain −∞ from δ↓(η+ − τ) or
δ↑(−η− − τ) by plugging in τ1 = min(−η− + δ↓∞, η+ + δ↑∞)
in (7), noting that the involution property guarantees −∞ =
δ↑(−δ↓∞) = δ↓(−δ↑∞). Since all other terms of h(.) are finite,
the result is definitely < 0.
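We still need to assure that the boundary interval for $\tau$ is
not empty, i.e., that $\tau_0 = \eta^+ + \delta_{\min} < \tau_1 = \min(-\eta^- + \delta^\downarrow_\infty, \eta^+ + \delta^\uparrow_\infty)$.
This is trivially the case if $\tau_1 = \eta^+ + \delta^\uparrow_\infty$. If
$\tau_1 = \delta^\downarrow_\infty - \eta^-$, we need $\eta^+ + \eta^- < \delta^\downarrow_\infty - \delta_{\min}$, which is implied
by constraint (C). Thus, putting everything together, we can
indeed guarantee a solution $\tau$ of $h(\tau) = 0$, which satisfies
$$0 < \eta^+ + \delta_{\min} < \tau < \min(-\eta^- + \delta^\downarrow_\infty, \eta^+ + \delta^\uparrow_\infty) \tag{8}$$
as stated in our lemma.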
We can now determine the upper bound for ∆: Recalling
the definition τ = η++δ↑(−∆), the lower bound on τ implies
δmin < τ − η+ = δ↑(−∆). Using the involution property, we
can translate this to −δ↓(−δmin) < −∆.
Applying Lemma 1, we end up with
∆ < δmin (9)
as asserted in this lemma.
Regarding the periods of our pulses, we recall that our
adversary takes all rising transitions maximally late and all
falling transitions maximally early to minimize the high-times
of the generated pulse train. The period Pn = ∆n + ∆′n+1
of the high-pulse ∆n, measured from the rising transition of
∆n to the rising transition of ∆n+1, is Pn = δ↑(−∆n) + η+n ,
which is not difficult to see from the considerations leading
to (2). Hence, Pn only depends on the up-time ∆n and the
adversarial choice η+n ≤ η+. It follows that the adversarial
choices used for generating our minimal up-time pulse train
simultaneously maximize both the period (P = δ↑(−∆)+η+)
and the down-time (P −∆). As the adversary cannot further
shrink the up-times of the pulses, it cannot further extend the
down-times, without running into cancellations.
Formally, by the same argument as used for $\Delta$, we find that
no infinite pulse train can contain a pulse with a downtime
strictly smaller than $P - \Delta$, where $P = P'$ is the period of our
infinite $\Delta$ pulse train: analogously to $P_n$ above, we find that
the down-period $P'_n = \Delta'_n + \Delta_n$, measured between the falling
transitions of $\Delta'_n$ and $\Delta'_{n+1}$, evaluates to
$P'_n = \delta_\downarrow(-\Delta'_n) - \eta^-_n$,
which decreases with both $\Delta'_n$ and $\eta^-_n \le \eta^-$. If $\Delta'_n < P - \Delta$
ever occurred, this would lead to $P'_n > P' = \delta_\downarrow(-P + \Delta) - \eta^-$.
Since obviously $P' = P$, this implies $\Delta_n = P'_n - \Delta'_n > \Delta$,
which contradicts the previously established upper bound
$\Delta_n \le \Delta$, however.
It hence only remains to evaluate P = δ↑(−∆) + η+ = τ ,
which completes the proof.
Lemma 6. Consider the circuit in Fig. 5 subject to constraint
(C). The duty cycle γn of any pulse ∆n, n ≥ 1, in an infinite
pulse train at the output of the OR-gate satisfies γn ≤ γ < 1.
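Proof. According to Lemma 5, we have
$$\gamma_n = \frac{\Delta_n}{P_n} \le \frac{\Delta}{P} = \gamma = \frac{\Delta}{\delta_\uparrow(-\Delta) + \eta^+} < \frac{\delta_{\min}}{\delta_{\min} + \eta^+} \le 1$$
for every n ≥ 1 as asserted.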
We remark that η+ > 0 allows strengthening constraint
(C), which allows sharpening some inequalities in Lemma 5,
namely, η++η− ≤ δ↓(−η+)−δmin, ∆ ≤ δmin, and η++δmin ≤
τ , without violating γ < 1 established in Lemma 6.
The following lemma implies that if ∆1 > ∆ for ∆
according to Lemma 5, then the sequence of generated output
pulses ∆n, n ≥ 1, will be strongly monotonically increasing.
Consequently, we will only get a bounded number of pulses
at the output of the OR gate, with a stabilization time in the
order of log_a(1/(∆1 − ∆)) with a = 1 + δ′↑(0) > 1.
Lemma 7. For f(.) given in (2) with fixed point ∆, we have
f(∆1)−∆ ≥ (1 + δ′↑(0)) · (∆1 −∆) if ∆1 > ∆.
Proof. Differentiation of (2) provides
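$$f'(\Delta_1) = \bigl(1 + \delta'_\uparrow(-\Delta_1)\bigr)\bigl(1 + \delta'_\downarrow\bigl(\Delta_1 - \eta^+ - \delta_\uparrow(-\Delta_1)\bigr)\bigr) \ge 1 + \delta'_\uparrow(0) \tag{10}$$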
because δ′↑(−∆1) ≥ δ′↑(0) as ∆1 > ∆ > 0 and δ′(T ) > 0
is decreasing for all T as δ(.) is concave and increasing by
Lemma 1. The mean value theorem of calculus now implies
the lemma.
The following lemma allows us to extend the validity of the
statement of Lemma 7 from the first output pulse ∆1 to the
initial input pulse ∆0.
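Lemma 8. There is a unique $\tilde{\Delta}_0$ such that every input pulse
length $\Delta_0 \ge \tilde{\Delta}_0$ guarantees $\Delta_1 \ge \Delta$ as given in Lemma 5.
Moreover, $\Delta_1 - \Delta \ge (1 + \delta'_\uparrow(0)) \cdot (\Delta_0 - \tilde{\Delta}_0)$ for $\Delta_0 > \tilde{\Delta}_0$,
provided $\Delta_0 < \delta^\uparrow_\infty + \eta^+$.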
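Proof. For the first pulse under the same worst-case adversarial
choice as in Lemma 5, the analogous considerations as in
the proof of Lemma 4 reveal
$$\Delta_1 = \delta_\downarrow(\Delta_0 - \eta^+ - \delta^\uparrow_\infty) + \Delta_0 - \eta^- - \eta^+ - \delta^\uparrow_\infty .$$
Defining the auxiliary function
$g(\Delta_0) = \delta_\downarrow(\Delta_0 - \eta^+ - \delta^\uparrow_\infty) + \Delta_0 - \eta^- - \eta^+ - \delta^\uparrow_\infty$,
it is apparent that $\Delta_1 = g(\Delta_0)$.
Now, as $\lim_{\Delta_0 \to \eta^+ + \delta^\uparrow_\infty - \delta_{\min}} g(\Delta_0) \le 0$ due to Lemma 1
and $\lim_{\Delta_0 \to \eta^- + \eta^+ + \delta^\uparrow_\infty} g(\Delta_0) = \delta_\downarrow(\eta^-)$, which is certainly
(much) larger than $\Delta$, cp. Lemma 5, there is indeed a unique
$\tilde{\Delta}_0$ with $g(\tilde{\Delta}_0) = \Delta$ with the desired properties. The Lipschitz
property is obtained exactly as in the proof of Lemma 7, by
differentiating $g(\Delta_0)$ and using $\Delta_0 < \delta^\uparrow_\infty + \eta^+$.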
We summarize the consequences of the previous lemmas
in the following theorem, which extends [5, Thm. 12] to the
η-involution model:
Theorem 9. Consider the circuit in Fig. 5 subject to constraint
(C). The fed-back OR gate with a strictly causal η-involution
channel has the following output when the input pulse has
length ∆0:
• If ∆0 ≥ δ↑∞ + η+, then the output has a single rising
transition at time 0.
• If ∆0 ≤ δ↑∞−δmin−η+−η−, then the output only contains
the input pulse.
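• If $\delta^\uparrow_\infty - \delta_{\min} - \eta^+ - \eta^- < \Delta_0 < \delta^\uparrow_\infty + \eta^+$, then the output
may resolve to constant 0 or 1, or may be an (infinite)
pulse train, with $\Delta_n \le \Delta$ and duty cycle
$\gamma_n \le \gamma = \frac{\Delta}{\delta_\uparrow(-\Delta) + \eta^+} < 1$ for $n \ge 1$.
If $\Delta_0 > \tilde{\Delta}_0$, the output
resolves to 1 within a stabilization time in the order of
$\log_a(1/(\Delta_0 - \tilde{\Delta}_0))$ with $a = 1 + \delta'_\uparrow(0) > 1$.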
Proof. The statements of our theorem follow immediately
from Lemmas 3, 5, and 4. Lemma 7 in conjunction with
Lemma 8 reveals that the number of generated pulses is in
the order of $\log_a(1/(\Delta_0 - \tilde{\Delta}_0))$ with $a = 1 + \delta'_\uparrow(0)$.
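Added example (not code from the paper): the worst-case pulse recurrence behind Lemma 7 and Theorem 9, iterated for an exp-channel with η− set to the limit η− = δ↓(−η+) − δmin − η+. The exp-channel delay formulas, all parameter values and the helper names are assumptions; f is reconstructed here so that its derivative equals (10) and its first-pulse form equals g from the proof of Lemma 8.

```python
import math

# Constructed exp-channel parameters (arbitrary time units), not from the paper.
TAU, TP, VTH = 1.0, 0.5, 0.5
D_DOWN_INF = TP - TAU * math.log(VTH)        # limit of delta_down(T) for T -> infinity
D_UP_INF = TP - TAU * math.log(1.0 - VTH)    # limit of delta_up(T) for T -> infinity

def delta_up(T):    # assumed exp-channel involution delay, rising transition
    return TAU * math.log(1.0 - math.exp(-(T + D_DOWN_INF) / TAU)) + D_UP_INF

def delta_down(T):  # assumed exp-channel involution delay, falling transition
    return TAU * math.log(1.0 - math.exp(-(T + D_UP_INF) / TAU)) + D_DOWN_INF

def d_delta_up(T):  # derivative of delta_up, positive and decreasing
    return 1.0 / (math.exp((T + D_DOWN_INF) / TAU) - 1.0)

def bisect_root(h, lo, hi, iters=200):
    """Root of an increasing function h on [lo, hi]."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if h(mid) < 0 else (lo, mid)
    return 0.5 * (lo + hi)

DELTA_MIN = bisect_root(lambda d: d - delta_up(-d), 1e-9, D_DOWN_INF - 1e-9)  # delta_up(-d) = d

def eta_minus_max(eta_p):
    """Largest eta- for a given eta+: delta_down(-eta+) - delta_min - eta+."""
    return delta_down(-eta_p) - DELTA_MIN - eta_p

def f(d, eta_p, eta_m):
    """Next up-time when every rising edge is late by eta+ and every falling edge early by eta-."""
    period = delta_up(-d) + eta_p        # P_n = delta_up(-Delta_n) + eta+
    T = d - period                       # offset seen by the falling transition
    return delta_down(T) + T - eta_m

def fixed_point(eta_p, eta_m):  # f(d) - d is increasing, so the fixed point is unique
    return bisect_root(lambda d: f(d, eta_p, eta_m) - d, 1e-9, DELTA_MIN)

def simulate(d1, eta_p, eta_m, max_pulses=1000):
    """Up-times Delta_1, Delta_2, ... under this fixed adversary, and how the loop ends."""
    ups, d = [], d1
    while len(ups) < max_pulses:
        ups.append(d)
        if d >= D_DOWN_INF or delta_up(-d) + eta_p <= d:
            return ups, "locks to 1"     # next rising edge cancels the falling edge
        d = f(d, eta_p, eta_m)
        if d <= 0:
            return ups, "resolves to 0"  # the pulse is cancelled
    return ups, "pulse train"

if __name__ == "__main__":
    ep = 0.02
    D = fixed_point(ep, eta_minus_max(ep))
    print(D, D / (delta_up(-D) + ep), simulate(D + 1e-6, ep, eta_minus_max(ep))[1])
```

With η− at that limit the fixed point coincides with δmin and the duty cycle with δmin/(δmin + η+); any smaller η− moves the fixed point strictly below δmin.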
For dimensioning the high-threshold buffer, we can re-use
Lemmas 13 and 14 from [5]:
Lemma 10 ([5, Lem. 13]). Let C be an exp-channel with
threshold Vth and initial value 0, and let 0 ≤ Γ < Vth. Then
there exists some Θ > 0 such that every finite or infinite pulse
train with pulse lengths Θn ≤ Θ, n ≥ 0, and duty cycles
Γn ≤ Γ, n ≥ 1, is mapped to the zero signal by C.
Lemma 11 ([5, Lem. 14]). Let Θ > 0 and 0 ≤ Γ < 1. Then,
there exists an exp-channel C such that every finite or infinite
pulse train with pulse lengths Θn ≤ Θ, n ≥ 0, and duty cycles
Γn ≤ Γ, n ≥ 1, is mapped to the zero signal by C.
By choosing Γ = γ(1 + ε) < 1 for some ε > 0 sufficiently
small and Θ so large that the feed-back loop in Figure 5 has
already locked to constant 1 at time T + Θ, where T is the
time when some pulse ∆n, n ≥ 1, of the feed-back loop
with duty cycle γ(1 + ε) has started, we get the following: If
SPF input pulse lengths ∆0 and adversarial choices are such
that no ∆n reaches duty cycle γ(1 + ε), the output of the
exp-channel is constant zero; otherwise, there is a single up-
transition (occurring only after T+Θ) at the output. Therefore:
Theorem 12. There is a circuit that solves unbounded SPF.
Proof. If $\Delta_0 < \delta^\uparrow_\infty - \delta_{\min} - \eta^+ - \eta^-$, Theorem 9 ensures that
the input of the high-threshold buffer is constant 0, and so
is the output. If $\Delta_0 > \delta^\uparrow_\infty + \eta^+$, then the input of the high-
threshold buffer experiences a single up-transition (at time 0),
and so does the output (eventually).
For ∆0 in between, we distinguish two cases: (i) Suppose
∆0 and the adversarial choices are such that no ∆n ever
reaches duty cycle γ(1 + ε). Then, the minimality of the
period P of the worst-case pulse train guaranteed by Lemma 5
implies that the input of the high-threshold buffer sees pulses
with duration at most Θ and duty cycle at most Γ. Hence,
Lemma 11 guarantees a zero-output in this case.
For the other case (ii), which is guaranteed to happen when
∆0 > ∆˜0 (but may also occur for smaller values of ∆0 in
the case of certain adversarial choices), there is some time T
where a 1-pulse Θn starts at the input of the exp-channel that
will (along with its subsequent 0) have a duty cycle Γn ≥
Γ > γ. Moreover, by time T + Θ, the last input transition (to
1) has already occurred. Lemma 11 not only guarantees that
all pulses occurring before T cancel, but also the ones that
occur before time T + Θ: after all, even a single, long pulse
Θn = Θ would still be canceled. Therefore, since the input of
the exp-channel is already stable at 1 at time T + Θ, only this
final rising transition will eventually appear at the output.
Fig. 6: Schematics of the ASIC used for validation measurements. It
combines an inverter chain with analog high-speed sense amplifiers.
V. SIMULATIONS
In this section, we complement the proof of faithfulness
provided in the previous section with simulation experiments
and measurement results, which confirm that our η-involution
model indeed captures reality better than the original invo-
lution model [12]. Whereas more experiments, with different
technologies and more complex circuits (including multi-input
gates), would be needed to actually claim improved model
coverage, our results are nevertheless encouraging.
We employ the same experimental setup as in [12], which
uses UMC-90 nm and UMC-65 nm bulk CMOS 7-stage inverter
chains as the primary targets. For UMC-65, we resorted
to Spice simulations of a standard cell library implementation;
for UMC-90, we relied on a custom ASIC [8]. The latter
provides a 7-stage inverter chain built from 700 nm x 80 nm
(W x L) pMOS and 360 nm x 80 nm nMOS transistors,
with threshold voltages 0.29 V and 0.26 V, respectively, and
a nominal supply voltage of VDD = 1 V. As all inverter
outputs are connected to on-chip low-intrusive high-speed
analog sense amplifiers (gain 0.15, -3 dB cutoff frequency
8.5 GHz, input load equivalent to 3 inverter inputs), see
Fig. 6, which can directly drive the 50 Ω input of a high-
speed real-time oscilloscope, the ASIC facilitates the faithful
analog recording of all signal waveforms. Independent power
supplies and grounds for inverters and amplifiers also facilitate
measurements with different digital supply voltages VDD.
For convenience, we provide the delay functions determined
in [12] in Fig. 7 (δ↓ for UMC-90, measurements).
In order to validate the η-involution model, we use the
following general approach: Given simulated/measured output
waveforms of a single inverter excited by input pulses of
different width, we compare (i) the digital output obtained
from the simulated/measured waveforms with (ii) the
predictions for some given delay function. The difference between
the transition times of the predicted and the real digital output is a
measure of the modeling inaccuracy of the original involution
model. If these differences can be compensated by suitable
output shifts within [η−, η+], however, we can claim that the
η-involution model matches the real behavior of the circuit
for the given waveforms. Since faithfulness puts the severe
constraint η+ + η− < δ↓(−η+) − δmin on η+, η−, recall
Lemma 5, it is not clear under which conditions this claim
indeed holds. In our evaluation, η+ was first set to a suitable
value (η+ > 0) and afterwards η− was calculated according
to η− = δ↓(−η+) − δmin − η+. Clearly, this results in different
η bounds in each of the figures below.
Fig. 7: Measured δ↓ for UMC-90 inverter chain for VDD ∈
{0.3, 0.4, 0.6, 0.7, 0.8, 1} V and simulated (dashed brown) δ↓ for
VDD = 0.6 V, taken from [12, Fig. 7]. Axes: T [ns] (horizontal),
δ(T) [ns] (vertical).
The particular questions addressed in our experiments are
the following: Is the allowed range for η+ and η− sufficient
for the η-involution model to capture: (a) The circuit behavior
under variations of certain operating conditions. After all,
circuit delays change with varying supply voltage and tem-
perature, so the question remains to what extent the resulting
fluctuations are covered by the η-involution model. (b) The
circuit behavior under process variations. In general, circuit
delays vary from manufactured chip to chip, so the question
arises whether the η-involution model based on a “typical”
delay function covers typical process variations. (c) The real
behavior of our inverter chain with a (suitably parametrized)
standard involution function, in particular for exp-channels.
This would simplify model calibration, as it is typically easier
to determine the exp-channel model parameters for a given
circuit [2], rather than its entire delay function.
To investigate question (a), i.e., the robustness against
voltage variations, we added a sine wave to the voltage supply
source (nominally 1.2 V = VDD) with a period similar to the
full range switching time of the inverter and a magnitude of
0.012 V (1 % of VDD). We applied pulses of differing width
to the input of the inverter and recorded the output, where
the phase of the sine wave was set randomly between 0 and
360 degrees for each pulse. Fig. 8a shows the deviation D between
the prediction and the actual crossing over the previous-output-
to-input delay T. Despite the stringent bounds on η,
it is possible to fully cover the resulting delay variations for
low T; for higher values, however, the η-involution model
no longer applies. Please note that the huge difference between
δ↓ and δ↑ can be easily explained by the fact that δ↑ results
in a falling transition at the output of the inverter. For this
transition, the transistor connecting the output to the power
supply gets closed more and more, reducing also the impact
of the voltage variations. (When varying the ground level, the
reverse case can be observed.)
To answer question (b), we chose to vary the transistor
width, which increases/decreases the maximum current and
allows us to model variations of resistance and capacitance
as well. The simulations themselves were carried out in the
same fashion as described in the last paragraph, except that
VDD = 1.2 V was constant. Fig. 8b shows the results for 10
% wider transistors, where the η-bound is even bigger than
required. In contrast, the deviations for 10 % narrower ones
(Fig. 8c) exceed the η-bound with increasing values of T .
Unlike VDD variations, varying transistor sizes, as expected,
either increases or decreases the delay. This can be seen very
clearly in the figures, as one trace is well below and one well
above D = 0.
For question (c), we tried to fit the parameters of the
involution function (2) for exp-channels w.r.t. the measurement
data published in [12] and evaluated the deviations D between
the resulting model predictions and the real digital output.
Whereas the deviations over the whole range of T exceed the
feasible η-bounds, one can observe that even this very simple
exp-channel only results in minor mispredictions near T = 0.
As shown in Fig. 9, it again turns out that, when using the
resulting involution function, excessive deviations occur (quite
naturally) for large values of T only.
We hence conclude that the η-involution model indeed im-
proves the modeling accuracy of the original involution model,
despite the fact that the allowed non-determinism, i.e., η, is
quite restricted. Moreover, our simulation experiments indicate
that the absolute deviations |D| between model predictions
and real traces increase with increasing previous-output-
to-input delay T, making it possible to fully compensate D
via η near T = 0. This is crucial, as our η-bounds result from
proving faithfulness, which involves the range T ∈ [−δmin, 0]
only. For larger T , D grows bigger, but in this region, it might
be feasible to also increase the allowed non-determinism as
these values are almost irrelevant w.r.t. faithfulness.
VI. CONCLUSIONS AND FUTURE WORK
We proved the surprising fact that adding non-determinism
to the delays of involution channels, the only delay model
known so far that is faithful for the SPF problem, does
not invalidate faithfulness. As confirmed by some simulation
experiments and even measurements, noise, varying operating
conditions and process parameter variations hence do not a
priori rule out faithful continuous-time, binary value models.
Part of our future work will be devoted to further increasing the
level of non-determinism sustained by our model, to handling
more complex circuits, and to the first steps toward incorporating
the η-involution model in a suitable formal verification tool.
Fig. 8: Deviation between predicted and actual VTH crossings for different variations:
(a) Power supply variations of 1 %. (b) Transistor width increase of 10 %.
(c) Transistor width reduction of 10 %. Axes in each panel: previous-output-to-input
delay (T) [ps] (horizontal), deviation (D) [ps] (vertical); legend entries δ↓, δ↑, η.
Fig. 9: Fitting an exp-channel involution to measured data. Axes: previous-output-to-input
delay (T) [ns] (horizontal), deviation (D) [ps] (vertical); legend entries δ↓, δ↑, η.
REFERENCES
[1] José C. Barros and Brian W. Johnson. Equivalence of the arbiter, the
synchronizer, the latch, and the inertial delay. IEEE ToC, 32(7):603–614,
1983.
[2] M. J. Bellido-Díaz, J. Juan-Chico, A. J. Acosta, M. Valencia, and J. L.
Huertas. Logical modelling of delay degradation effect in static CMOS
gates. IEE Proceedings – Circuits, Devices, and Systems, 147(2):107–117,
2000.
[3] Manuel J. Bellido-Díaz, Jorge Juan-Chico, and Manuel Valencia.
Logic-Timing Simulation and the Degradation Delay Model. Imperial College
Press, London, 2006.
[4] C. E. Calosso and E. Rubiola. Phase noise and jitter in digital electronics.
arXiv:1701.00094, 2016.
[5] Matthias Függer, Robert Najvirt, Thomas Nowak, and Ulrich Schmid.
Faithful glitch propagation in binary circuit models. arXiv:1406.2544,
2014.
[6] Matthias Függer, Robert Najvirt, Thomas Nowak, and Ulrich Schmid.
Towards binary circuit models that faithfully capture physical solvability.
In Proceedings of the 2015 Design, Automation & Test in Europe
Conference & Exhibition, DATE ’15, pages 1455–1460, San Jose, CA,
USA, 2015. EDA Consortium.
[7] Matthias Függer, Thomas Nowak, and Ulrich Schmid. Unfaithful glitch
propagation in existing binary circuit models. IEEE Transactions on
Computers, 65(3):964–978, March 2016.
[8] Michael Hofbauer, Kurt Schweiger, Horst Dietrich, Horst Zimmermann,
Kay-Obbe Voss, Bruno Merk, Ulrich Schmid, and Andreas Steininger.
Pulse shape measurements by on-chip sense amplifiers of single event
transients propagating through a 90 nm bulk CMOS inverter chain. IEEE
Transactions on Nuclear Science, 59(6):2778–2784, December 2012.
[9] Synopsys Inc. CCS timing library characterization guidelines, October
2016. Version 3.4.
[10] Leonard R. Marino. The effect of asynchronous inputs on sequential
network reliability. IEEE ToC, 26(11):1082–1090, 1977.
[11] Leonard R. Marino. General theory of metastable operation. IEEE ToC,
30(2):107–115, 1981.
[12] Robert Najvirt, Ulrich Schmid, Michael Hofbauer, Matthias Függer,
Thomas Nowak, and Kurt Schweiger. Experimental validation of a
faithful binary circuit model. In Proceedings of the 25th Edition on
Great Lakes Symposium on VLSI, GLSVLSI ’15, pages 355–360, New
York, NY, USA, 2015. ACM.
[13] Cadence Design Systems. Effective current source model (ECSM)
timing and power specification, January 2015. Version 2.1.2.
[14] Stephen H. Unger. Asynchronous sequential switching circuits with
unrestricted input changes. IEEE ToC, 20(12):1437–1444, 1971.
