A Faithful Binary Circuit Model with Adversarial Noise
Matthias Függer, Jürgen Maier, Robert Najvirt, Thomas Nowak, Ulrich Schmid
Matthias Függer*, Jürgen Maier†, Robert Najvirt†, Thomas Nowak‡, Ulrich Schmid†
* CNRS & LSV, ENS Paris-Saclay; † Technische Universität Wien; ‡ Université Paris-Sud
This is the unedited authors' version of a submitted work that was subsequently accepted for publication at the 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE).
Abstract—Accurate delay models are important for static and dynamic timing analysis of digital circuits, and mandatory for formal verification. However, Függer et al. [IEEE TC 2016] proved that pure and inertial delays, which are employed for dynamic timing analysis in state-of-the-art tools like ModelSim, NC-Sim and VCS, do not yield faithful digital circuit models. Involution delays, which are based on delay functions that are mathematical involutions depending on the previous-output-to-input time offset, were introduced by Függer et al. [DATE'15] as a faithful alternative (that can easily be used with existing tools). Although involution delays were shown to predict real signal traces reasonably accurately, any model with a deterministic delay function is naturally limited in its modeling power. In this paper, we thus extend the involution model by adding non-deterministic delay variations (random or even adversarial), and prove analytically that faithfulness is not impaired by this generalization. Albeit the amount of non-determinism must be considerably restricted to ensure this property, the result is surprising: the involution model differs from non-faithful models mainly in handling fast glitch trains, where small delay shifts have large effects. This originally suggested that adding even small variations should break the faithfulness of the model, which turned out not to be the case. Moreover, the results of our simulations also confirm that this generalized involution model has larger modeling power and, hence, applicability.
I. INTRODUCTION
Modern digital circuit design relies heavily on fast functional simulation tools like Cadence NC-Sim, Mentor Graphics ModelSim or Synopsys VCS, which also allow dynamic timing validation using suitable delay models. In fact, for modern VLSI technologies with their switching times in the picosecond range, static timing analysis may not be sufficient for critical parts of a circuit, where e.g. the presence of glitch trains may severely affect correctness and power consumption. Fully-fledged analog simulations, on the other hand, are often too costly in terms of simulation time.

Delay models like CCSM [9] and ECSM [13] used in gate-level timing analysis tools make use of elaborate characterization techniques, which incorporate technology-dependent information like driving strengths of a gate for a wide range of voltages and load capacitances. Based on these data, dynamic timing analysis tools compute the delay for each gate and wire in a specific circuit, which is then used to parametrize pure and/or inertial delay channels (i.e., model components representing delays). Recall that pure delay channels model a constant transport delay, whereas inertial delay channels [14] allow an input transition to proceed to its output only if there is no subsequent (opposite) input transition within some time window ∆ > 0. Subsequent simulation and dynamic timing analysis runs use these pre-computed delays as constants, i.e., they are not reevaluated at every point in time.

More accurate simulation and dynamic timing analysis results can be achieved by the Degradation Delay Model (DDM), introduced by Bellido-Díaz et al. [2], [3], which allows channel delays to vary and covers gradual pulse cancellation effects.

Függer et al. [7] investigated the faithfulness of digital circuit models, i.e., whether a problem solvable in the model can be solved with a real physical circuit and vice versa. Unfortunately, however, they proved that none of the existing models is faithful: for the simple Short-Pulse Filtration (SPF) problem, which resembles a one-shot variant of an inertial delay channel, they showed that every model based on bounded single-history channels (see below for the definition) either contradicts the unsolvability of SPF in bounded time or the solvability of SPF in unbounded time by physical circuits [11].

Single-history channels allow the input-to-output delay for a given input transition to depend on the time of the previous output transition. Formally, a single-history channel is defined by a delay function δ : R → R, where δ(T) determines the delay of an input transition at time t, given that the previous output transition occurred at time t − T. Fig. 1 depicts the involved parameters. Note that T and δ(T) are potentially negative in the case of a short input pulse, where a new input transition occurs earlier than the just scheduled previous output transition. Together with the rule that non-FIFO transitions cancel each other, this allows to model attenuation and even suppression of glitches. Fig. 2 shows an example input/output trace generated by a single-history channel. Note that, for bounded single-history channels, δ(T) cannot point arbitrarily far back into the past.

Fig. 1: Input/output signal of single-history channel, involving the previous-output-to-input delay T and input-to-output delay δ(T). [figure: traces in(t) and out(t) with T and δ(T) marked]

Fig. 2: Single-history channels allow to model pulse attenuation: The delay δ(T) becomes smaller with smaller previous-output-to-input time T. Observe the cancellation of the second pulse due to non-FIFO-scheduled output transitions. [figure: traces in(t) and out(t)]

In [6], Függer et al. introduced an unbounded single-history channel model based on involution channels, which use a delay function δ(T) whose negative is self-inverse, i.e., fulfills the involution property −δ(−δ(T)) = T. They proved that, in sharp contrast to bounded single-history channels, SPF cannot be solved in bounded time with involution channels, whereas it is easy to provide an unbounded SPF implementation, which is in accordance with real physical circuits [11]. Hence, binary-valued circuit models based on involution channels are faithful with respect to the SPF problem. We note that this actually implies faithfulness also w.r.t. other, practically more relevant problems: analogous to [1], it is possible to implement a one-shot version of a latch (that allows a single up- and a single down-transition of the enable input) using a circuit solving SPF, and vice versa. Consequently, the involution model is also faithful for one-shot latches. Moreover, in [12], Najvirt et al. used both measurements and Spice simulations to show that the involution model can also be made reasonably accurate by suitable parametrization, in the sense that it nicely (though not perfectly) predicts the actual glitch propagation behavior of a real circuit, namely, an inverter chain.

As it is easy to replace the standard pure or inertial delays currently used in VITAL or Verilog models by involution delays, the model is not only a promising starting point for sound formal verification, but also allows to seamlessly improve existing dynamic timing analysis tools.

Footnote: This research was supported by the FATAL (grant P21694) and SIC project (grant P26436-N30) of the Austrian Science Fund (FWF).

Main contributions:
Notwithstanding its superiority with respect to faithfulness, like every deterministic delay model, the involution model has limited modeling power: many different effects in physical circuits cause various types of noise in signal waveforms and, hence, jitter in the digital abstraction [4]. No deterministic delay function can properly capture the resulting variability in the signal traces.

In this paper, we relax the involution model introduced in [6] by adding limited non-determinism η = [−η−, η+], for some fixed η−, η+ ≥ 0, on top of the (deterministic) involution delay function δ(T). We prove that this can be done without sacrificing faithfulness: both the original SPF impossibility result and, in particular, a novel SPF possibility hold for this generalized model. We need to stress, however, that adding non-determinism is merely a convenient way of securing maximum generality of our results: no practically observable bounded jitter phenomenon, neither bounded random noise, from white to slowly varying flicker noise [4], nor even adversarially chosen transition time variations can invalidate the faithfulness of the resulting η-involution model. Deterministic effects, like slightly different thresholds due to process variations, are of course also covered.

Note carefully that, albeit the non-determinism (η+ and η−) must be restricted to ensure faithfulness, the mere fact that we can afford some non-determinism here at all is very surprising: comparing the faithful original involution model and the non-faithful DDM model reveals that they primarily differ in handling fast glitch trains, where small delay shifts have large effects. We thus conjectured originally that adding even small non-determinism would break the border between both models, which we now know is not the case.

Our generalization also results in an improved principal modeling accuracy of the η-involution model: thanks to the additional freedom for choosing transition times provided by η, it is obviously easier to match the real behavior of a circuit with some feasible behavior of the circuit in the model. We provide some simulation results (in a similar setting as used in [12]), which demonstrate that it is indeed possible to match the behavior of a real inverter chain with the η-involution model if the variations of operating conditions resp. process variations are small. Whereas this does not hold for larger variations, we observed that excessive deviations occur for relatively large values of T only, which are essentially irrelevant for faithfulness. We are of course aware that more validation experiments, with more complex circuits, will be needed to actually claim good accuracy of the η-involution model; nevertheless, our preliminary results are encouraging.

Regarding applicability, we consider the η-involution model interesting for primarily two reasons: First, it facilitates accurate modeling and analysis of circuits under (restricted) noise, varying operating conditions and parameter variations. Second, to the best of our knowledge, it is the first model that appears to be a suitable basis for the sound formal verification of a circuit, which aims at proving that the circuit meets its specification in every feasible trace. We thus believe that our η-involution model might eventually turn out to be an interesting ingredient for a novel verification tool.

Paper organization:
In Section II, we provide some indispensable basics of standard involution channels taken from [6]. Section III defines our η-involution model, Section IV provides the proofs for faithfulness. Our simulation results are presented in Section V, and some conclusions and directions of our current/future work are appended in Section VI.

Footnote: We stress that we do not aim at resolving the non-determinism of the η-involution model to build an accurate simulator in this paper, but rather at providing a model that makes this possible.

II. THE INVOLUTION MODEL WITHOUT CHOICE

Before we can present the generalized η-involution model with non-deterministic delay variations, we recall the basics from the circuit model introduced in [6].

Signals. A falling transition at time t is the pair (t, 0), a rising transition at time t is the pair (t, 1). A signal is a list of alternating transitions such that
S1) the initial transition is at time −∞; all other transitions are at times t ≥ 0,
S2) the sequence of transition times is strictly increasing,
S3) if there are infinitely many transitions in the list, then the set of transition times is unbounded.
To every signal s (uniquely) corresponds a function R → {0, 1}, its signal trace, whose value at time t is that of the most recent transition.

Circuits.
Circuits are obtained by interconnecting the external interface, i.e., a set of input and output ports, and a set of combinational gates via channels. The valid connections are constrained by demanding that gates and channels must alternate on every path in the circuit and that any gate input and output port is attached to only one channel output. Formally, we describe a circuit by a directed graph with potentially multiple edges between nodes. Its nodes are in/out ports and gates, and edges are channels. A channel has a channel function, which maps input signals to output signals, whereas a gate is characterized by a (zero-time) Boolean function and an initial Boolean value that defines its output until time 0. Channels connecting input and output ports are assumed to have zero delay, in order to facilitate the composition of circuits.

Executions. An execution of circuit C is an assignment of signals to the vertices and edges of C that respects channel functions, Boolean gate functions, and initial values of gates. Signals on input ports are unrestricted. For an edge c representing a channel with channel function f_c from vertex v in C, we require that the signal s_c assigned to c fulfills s_c = f_c(s_v).

Involution Channels.
An involution channel propagates each transition at time t of the input signal to a transition at the output happening after some input-to-output delay δ(T), which depends on the previous-output-to-input delay T (cf. Fig. 1). An involution channel function is characterized by two strictly increasing concave delay functions δ↑ : (−δ↓∞, ∞) → (−∞, δ↑∞) and δ↓ : (−δ↑∞, ∞) → (−∞, δ↓∞) such that both δ↑∞ = lim_{T→∞} δ↑(T) and δ↓∞ = lim_{T→∞} δ↓(T) are finite and

−δ↑(−δ↓(T)) = T and −δ↓(−δ↑(T)) = T (1)

for all T. All such functions are necessarily continuous. For simplicity, we will also assume them to be differentiable; δ being concave thus implies that its derivative δ′ is monotonically decreasing. In this paper, we assume all involution channels to be strictly causal, i.e., δ↑(0) > 0 and δ↓(0) > 0.

A particular and important special case are the so-called exp-channels: They occur when gates drive RC-loads and generate digital transitions when reaching a certain threshold voltage V_th (typically V_th = 1/2 of the maximum voltage V_DD). We obtain

δ↑(T) = τ ln(1 − e^(−(T + T_p − τ ln(V_th))/τ)) + T_p − τ ln(1 − V_th),
δ↓(T) = τ ln(1 − e^(−(T + T_p − τ ln(1 − V_th))/τ)) + T_p − τ ln(V_th),

where τ is the RC constant, T_p the pure delay component and V_th = V_th/V_DD the normalized threshold.

For ease of reference, we restate the following technical lemma from [5], [6]:

Fig. 3: The η-involution channel: Non-deterministic choice of the tentative output transition after applying δ(T). [figure: traces in(t) and out(t) with T, δ(T) and the interval [−η−, η+] marked]

Lemma 1.
A strictly causal involution channel has a unique δ_min defined by δ↑(−δ_min) = δ_min = δ↓(−δ_min), which is positive. For exp-channels, δ_min = T_p. For the derivative, we have δ′↑(−δ↓(T)) = 1/δ′↓(T) and hence δ′↑(−δ_min) = 1/δ′↓(−δ_min).

The channel function f_c mapping input signal s to output signal f_c(s) (cp. Fig. 2) is defined via the following algorithm. It can easily be implemented in e.g. VHDL to be used by existing simulators like ModelSim, as these simulators automatically drop transitions on signals violating FIFO order.

Output transition generation algorithm:
Let t, t, . . . be the transition times of s, set t = −∞ and δ = 0.
• Initialization: Copy the initial transition at time −∞ from the input signal to the output signal.
• Iteration: Iteratively determine the tentative list of pending output transitions: Determine the input-to-output delay δ_n for the input transition at time t_n by setting δ_n = δ↑(t_n − t_{n−1} − δ_{n−1}) if t_n is a rising transition and δ_n = δ↓(t_n − t_{n−1} − δ_{n−1}) if it is falling. The n-th and m-th pending output transitions cancel if n < m but t_n + δ_n ≥ t_m + δ_m. In this case, we mark both as canceled.
• Return: The channel output signal f_c(s) has the same initial value as the input signal, and contains every pending transition at time t_n + δ_n that has not been marked as canceled.

III. INTRODUCING ADVERSARIAL CHOICE
We now generalize the circuit model from the previous section to allow a non-deterministic perturbation of the output transition times after the application of the delay functions δ↑ and δ↓. Note that the resulting output shifts need not be the same for all applications of the delay functions; they can vary arbitrarily from one transition to the next. However, each perturbation needs to be within some pre-determined interval η = [−η−, η+]. These non-deterministic choices can be used to model various effects in digital circuits that cannot be captured by single-history delay functions, ranging from arbitrary types of noise [4] to unknown variations of process parameters and operating conditions. Fig. 3 shows the possible variation of the output transition time caused by the non-deterministic choice.

Formally, we change the notion of the channel function to accept an additional parameter: A channel has a channel function, which maps each pair (s, H) to an output signal, where s is the channel's input signal and H is a parameter taken from some suitable set of admissible parameters (see below). We also adapt the definition of an execution to allow an adversarial choice of H: For an edge c from v in C, we require that there exists some admissible parameter H such that the signal s_c fulfills s_c = f_c(s_v, H).

For η-involution channels, we let the admissible parameters H be any sequence of choices η_n ∈ η. The output transition generation algorithm's Iteration step for the n-th transition of the input signal is adapted as follows: δ_n = δ↑(max{t_n − t_{n−1} − δ_{n−1}, −δ↑∞}) + η_n if t_n is a rising transition and δ_n = δ↓(max{t_n − t_{n−1} − δ_{n−1}, −δ↓∞}) + η_n if it is falling. Note that the max-terms guard against adversarial choices that would exceed the domain of δ↑(.) and δ↓(.). This could occur only in the extreme situation of a short glitch after a long stable input, which must be canceled anyway. So enforcing δ_n = δ↑(−δ↑∞) + η_n = −∞ resp. δ_n = δ↓(−δ↓∞) + η_n = −∞ in this case is safe. As this cannot occur in the cases analyzed in this paper, we will subsequently omit the max-terms in the definition of δ_n for simplicity.

Fig. 4 depicts two example signal traces, out and out, obtained by an η-involution channel with the same underlying δ as the one in Fig. 2. Observe that the adversary has the freedom to "de-cancel" pulses that would have canceled according to the delay function (second pulse in out), extend pulses (first pulse in out), and shift pulses (first pulse in out).

Fig. 4: The η-involution channel covers pulse attenuation under (bounded) adversarial noise, varying operating conditions, parameter variations and other modeling inaccuracies. Observe the different output behaviors out and out for the same input trace, caused by different adversarial choices (η, η, . . .). The output transitions that would have been caused just by δ(T), without η-shifts, are dotted. Note that different adversarial choices usually change the history and, hence, T and thus δ(T). [figure: one input trace in(t) with two output traces out(t) under different η choices]

IV. FAITHFULNESS OF INVOLUTION CHANNELS WITH ADVERSARIAL CHOICE
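Before turning to the faithfulness proofs, the following added example (written for this page; it is not code from the paper or its authors) puts the preceding definitions into running form: an exp-channel with the delay functions of Section II, the output transition generation algorithm with the per-transition η-shifts of Section III, and, for the fixed-point argument of Lemma 5 in Section IV below, a bisection solver for δ↓(η+ − τ) + δ↑(−η− − τ) = τ together with the map f of eq. (2). All numeric values (RC constant 1, T_p = 0.5, V_th = 0.5, η− = η+ = 0.05, the pulse lengths and the ±0.2 shifts) are constructed for illustration, and the class and function names are this example's own.

```python
import math


class ExpChannel:
    """Exp-channel of Section II: delay functions delta_up / delta_down of a gate
    driving an RC load (RC constant tau, pure delay T_p, threshold v_th = V_th/V_DD)."""

    def __init__(self, tau, t_p, v_th=0.5):
        self.tau, self.t_p, self.v_th = tau, t_p, v_th
        # finite limits delta_up_inf and delta_down_inf for T -> infinity
        self.d_up_inf = t_p - tau * math.log(1 - v_th)
        self.d_down_inf = t_p - tau * math.log(v_th)

    def _delay(self, T, a, b, limit, lower):
        # tau*ln(1 - exp(-(T + T_p - tau*ln a)/tau)) + T_p - tau*ln b, with the
        # domain guard of Section III: outside (lower, inf) the delay is -inf
        if T == math.inf:
            return limit
        if T <= lower:
            return -math.inf
        x = (T + self.t_p - self.tau * math.log(a)) / self.tau
        return self.tau * math.log(1 - math.exp(-x)) + self.t_p - self.tau * math.log(b)

    def delta_up(self, T):      # domain (-delta_down_inf, inf), limit delta_up_inf
        return self._delay(T, self.v_th, 1 - self.v_th, self.d_up_inf, -self.d_down_inf)

    def delta_down(self, T):    # domain (-delta_up_inf, inf), limit delta_down_inf
        return self._delay(T, 1 - self.v_th, self.v_th, self.d_down_inf, -self.d_up_inf)

    def delta_min(self):        # Lemma 1: delta_min = T_p for exp-channels
        return self.t_p


def channel_output(transitions, ch, eta=None):
    """Output transition generation algorithm (Section II) with the shifts eta[n]
    of Section III (eta=None is the plain involution channel).
    transitions: [(t_n, value_n)] with strictly increasing times and alternating
    values; the initial transition at -inf is copied implicitly, so the output
    keeps the input's initial value. Returns the surviving (time, value) pairs."""
    prev_t, prev_d = -math.inf, 0.0          # t_0 = -inf, delta_0 = 0
    pending = []
    for n, (t, val) in enumerate(transitions):
        T = t - prev_t - prev_d              # previous-output-to-input offset (+inf for n = 0)
        shift = eta[n] if eta is not None else 0.0
        d = (ch.delta_up(T) if val == 1 else ch.delta_down(T)) + shift
        pending.append([t + d, val, False])
        prev_t, prev_d = t, d
    # non-FIFO pending transitions cancel: n < m but t_n + d_n >= t_m + d_m
    for i in range(len(pending)):
        for j in range(i + 1, len(pending)):
            if pending[i][0] >= pending[j][0]:
                pending[i][2] = pending[j][2] = True
    return [(o, v) for o, v, cancelled in pending if not cancelled]


def next_up_time(ch, d_prev, eta_minus, eta_plus):
    """f of eq. (2): up-time of the next OR-output pulse in the circuit of Fig. 5 under
    the worst-case choice (rising transitions eta+ late, falling transitions eta- early)."""
    a = ch.delta_up(-d_prev)
    return ch.delta_down(d_prev - eta_plus - a) + d_prev - eta_minus - eta_plus - a


def worst_case_pulse_train(ch, eta_minus, eta_plus, iters=200):
    """Lemma 5: checks constraint (C), then finds the fixed point tau of
    delta_down(eta+ - tau) + delta_up(-eta- - tau) = tau by bisection on h(tau)
    over (eta+ + delta_min, min(-eta- + delta_down_inf, eta+ + delta_up_inf)).
    h is strictly decreasing (both delay functions are strictly increasing), so
    the root is the unique, hence smallest, positive fixed point.
    Returns (period tau, up-time delta_bar, duty cycle gamma)."""
    if not eta_plus + eta_minus < ch.delta_down(-eta_plus) - ch.delta_min():
        raise ValueError("constraint (C) violated")
    h = lambda x: ch.delta_down(eta_plus - x) + ch.delta_up(-eta_minus - x) - x
    lo = eta_plus + ch.delta_min()                       # h(lo) > 0 under (C)
    hi = min(-eta_minus + ch.d_down_inf, eta_plus + ch.d_up_inf)   # h(hi) = -inf
    for _ in range(iters):
        mid = (lo + hi) / 2
        if h(mid) > 0:
            lo = mid
        else:
            hi = mid
    tau = (lo + hi) / 2
    delta_bar = ch.delta_down(eta_plus - tau)
    return tau, delta_bar, delta_bar / tau


if __name__ == "__main__":
    ch = ExpChannel(tau=1.0, t_p=0.5)        # constructed parameters
    print("delta_min =", ch.delta_min())
    print("pulse 0.5, plain channel   :", channel_output([(0.0, 1), (0.5, 0)], ch))
    print("pulse 0.5, de-cancelled    :", channel_output([(0.0, 1), (0.5, 0)], ch, eta=[-0.2, 0.2]))
    print("pulse 1.0, attenuated      :", channel_output([(0.0, 1), (1.0, 0)], ch))
    tau_fp, d_bar, gamma = worst_case_pulse_train(ch, 0.05, 0.05)
    print(f"worst-case train: period {tau_fp:.4f}, up-time {d_bar:.4f}, duty cycle {gamma:.4f}")
```

With these parameters the script reproduces the behaviours of Fig. 2 and Fig. 4: the 0.5-long pulse is cancelled by the plain involution channel, the same pulse survives when the adversary takes its rising transition 0.2 early and its falling transition 0.2 late (the shift changes the history, hence T and δ(T), exactly as the caption of Fig. 4 notes), and the 1.0-long pulse passes attenuated. For the Lemma 5 part, the bisection treats the −∞ that the domain guard returns at the right end of the interval as a negative value of h, and the returned up-time satisfies f(∆̄) = ∆̄ and ∆̄ < δ_min, as the lemma asserts.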
In this section, we will prove that η-involution channels are faithful with respect to Short-Pulse Filtration (SPF).

A pulse of length ∆ at time T has initial value 0, one rising transition at time T, and one falling transition at time T + ∆. A signal contains a pulse of length ∆ at time T if it contains a rising transition at time T, a falling transition at time T + ∆ and no transition in between.

Definition 2 (Short-Pulse Filtration). A circuit with a single input and a single output port solves Short-Pulse Filtration (SPF), if it fulfills the following conditions for all admissible channel function parameters H:
F1) The circuit has exactly one input and one output port. (Well-formedness)
F2) A zero input signal produces a zero output signal. (No generation)
F3) There exists an input pulse such that the output signal is not the zero signal. (Nontriviality)
F4) There exists an ε > 0 such that for every input pulse the output signal never contains a pulse of length less than ε. (No short pulses)
Note that we allow the SPF circuit to behave arbitrarily if the input signal is not a (single) pulse.

Fig. 5: A circuit solving unbounded SPF, consisting of an OR-gate, with initial value 0, fed back by channel c, and a high-threshold buffer HT. [figure: OR gate with input i, feedback channel c, and buffer HT driving output o]

To show faithfulness of the η-involution model, we start with the trivial direction: we prove that no circuit with η-involution channels can solve the bounded-time variant of SPF (where the output must stabilize to constant 0 or 1 within bounded time). Note that this matches the well-known impossibility [10] of building such a circuit in reality. Indeed, the result immediately follows from the fact that the adversary is free to always choose η_n = 0, i.e., make the η-involution channels behave like involution channels. In [6], [5], it has been shown that no circuit with involution channels can solve bounded-time SPF, which completes the proof.

What hence remains to be shown is the existence of a circuit that solves SPF (with unbounded stabilization time) with η-involution channels. We can prove that the circuit shown in Fig. 5, which consists of a fed back OR-gate forming the storage loop and a subsequent buffer with a suitably chosen (high) threshold voltage (modeled as an exp-channel), does the job. As a consequence, a circuit model based on η-involution channels enjoys the same faithfulness as the involution channels of [6], even though its set of allowed behaviors is considerably larger.

Informally, we consider a pulse of length ∆ at time 0 at the input and reason about the behavior of the feed-back loop, i.e., the output of the OR gate. There are 3 cases: If ∆ is small, then the pulse is filtered by the channel in the feed-back loop. If it is big, the pulse is captured by the storage loop, leading to a stable output 1. For a certain range of ∆, the storage loop may be oscillating, possibly forever. In any case, however, it turns out that a properly chosen exp-channel can translate this behavior to a legitimate SPF output.

Lemma 3.
If the input pulse's length ∆ satisfies ∆ ≥ δ↑∞ + η+, then the output of the OR in Fig. 5 has a unique rising transition at time 0, and no falling transition.

Proof. Clearly, the output of the OR, hence the η-involution channel's input, will have a rising transition at time 0. The corresponding rising transition occurs at the channel output at the latest at η+ + δ↑∞ ≤ ∆. This guarantees the storage loop to lock, causing the OR output to stick to 1.

Lemma 4.
If the input pulse's length ∆ satisfies ∆ ≤ δ↑∞ − δ_min − η+ − η−, then the OR output in Fig. 5 contains only the input pulse.

Proof. The input signal contains only two transitions: one at time t = 0 and one at time t = ∆. The earliest time when the output transition corresponding to the rising input transition can occur is t′ = δ↑∞ − η−. For the falling input transition, we thus get T = ∆ − δ↑∞ + η−, and observe that the corresponding falling output transition cannot occur later than t′ = ∆ + η+ + δ↓(T). The two output transitions cancel iff t′ ≤ t′, which is equivalent to X = ∆ + η+ + δ↓(T) − δ↑∞ + η− ≤ 0. Replacing ∆ with the upper bound from the lemma reveals T ≤ −δ_min − η+ and X ≤ −δ_min + δ↓(−δ_min − η+) ≤ −δ_min + δ↓(−δ_min) = 0 by monotonicity of δ↓ and Lemma 1, which concludes the proof.

For an input pulse length that satisfies δ↑∞ − δ_min − η+ − η− < ∆ < δ↑∞ + η+, the OR output signal may contain a series of pulses of lengths ∆, ∆, ∆, . . . . In sharp contrast to standard involution channels [6], it is not the case that there is a unique value ∆ = ˜∆ that leads to an infinite series of (identical) pulses ∆ = ∆ = . . . . Rather, due to the adversarial choices, there is a range of values for ∆ that may lead to a whole range of infinite pulse trains, with varying pulse lengths, which are surprisingly difficult to bound.

An informal, high-level explanation of the approach that was eventually found to be successful is the following: we identified a self-repeating infinite "worst-case pulse train", which ensures that any adversarial choice that deviates from it at some point causes the subsequent pulses to die out, i.e., to resolve to a stable 1. In more detail, let ∆ be such that an infinite self-repeating pulse train ∆ = ∆ = ∆ = . . . exists, subject to the constraint that the adversary deterministically takes all rising transitions maximally (η+) late and all falling transitions maximally (η−) early. Note that this adversarial choice actually minimizes ∆_n for any given ∆_{n−1}. Therefore, given a pulse ∆_{n−1} = ∆, any other adversarial choice (as well as any larger ∆_{n−1} > ∆) leads to a subsequent pulse with ∆_n > ∆. As a consequence, ∆ is an upper bound for the length of every pulse ∆_n, n ≥ , occurring in an arbitrary infinite pulse train: if some ∆_{n−1} > ∆ ever happens, then ∆_{n+ℓ} > ∆ for every ℓ ≥ as well; in fact, Lemma 7 will reveal that the pulse train will only be finite in these cases. Similarly, since the adversarial choice that minimizes the up-time ∆_n simultaneously maximizes the down-time ∆′_n of a pulse, we also get a lower bound ∆′_n ≥ P − ∆ for all pulses in an arbitrary infinite pulse train, where P is the period of our infinite self-repeating pulse train.

For these arguments to work, we need to restrict the adversarial choice for the feed-back channel in Fig. 5:

η+ + η− < δ↓(−η+) − δ_min (C)

Formally, we have the following Lemma 5:

Lemma 5.
Consider the circuit in Fig. 5 subject to constraint (C). Assume that the input pulse length ∆ is such that it results in an infinite pulse train ∆, ∆, . . . occurring at the output of the OR. Then, for every n ≥ , the up-time ∆_n satisfies ∆_n ≤ ∆, the down-time ∆′_n (preceding the pulse with up-time ∆_n) satisfies ∆′_n ≥ P − ∆, and P_n = ∆_n + ∆′_{n+1} ≥ P. Herein, ∆ = δ↓(η+ − τ) with ∆ < δ_min is the up-time of an infinite self-repeating pulse train with period P = τ and duty cycle γ = ∆/P, with τ > 0 denoting the smallest positive fixed point of the equation δ↓(η+ − τ) + δ↑(−η− − τ) = τ, which is guaranteed to exist and satisfies η+ + δ_min < τ < min(−η− + δ↓∞, η+ + δ↑∞).

Proof. In the circuit of Figure 5, the n-th input pulse of the η-involution channel c is just its (n−1)-th output pulse. Therefore, for all n > , the output pulse length ∆_n under the worst-case adversarial choice of η+-late rising and η−-early falling transitions evaluates to

∆_n = f(∆_{n−1}) = δ↓(∆_{n−1} − η+ − δ↑(−∆_{n−1})) + ∆_{n−1} − η− − η+ − δ↑(−∆_{n−1}). (2)

The sought fixed point ∆ of (2) resulting in an infinite pulse train is obtained by solving ∆ = f(∆), which yields

δ↓(∆ − η+ − δ↑(−∆)) = η− + η+ + δ↑(−∆). (3)

Applying the involution property to (3) results in ∆ − η+ − δ↑(−∆) = −δ↑(−η− − η+ − δ↑(−∆)) and further in

∆ + δ↑(−η− − η+ − δ↑(−∆)) = η+ + δ↑(−∆). (4)

Defining τ = η+ + δ↑(−∆), rewriting it to −δ↑(−∆) = η+ − τ and applying the involution property, we observe

∆ = δ↓(η+ − τ). (5)

Using (5) and (1) in (4) yields the fixed point equation stated in our lemma:

δ↓(η+ − τ) + δ↑(−η− − τ) = τ. (6)

Now assume that the smallest fixed point τ > 0 of (6), and hence ∆ of (2), exists. Then, in any infinite pulse train, any pulse ∆_{n−1} > ∆, n > , and/or any non-worst-case adversarial choice (also in the case ∆_{n−1} = ∆) leads to a subsequent pulse with ∆_n > ∆. As a consequence, ∆ is indeed an upper bound for the length of every such pulse.

We will proceed in our proof with establishing constraints on η−, η+ that guarantee the existence of a solution τ > 0 of (6). For this purpose, we introduce the function

h(τ) = δ↓(η+ − τ) + δ↑(−η− − τ) − τ (7)

and show that there are values τ < τ where h(τ) > 0 but h(τ) < 0. Since h(.) is continuous, this ensures the existence of τ < τ < τ with h(τ) = 0.

If we plug in τ = η+ + δ_min in (7), we find by recalling Lemma 1 that h(η+ + δ_min) = δ↑(−η+ − η− − δ_min) − η+. In order to guarantee that h(η+ + δ_min) > 0 we need δ↑(−η+ − η− − δ_min) > η+. Rewriting this using the involution property requires −δ↑(−η+ − η− − δ_min) < −δ↑(−δ↓(−η+)) and hence η+ + η− < δ↓(−η+) − δ_min as stated in constraint (C). Note that this implies η+ < δ_min, since η+ + η− ≥ 0.

For h(τ) < 0, we simply obtain −∞ from δ↓(η+ − τ) or δ↑(−η− − τ) by plugging in τ = min(−η− + δ↓∞, η+ + δ↑∞) in (7), noting that the involution property guarantees −∞ = δ↑(−δ↓∞) = δ↓(−δ↑∞). Since all other terms of h(.) are finite, the result is definitely < 0.

We still need to assure that the boundary interval for τ is not empty, i.e., that τ = η+ + δ_min < τ = min(−η− + δ↓∞, η+ + δ↑∞). This is trivially the case if τ = η+ + δ↑∞. If τ = δ↓∞ − η−, we need η+ + η− < δ↓∞ − δ_min, which is implied by constraint (C). Thus, putting everything together, we can indeed guarantee a solution τ of h(τ) = 0, which satisfies

0 < η+ + δ_min < τ < min(−η− + δ↓∞, η+ + δ↑∞) (8)

as stated in our lemma.

We can now determine the upper bound for ∆: Recalling the definition τ = η+ + δ↑(−∆), the lower bound on τ implies δ_min < τ − η+ = δ↑(−∆). Using the involution property, we can translate this to −δ↓(−δ_min) < −∆. Applying Lemma 1, we end up with

∆ < δ_min (9)

as asserted in this lemma.

Regarding the periods of our pulses, we recall that our adversary takes all rising transitions maximally late and all falling transitions maximally early to minimize the high-times of the generated pulse train. The period P_n = ∆_n + ∆′_{n+1} of the high-pulse ∆_n, measured from the rising transition of ∆_n to the rising transition of ∆_{n+1}, is P_n = δ↑(−∆_n) + η+_n, which is not difficult to see from the considerations leading to (2). Hence, P_n only depends on the up-time ∆_n and the adversarial choice η+_n ≤ η+. It follows that the adversarial choices used for generating our minimal up-time pulse train simultaneously maximize both the period (P = δ↑(−∆) + η+) and the down-time (P − ∆). As the adversary cannot further shrink the up-times of the pulses, it cannot further extend the down-times, without running into cancellations.

Formally, by the same argument as used for ∆, we find that no infinite pulse train can contain a pulse with a down-time strictly smaller than P − ∆, where P = P′ is the period of our infinite ∆ pulse train: analogously to P_n above, we find that the down-period P′_n = ∆′_n + ∆_n, measured between the falling transitions of ∆′_n and ∆′_{n+1}, evaluates to P′_n = δ↓(−∆′_n) − η−_n, which decreases with both ∆′_n and η−_n ≤ η−. If ∆′_n < P − ∆ ever occurred, this would lead to P′_n > P′ = δ↓(−P + ∆) − η−. Since obviously P′ = P, this implies ∆_n = P′_n − ∆′_n > ∆, which contradicts the previously established upper bound ∆_n ≤ ∆, however.

It hence only remains to evaluate P = δ↑(−∆) + η+ = τ, which completes the proof.

Lemma 6.
Consider the circuit in Fig. 5 subject to constraint (C). The duty cycle γ_n of any pulse ∆_n, n ≥ , in an infinite pulse train at the output of the OR-gate satisfies γ_n ≤ γ < 1.

Proof. According to Lemma 5, we have γ_n = ∆_n/P_n ≤ ∆/P = γ = ∆/(δ↑(−∆) + η+) < δ_min/(δ_min + η+) ≤ 1 for every n ≥ as asserted.

We remark that η+ > 0 allows strengthening constraint (C), which allows sharpening some inequalities in Lemma 5, namely, η+ + η− ≤ δ↓(−η+) − δ_min, ∆ ≤ δ_min, and η+ + δ_min ≤ τ, without violating γ < 1 established in Lemma 6.

The following lemma implies that if ∆ > ∆ for ∆ according to Lemma 5, then the sequence of generated output pulses ∆_n, n ≥ , will be strongly monotonically increasing. Consequently, we will only get a bounded number of pulses at the output of the OR gate, with a stabilization time in the order of log_a(1/(∆ − ∆)) with a = 1 + δ′↑(0) > 1.

Lemma 7.
For $f(\cdot)$ given in (2) with fixed point $\bar\Delta$, we have $f(\Delta_1) - \bar\Delta \ge (1 + \delta'_\uparrow(0)) \cdot (\Delta_1 - \bar\Delta)$ if $\Delta_1 > \bar\Delta$.

Proof. Differentiation of (2) provides

$$f'(\Delta_1) = \bigl(1 + \delta'_\uparrow(-\Delta_1)\bigr)\Bigl(1 + \delta'_\downarrow\bigl(\Delta_1 - \eta^+ - \delta_\uparrow(-\Delta_1)\bigr)\Bigr) \ge 1 + \delta'_\uparrow(0) \qquad (10)$$

because $\delta'_\uparrow(-\Delta_1) \ge \delta'_\uparrow(0)$ as $\Delta_1 > \bar\Delta > 0$ and $\delta'(T) > 0$ is decreasing for all $T$, since $\delta(\cdot)$ is concave and increasing by Lemma 1. The mean value theorem of calculus now implies the lemma.

The following lemma allows extending the validity of the statement of Lemma 7 from the first output pulse $\Delta_1$ to the initial input pulse $\Delta_0$.

Lemma 8.
There is a unique $\tilde\Delta_0$ such that every input pulse length $\Delta_0 \ge \tilde\Delta_0$ guarantees $\Delta_1 \ge \bar\Delta$ as given in Lemma 5. Moreover, $\Delta_1 - \bar\Delta \ge \bigl(1 + \delta'_\uparrow(0)\bigr) \cdot (\Delta_0 - \tilde\Delta_0)$ for $\Delta_0 > \tilde\Delta_0$, provided $\Delta_0 < \delta^\infty_\uparrow + \eta^+$.

Proof. For the first pulse under the same worst-case adversarial choice as in Lemma 5, the analogous considerations as in the proof of Lemma 4 reveal

$$\Delta_1 = \delta_\downarrow(\Delta_0 - \eta^+ - \delta^\infty_\uparrow) + \Delta_0 - \eta^- - \eta^+ - \delta^\infty_\uparrow.$$

Defining the auxiliary function $g(\Delta_0) = \delta_\downarrow(\Delta_0 - \eta^+ - \delta^\infty_\uparrow) + \Delta_0 - \eta^- - \eta^+ - \delta^\infty_\uparrow$, it is apparent that $\Delta_1 = g(\Delta_0)$. Now, as $\lim_{\Delta_0 \to \eta^+ + \delta^\infty_\uparrow - \delta_{\min}} g(\Delta_0) \le 0$ due to Lemma 1 and $\lim_{\Delta_0 \to \eta^- + \eta^+ + \delta^\infty_\uparrow} g(\Delta_0) = \delta_\downarrow(\eta^-)$, which is certainly (much) larger than $\bar\Delta$, cp. Lemma 5, there is indeed a unique $\tilde\Delta_0$ with $g(\tilde\Delta_0) = \bar\Delta$ with the desired properties. The Lipschitz property is obtained exactly as in the proof of Lemma 7, by differentiating $g(\Delta_0)$ and using $\Delta_0 < \delta^\infty_\uparrow + \eta^+$.

We summarize the consequences of the previous lemmas in the following theorem, which extends [5, Thm. 12] to the $\eta$-involution model:

Theorem 9.
Consider the circuit in Fig. 5 subject to constraint (C). The fed-back OR gate with a strictly causal $\eta$-involution channel has the following output when the input pulse has length $\Delta_0$:

• If $\Delta_0 \ge \delta^\infty_\uparrow + \eta^+$, then the output has a single rising transition at time 0.

• If $\Delta_0 \le \delta^\infty_\uparrow - \delta_{\min} - \eta^+ - \eta^-$, then the output only contains the input pulse.

• If $\delta^\infty_\uparrow - \delta_{\min} - \eta^+ - \eta^- < \Delta_0 < \delta^\infty_\uparrow + \eta^+$, then the output may resolve to constant 0 or 1, or may be an (infinite) pulse train, with $\Delta_n \le \bar\Delta$ and duty cycle $\gamma_n \le \gamma = \bar\Delta / (\delta_\uparrow(-\bar\Delta) + \eta^+) < 1$ for $n \ge 1$. If $\Delta_0 > \tilde\Delta_0$, the output resolves to 1 within a stabilization time in the order of $\log_a(1/(\Delta_0 - \tilde\Delta_0))$ with $a = 1 + \delta'_\uparrow(0) > 1$.

Proof. The statements of our theorem follow immediately from Lemmas 3, 5, and 4. Lemma 7 in conjunction with Lemma 8 reveals that the number of generated pulses is in the order of $\log_a(1/(\Delta_0 - \tilde\Delta_0))$ with $a = 1 + \delta'_\uparrow(0)$.

For dimensioning the high-threshold buffer, we can re-use Lemmas 13 and 14 from [5]:

Lemma 10 ([5, Lem. 13]). Let $C$ be an exp-channel with threshold $V_{th}$ and initial value 0, and let $0 \le \Gamma < V_{th}$. Then there exists some $\Theta > 0$ such that every finite or infinite pulse train with pulse lengths $\Theta_n \le \Theta$ and duty cycles $\Gamma_n \le \Gamma$ for all $n$ is mapped to the zero signal by $C$.

Lemma 11 ([5, Lem. 14]). Let $\Theta > 0$ and $0 \le \Gamma < 1$. Then, there exists an exp-channel $C$ such that every finite or infinite pulse train with pulse lengths $\Theta_n \le \Theta$ and duty cycles $\Gamma_n \le \Gamma$ for all $n$ is mapped to the zero signal by $C$.

By choosing
$\Gamma = \gamma(1 + \varepsilon) < 1$ for some $\varepsilon > 0$ sufficiently small and $\Theta$ so large that the feed-back loop in Figure 5 has already locked to constant 1 at time $T + \Theta$, where $T$ is the time when some pulse $\Delta_n$, $n \ge 1$, of the feed-back loop with duty cycle $\gamma(1 + \varepsilon)$ has started, we get the following: If the SPF input pulse length $\Delta_0$ and the adversarial choices are such that no $\Delta_n$ reaches duty cycle $\gamma(1 + \varepsilon)$, the output of the exp-channel is constant zero; otherwise, there is a single up-transition (occurring only after $T + \Theta$) at the output. Therefore:

Theorem 12.
There is a circuit that solves unbounded SPF.

Proof. If $\Delta_0 < \delta^\infty_\uparrow - \delta_{\min} - \eta^+ - \eta^-$, Theorem 9 ensures that the input of the high-threshold buffer is constant 0, and so is the output. If $\Delta_0 > \delta^\infty_\uparrow + \eta^+$, then the input of the high-threshold buffer experiences a single up-transition (at time 0), and so does the output (eventually).

For $\Delta_0$ in between, we distinguish two cases: (i) Suppose $\Delta_0$ and the adversarial choices are such that no $\Delta_n$ ever reaches duty cycle $\gamma(1 + \varepsilon)$. Then, the minimality of the period $P$ of the worst-case pulse train guaranteed by Lemma 5 implies that the input of the high-threshold buffer sees pulses with duration at most $\Theta$ and duty cycle at most $\Gamma$. Hence, Lemma 11 guarantees a zero output in this case.

For the other case (ii), which is guaranteed to happen when $\Delta_0 > \tilde\Delta_0$ (but may also occur for smaller values of $\Delta_0$ in the case of certain adversarial choices), there is some time $T$ where a 1-pulse $\Theta_n$ starts at the input of the ex-channel that will (along with its subsequent 0) have a duty cycle $\Gamma_n \ge \Gamma > \gamma$. Moreover, by time $T + \Theta$, the last input transition (to 1) has already occurred. Lemma 11 not only guarantees that all pulses occurring before $T$ cancel, but also the ones that occur before time $T + \Theta$: after all, even a single, long pulse $\Theta_n = \Theta$ would still be canceled. Therefore, since the input of the exp-channel is already stable at 1 at time $T + \Theta$, only this final rising transition will eventually appear at the output.

Fig. 6: Schematics of the ASIC used for validation measurements. It combines an inverter chain with analog high-speed sense amplifiers. (Block labels in the figure: input, inverter chain with outputs Q, on-chip sense amplifiers, load, and the connection to the real-time oscilloscope.)

V. SIMULATIONS
In this section, we complement the proof of faithfulness provided in the previous section with simulation experiments and measurement results, which confirm that our $\eta$-involution model indeed captures reality better than the original involution model [12]. Whereas more experiments, with different technologies and more complex circuits (including multi-input gates), would be needed to actually claim improved model coverage, our results are nevertheless encouraging.

We employ the same experimental setup as in [12], which uses UMC-90 nm and UMC-65 nm bulk CMOS 7-stage inverter chains as the primary targets. For UMC-65, we resorted to Spice simulations of a standard cell library implementation; for UMC-90, we relied on a custom ASIC [8]. The latter provides a 7-stage inverter chain built from 700 nm x 80 nm (W x L) pMOS and 360 nm x 80 nm nMOS transistors, with threshold voltages 0.29 V and 0.26 V, respectively, and a nominal supply voltage of $V_{DD} = 1$ V. As all inverter outputs are connected to on-chip low-intrusive high-speed analog sense amplifiers (gain 0.15, -3 dB cutoff frequency 8.5 GHz, input load equivalent to 3 inverter inputs), see Fig. 6, which can directly drive the 50 Ω input of a high-speed real-time oscilloscope, the ASIC facilitates the faithful analog recording of all signal waveforms. Independent power supplies and grounds for inverters and amplifiers also facilitate measurements with different digital supply voltages $V_{DD}$. For convenience, we provide the delay functions determined in [12] in Fig. 7 ($\delta_\downarrow$ for UMC-90, measurements).

Fig. 7: Measured $\delta_\downarrow$ (in ns, over $T$ in ns) for the UMC-90 inverter chain for six supply voltages $V_{DD}$, and simulated (dashed brown) $\delta_\downarrow$ for a single supply voltage below 1 V, taken from [12, Fig. 7].

In order to validate the $\eta$-involution model, we use the following general approach: Given simulated/measured output waveforms of a single inverter excited by input pulses of different width, we compare (i) the digital output obtained from the simulated/measured waveforms with (ii) the predictions for some given delay function. The difference between the transition times of the predicted and the real digital output is a measure of the modeling inaccuracy of the original involution model. If these differences can be compensated by suitable output shifts within $[-\eta^-, \eta^+]$, however, we can claim that the $\eta$-involution model matches the real behavior of the circuit for the given waveforms. Since faithfulness puts the severe constraint $\eta^+ + \eta^- < \delta_\downarrow(-\eta^+) - \delta_{\min}$ on $\eta^+$, $\eta^-$, recall Lemma 5, it is not clear under which conditions this claim indeed holds. In our evaluation, $\eta^+$ was first set to a suitable value ($\eta^+ > 0$) and afterwards $\eta^-$ was calculated according to $\eta^- = \delta_\downarrow(-\eta^+) - \delta_{\min} - \eta^+$. Clearly, this results in different $\eta$ bounds in each of the figures below.

The particular questions addressed in our experiments are the following: Is the allowed range for $\eta^+$ and $\eta^-$ sufficient for the $\eta$-involution model to capture: (a) The circuit behavior under variations of certain operating conditions. After all, circuit delays change with varying supply voltage and temperature, so the question remains to what extent the resulting fluctuations are covered by the $\eta$-involution model. (b) The circuit behavior under process variations. In general, circuit delays vary from manufactured chip to chip, so the question arises whether the $\eta$-involution model based on a "typical" delay function covers typical process variations. (c) The real behavior of our inverter chain with a (suitably parametrized) standard involution function, in particular for exp-channels. This would simplify model calibration, as it is typically easier to determine the exp-channel model parameters for a given circuit [2] than its entire delay function.

To investigate question (a), i.e., the robustness against voltage variations, we added a sine wave to the voltage supply source (nominally 1.0 V $= V_{DD}$) with a period similar to the full-range switching time of the inverter and a magnitude of a fixed percentage of $V_{DD}$. We applied pulses of differing width to the input of the inverter and recorded the output, where the phase of the sine wave was set for each pulse randomly between 0 and 360 degrees. In Fig. 8a, the deviation $D$ between the prediction and the actual crossing is shown over the previous-output-to-input delay $T$. Despite the stringent bounds on $\eta$, it is possible to fully cover the resulting delay variations for low $T$; for higher values, however, the $\eta$-involution model no longer applies. Note that the huge difference between $\delta_\downarrow$ and $\delta_\uparrow$ is easily explained by the fact that $\delta_\uparrow$ (a rising input transition) results in a falling transition at the output of the inverter. During this transition, the pMOS transistor connecting the output to the power supply is turned off more and more, which also reduces the impact of the supply voltage variations. (When varying the ground level instead, the reverse case is observed.)

To answer question (b), we chose to vary the transistor width, which increases/decreases the maximum current and allows us to model variations of resistance and capacitance as well. The simulations themselves were carried out in the same fashion as described in the last paragraph, except that $V_{DD} = 1.0$ V was kept constant. Fig. 8b shows the results for wider transistors, where the $\eta$-bound is even bigger than required. In contrast, the deviations for narrower ones (Fig. 8c) exceed the $\eta$-bound with increasing values of $T$. Unlike $V_{DD}$ variations, varying transistor sizes, as expected, either increases or decreases the delay. This can be seen very clearly in the figures, as one trace is well below and one well above $D = 0$.

For question (c), we tried to fit the parameters of the involution function (2) for exp-channels w.r.t. the measurement data published in [12] and evaluated the deviations $D$ between the resulting model predictions and the real digital output. Whereas the deviations over the whole range of $T$ exceed the feasible $\eta$-bounds, one can observe that even this very simple exp-channel only results in minor mispredictions near $T = 0$. As shown in Fig. 9, it again turns out that, when using the resulting involution function, excessive deviations occur (quite naturally) for large values of $T$ only.

We hence conclude that the $\eta$-involution model indeed improves the modeling accuracy of the original involution model, despite the fact that the allowed non-determinism, i.e., $\eta$, is quite restricted. Moreover, our simulation experiments indicate that the absolute deviations $|D|$ between model predictions and real traces increase with increasing previous-output-to-input delay $T$, making it possible to fully compensate $D$ via $\eta$ near $T = 0$. This is crucial, as our $\eta$-bounds result from proving faithfulness, which involves the range $T \in [-\delta_{\min}, 0]$ only. For larger $T$, $D$ grows bigger, but in this region it might be feasible to also increase the allowed non-determinism, as these values are almost irrelevant w.r.t. faithfulness.

VI. CONCLUSIONS AND FUTURE WORK
We proved the surprising fact that adding non-determinism to the delays of involution channels, the only delay model known so far that is faithful for the SPF problem, does not invalidate faithfulness. As confirmed by some simulation experiments and even measurements, noise, varying operating conditions and process parameter variations hence do not a priori rule out faithful continuous-time, binary-value models. Part of our future work will be devoted to further increasing the level of non-determinism sustained by our model, to the handling of more complex circuits, and to first steps towards incorporating the $\eta$-involution model in a suitable formal verification tool.
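The following worked example is added here and is not part of the paper. It instantiates the fed-back OR gate of Fig. 5 with a symmetric exp-channel $\eta$-involution, using the delay function $\delta(T) = \delta^\infty + t_c \ln\bigl(1 - e^{-(T + \delta^\infty)/t_c}\bigr)$, which satisfies $\delta(-\delta(T)) = -T$ and has $\delta_{\min} = \delta^\infty - t_c \ln 2$, and runs the recurrences $f$ (Lemma 7) and $g$ (Lemma 8) of Section IV under the worst-case adversary of Lemma 5. The values $\delta^\infty = 1$ ns, $t_c = 0.3$ ns (an RC time constant, not the paper's period $\tau$) and $\eta^+ = 0.05$ ns are assumptions; $\eta^-$ is then chosen strictly inside the constraint $\eta^+ + \eta^- < \delta_\downarrow(-\eta^+) - \delta_{\min}$. The code locates the fixed point $\bar\Delta$, the duty-cycle bound $\gamma$ and the threshold $\tilde\Delta_0$ numerically, and reproduces the three outcomes of Theorem 9 for concrete input pulse lengths $\Delta_0$.

```python
# Added worked example (not from the paper): the fed-back OR gate of Fig. 5 driven
# through a symmetric exp-channel eta-involution, under the worst-case adversary of
# Lemma 5 (rising output transitions maximally late, falling ones maximally early).
# All numeric parameters below are assumptions chosen for illustration only.
import math

D_INF = 1.0   # delta^inf: delay of a transition after a long idle time (assumed, ns)
TC = 0.3      # RC time constant of the exp-channel (assumed, ns); not the paper's tau
ETA_P = 0.05  # eta^+: maximal late shift of an output transition (assumed, ns)


def delta(T):
    """Symmetric exp-channel delay: D_INF + TC * ln(1 - exp(-(T + D_INF) / TC)).

    It satisfies delta(-delta(T)) == -T (involution) and is increasing and concave,
    as required by Lemma 1.  For T <= -D_INF the transition would be emitted
    infinitely early, i.e. it cancels with its predecessor; returning -inf makes
    the pulse it would delimit have length <= 0.
    """
    if T <= -D_INF:
        return -math.inf
    x = 1.0 - math.exp(-(T + D_INF) / TC)
    return D_INF + TC * math.log(x) if x > 0.0 else -math.inf


# delta_min solves T + delta(T) = 0 for T = -delta_min; here delta_min = D_INF - TC ln 2.
DELTA_MIN = D_INF - TC * math.log(2.0)
# eta^- chosen so that eta^+ + eta^- < delta(-eta^+) - delta_min holds strictly (the
# constraint recalled in Lemma 5); with equality the fixed point would sit at delta_min.
ETA_M = 0.8 * (delta(-ETA_P) - DELTA_MIN) - ETA_P


def next_pulse(d):
    """f(Delta_n): length of the following OR-output pulse, worst-case adversary.

    The rising edge of Delta_n sees offset T = -Delta_n (the previous output
    transition is the falling edge ending this very pulse) and is shifted late by
    eta^+; the falling edge sees T = Delta_n - (delta(-Delta_n) + eta^+) and is
    pulled early by eta^-.
    """
    rise = delta(-d) + ETA_P          # = P_n, the period of pulse n (Lemma 5)
    fall = d + delta(d - rise) - ETA_M
    return fall - rise


def first_pulse(d0):
    """g(Delta_0) of Lemma 8: input pulse of length d0 starting at time 0 on an idle
    channel, so its rising edge sees T = +inf and delay delta^inf."""
    rise = D_INF + ETA_P
    fall = d0 + delta(d0 - rise) - ETA_M
    return fall - rise


def duty_cycle(d):
    """gamma_n = Delta_n / P_n with P_n = delta(-Delta_n) + eta^+ (Lemma 6)."""
    return d / (delta(-d) + ETA_P)


def run(d0, max_pulses=10_000):
    """Simulate the OR output for an input pulse of length d0 > 0.

    Returns (outcome, pulses) with outcome '1' (output stays 1), '0' (stays 0) or
    'train' (still toggling after max_pulses); pulses lists Delta_1, Delta_2, ...
    """
    if d0 >= D_INF + ETA_P:           # feedback rises before the input falls: stuck at 1
        return '1', []
    pulses, d = [], first_pulse(d0)
    while len(pulses) < max_pulses:
        if d <= 0:                    # falling output overtakes the rising one: stays 0
            return '0', pulses
        pulses.append(d)
        if delta(-d) + ETA_P <= d:    # next rising edge overtakes this falling one: 1
            return '1', pulses
        d = next_pulse(d)
    return 'train', pulses


def bisect(h, lo, hi, iters=100):
    """Root of a strictly increasing function h on [lo, hi] with h(lo) < 0 < h(hi)."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if h(mid) < 0 else (lo, mid)
    return 0.5 * (lo + hi)


# Fixed point Delta-bar of f, i.e. the minimal infinite pulse train of Lemma 5, its duty
# cycle gamma (Lemma 6), and the input length Delta-tilde_0 of Lemma 8 above which the
# first output pulse already exceeds Delta-bar.
BAR_DELTA = bisect(lambda d: next_pulse(d) - d, 1e-6, DELTA_MIN)
GAMMA = duty_cycle(BAR_DELTA)
TILDE_DELTA0 = bisect(lambda d: first_pulse(d) - BAR_DELTA,
                      ETA_P + D_INF - DELTA_MIN, D_INF + ETA_P)

if __name__ == "__main__":
    print(f"delta_min={DELTA_MIN:.4f}  eta+={ETA_P}  eta-={ETA_M:.4f}")
    print(f"Delta-bar={BAR_DELTA:.4f} < delta_min,  gamma={GAMMA:.4f} < 1,  "
          f"Delta-tilde_0={TILDE_DELTA0:.4f}")
    for d0 in (0.05, TILDE_DELTA0 - 0.005, TILDE_DELTA0 + 0.005, 1.2):
        out, p = run(d0)
        print(f"Delta_0={d0:.4f}: output -> {out} after {len(p)} pulses "
              f"{[round(x, 3) for x in p]}")
```

Running the block prints $\delta_{\min}$, $\bar\Delta$, $\gamma$, $\tilde\Delta_0$ and the outcome for four input lengths: a pulse too short to pass the channel (output stays 0), one just below $\tilde\Delta_0$ (a strictly shrinking train that ends in 0, with every pulse at most $\bar\Delta$ and duty cycle at most $\gamma$), one just above $\tilde\Delta_0$ (a strictly growing train that locks to 1 after a few pulses), and one of at least $\delta^\infty + \eta^+$ (a single rising transition). The factor $1 + \delta'_\uparrow(0)$ of Lemma 7 is only a lower bound on the growth; with this channel the train leaves the neighbourhood of $\bar\Delta$ considerably faster. The high-threshold buffer of Lemmas 10 and 11 is not modelled here.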
Fig. 8: Deviation $D$ [ps] between predicted and actual $V_{TH}$ crossings over the previous-output-to-input delay $T$ [ps], for $\delta_\downarrow$ and $\delta_\uparrow$ together with the $\eta$ bound, under different variations: (a) power supply variations; (b) transistor width increase; (c) transistor width reduction.

Fig. 9: Fitting an exp-channel involution to measured data (deviation $D$ [ps] over $T$ for $\delta_\downarrow$ and $\delta_\uparrow$, with the $\eta$ bound).

REFERENCES

[1] José C. Barros and Brian W. Johnson. Equivalence of the arbiter, the synchronizer, the latch, and the inertial delay. IEEE Transactions on Computers, 32(7):603–614, 1983.
[2] M. J. Bellido-Díaz, J. Juan-Chico, A. J. Acosta, M. Valencia, and J. L. Huertas. Logical modelling of delay degradation effect in static CMOS gates. IEE Proceedings – Circuits, Devices, and Systems, 147(2):107–117, 2000.
[3] Manuel J. Bellido-Díaz, Jorge Juan-Chico, and Manuel Valencia. Logic-Timing Simulation and the Degradation Delay Model. Imperial College Press, London, 2006.
[4] C. E. Calosso and E. Rubiola. Phase noise and jitter in digital electronics. arXiv:1701.00094, 2016.
[5] Matthias Függer, Robert Najvirt, Thomas Nowak, and Ulrich Schmid. Faithful glitch propagation in binary circuit models. arXiv:1406.2544, 2014.
[6] Matthias Függer, Robert Najvirt, Thomas Nowak, and Ulrich Schmid. Towards binary circuit models that faithfully capture physical solvability. In Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, DATE '15, pages 1455–1460, San Jose, CA, USA, 2015. EDA Consortium.
[7] Matthias Függer, Thomas Nowak, and Ulrich Schmid. Unfaithful glitch propagation in existing binary circuit models. IEEE Transactions on Computers, 65(3):964–978, March 2016.
[8] Michael Hofbauer, Kurt Schweiger, Horst Dietrich, Horst Zimmermann, Kay-Obbe Voss, Bruno Merk, Ulrich Schmid, and Andreas Steininger. Pulse shape measurements by on-chip sense amplifiers of single event transients propagating through a 90 nm bulk CMOS inverter chain. IEEE Transactions on Nuclear Science, 59(6):2778–2784, December 2012.
[9] Synopsys Inc. CCS timing library characterization guidelines, October 2016. Version 3.4.
[10] Leonard R. Marino. The effect of asynchronous inputs on sequential network reliability. IEEE Transactions on Computers, 26(11):1082–1090, 1977.
[11] Leonard R. Marino. General theory of metastable operation. IEEE Transactions on Computers, 30(2):107–115, 1981.
[12] Robert Najvirt, Ulrich Schmid, Michael Hofbauer, Matthias Függer, Thomas Nowak, and Kurt Schweiger. Experimental validation of a faithful binary circuit model. In Proceedings of the 25th Edition on Great Lakes Symposium on VLSI, GLSVLSI '15, pages 355–360, New York, NY, USA, 2015. ACM.
[13] Cadence Design Systems. Effective current source model (ECSM) timing and power specification, January 2015. Version 2.1.2.
[14] Stephen H. Unger. Asynchronous sequential switching circuits with unrestricted input changes.