Formal Verification of Hardware Components in Critical Systems

,


Introduction
Hardware, software, and communication networks altogether make systems operating in the cyberspace such as Unmanned Aerial Vehicles (UAVs). UAVs operating in an uncertain, potentially hazardous, remote, and dynamic environment are extremely important but challenging to be reliable, robust, and secure. ese flying vehicles are currently being used in mission-critical [1], industry-oriented [2], and Internet of ings (IoT) [3] applications, to name a few. To meet the high standards of safety and reliability of UAV-based mission-critical [1] or IoT [2,3] applications, the UAVs in such systems must be studied and analysed using rigorous and formal techniques. Failure or unauthentic use of software and hardware systems of air vehicles can lead to human losses [4,5] and strategic losses [6,7]. UAV-based human environment can be manipulated and controlled by a remote attacker using attacks such as sensor input spoofing attack [8]. Military UAVs have been and are currently the favourite target of attackers to gain cyber power [9], which has recently led towards a drone war [10].
To design fault-tolerant and secure air vehicles, conventional design and testing methods must be augmented with more robust and reliable tools and techniques called formal methods [11]. Formal methods have been successfully used to verify collision avoidance between UAVs [12], certify UAVs within civil airspace [13], and design resilient UAV systems [14]. As the security and reliability of UAVs depend upon the security and reliability of individual components, their correctness must be ensured in the design phase. In addition to UAVs, the formal framework presented in this paper is equally applicable to any other computer system such as sensor networks [15][16][17] and hardware components, such as flash memory, of such systems [18]. In this paper, we address the formal specification and verification of hardware (logic) components, such as memory units and adders, designed at the logic gates level using Boolean algebra. is makes our formal model extremely important in the domain of critical system design in general and in UAVs in particular.
Boolean algebra [19] is the basic logic tool for the analysis and synthesis of (models of) logic circuits. is connection between Boolean algebra and logic circuits was established by Claude Shannon [20]. While different computer tools [21][22][23][24][25] and mathematical techniques [26,27] are available to manipulate logic circuits modelled as Boolean functions, it must be ensured that such tools and techniques do not alter the intended interpretation (behaviour) of these circuits. To verify that the behaviour of the digital circuit (modelled as Boolean function) after the analysis is symmetric to the original behaviour, the Boolean function before the mathematical manipulation must be proven to be functionally symmetric to the function after the manipulation. is property of digital circuits is often referred to as functional equivalence [28]. Common examples of manipulation are mathematical manipulation [29], Karnaugh map [26], and tabulation method [27] used for the Boolean functions.
Boolean algebra is one of the most widely used mathematical techniques to model and analyse logic circuits. In the electronic design flow, the initial circuit design is often described at system level in high-level languages (e.g., MATLAB and C) and translated to register-transfer logic (RTL) representation in a description language (e.g., Verilog and VHDL) using high-level synthesis (hardware compilers) tools. e RTL representation of the circuit is transformed to gate-level representation (often as Boolean functions) using logic synthesis tools, which is finally fabricated to produce physical layout of the circuit. e gate-level representation described as Boolean functions is commonly used in techniques and frameworks [30][31][32][33] and in classrooms for the design and analysis of simple logic circuits [29].

Research Challenges.
Boolean functions or logic circuits described as Boolean functions are normally manipulated through the error-prone pen-and-paper method using the basic theorems and postulates of Boolean algebra. To the best of our knowledge, neither the algebra nor the mathematical manipulation process has been formally defined in an interactive theorem prover and hence their correctness cannot be checked mechanically.
ere is no guarantee that the principle of duality indeed holds, the mathematical manipulation carried out is correct, or the logic circuits (described as Boolean functions) optimized for size, efficiency, and cost-effectiveness using K-map [26] or tabulation [24] methods are behaviourally symmetric.

Solution
Overview. In order to formally reason about Boolean algebra and verify the correctness of digital components described at gate level as Boolean functions, we define a formal model of the Boolean algebra using the calculus of construction in theorem prover Coq. e formal model of Boolean algebra defined enables one to define and prove all the basic theorems as well as the principle of duality. We extend our formal model of the Boolean algebra to represent combinational circuits. To assess the efficacy of our formal model, the proof facility of Coq is used to carry out proof of correctness of gate-level combinational circuits and reason about Boolean algebra. Among other numerous advantages (Section 2) of computer-aided verification using interactive theorem prover are the following: (a) all the formal definitions and proofs can be defined in the computer, and (b) the correctness of the proofs can be automatically checked by the computer [34]. e formal approach for checking correctness of Boolean functions and digital circuits is described in Figure 1. Formal models of the digital circuit under verification and the properties of interest as theorems are fed into an ITP engine (Coq system, in our case) and a formal proof that the (model of the) circuit holds the properties is carried out interactively. A proof engineer guides the tool by providing it proof commands, which becomes part of the proof script if accepted by the tool. e correctness of the proof script is automatically checked using the tool. e formal verification in Coq using the proposed formal model is demonstrated in Section 6 by proving equivalence, reversibility, and type safety properties of multiple circuits. In this context, the major contributions of this paper are the following: (i) A computer-based mathematical model for describing and reasoning about Boolean functions and gate-level combinational circuits is defined. Our formal model is novel as it enables, in addition to Boolean algebra and basic theorems, defining the principle of duality and logic circuits in a computerbased theorem prover. Furthermore, the model together with the basic theorems allows one to mechanize the mathematical manipulation process, which can be checked correctly using computer. (ii) Formal proofs of the principle of duality and basic theorems of Boolean algebra are carried out. In the literature, there is no computer-based proof of validity of the principle of duality and proof of basic theorems listed in most popular books such as [29,36]. (iii) Formal proofs of equivalence and reversibility of multiple combinational circuits are carried out. To reduce the propagation delay in a multibit adder, a look-ahead carry generator circuit is added using a step-by-step process; however, there is no proof that it does not alter the intended behaviour of the adder. We formally prove that the look-ahead carry generator preserves the functional behaviour of the adder.
(iv) e performance of the Coq theorem prover over our model is evaluated. e rest of the paper is organized as follows. In the next section, the significance of interactive theorem proving is highlighted. e tool Coq theorem prover and Boolean 2 Wireless Communications and Mobile Computing algebra are introduced in Section 3. e formal model based on Boolean algebra is defined in theorem prover in Section 4. Boolean algebra and logic circuits are reasoned about in Sections 5 and 6, respectively. Our formal model is evaluated and results are discussed in Section 7. A critical review of the related work is given in Section 8 and Section 9 concludes the paper. All the Coq source codes are available from our GitHub repository at https://www.github.com/wilstef/ booleanalgebra.

Why Interactive Proof Assistant?
A common approach to check the two circuits (represented as Boolean functions) for functional equivalence is to extensively simulate them against many inputs and compare the results. Simulation-based testing is the most popular approach in industry because it is easy to use; however, it fails to ensure absence of faults in the system. Furthermore, simulating systems with large inputs are not computationally feasible; for instance, simulating a 256 bit memory chip would require testing it for 2 256 possible inputs. Another approach to check correctness of the digital circuits in general, or equivalence checking in particular, is to use formal methods based on computer-based mathematical tools and techniques. e prevailing advantages of formal tools and techniques are that they are rigorous and computer-aided and can be used to formally prove properties for all the possible inputs. Moreover, formal methods based techniques can be used to ensure the absence of faults in the system. According to a recent survey [35], most of the formal verification methods and tools are based on model checking and automated theorem provers that are restricted by wellknown state and memory explosion [37,38] problems. Formal verification using model checking is popular in industry [39,40] and well-studied domain by the research community [40][41][42]; however, the focus of this paper is on interactive theorem proving (ITP) [43][44][45] approach. In the ITP-based formal approach, a proof engineer guides a computer-based proof assistant, such as Coq and Isabelle/ HOL [45], by providing proof commands during the proof process. e ITP-based formal verification, also referred to as semiautomatic approach, combines the strengths of manual and automated proofs.
is semiautomatic ITP approach requires expertise and skills; however, it has been used in the past for investigating large case studies [46]. In automated theorem proving, it is hard to get insights when a proof attempt fails, while ITP forces the designer to pay attention to even the minor details. is results in understanding the system under study more precisely. e conventional mathematical proofs on pen and paper (informal) are error-prone and difficult to manage large and complex proofs. Computer-aided verification, on the other hand, is an effective, efficient, and rigorous way of formal specification and verification. Automated theorem provers are widely used in industry as they automatically create proofs without requiring human effort; however, they face problems such as state explosion [37,38]. Human-assisted theorem provers, on the other hand, require human support to carry out mathematical proofs. A proof engineer guides the theorem prover by providing proof commands and interactively creating proofs. Coq is one such popular interactive proof assistant considered for defining our formal framework.
Mathematical proofs carried out in a human-assisted theorem prover are more organized because of the following reasons: (i) in mechanized theorem prover (such as Coq), the proofs can be divided into modules (to make proof handling easy); (ii) lemmas/theorems already proven can be easily invoked and applied; (iii) the Coq Language of Tactics (Ltac) can be used to combine complex set of proof commands (tactics) in a single tactic; (iv) the proofs can be read and checked by the computer using a proof checker; (v) a new proof can be opened inside an existing unfinished proof; (vi) large proof scripts can be checked for unproved lemmas just by using a single Coq command; and so on. In summary, the proofs in proof assistants such as Coq are more organized as compared to pen-and-paper proof methods and the correctness of the proof scripts can be checked by the computer.

Background
To mathematically prove the properties of Boolean algebra and verify correctness of digital circuits using computer, the algebra must be defined in the logic of a mechanical (computer-readable) proof assistant such as Coq. Such a formal definition of Boolean algebra is given in Section 4. To understand the formal definition, the Boolean algebra and the formal tool Coq used are introduced in this section. For an in-depth understanding of circuit modelling using Boolean algebra and Coq theorem prover, the readers are recommended to refer to books [29,47], respectively. [44] is an interactive theorem prover based on the calculus of inductive construction. It is available with a language of specification called Gallina, a type checker and a proof checker. e language, type checker and proof checker are used for creating formal specifications of the systems under test, checking the specifications for type errors, creating and checking formal proofs, respectively. To understand formalizing and proving systems using interactive theorem prover, we define a simple system of numbers using the proof assistant Coq and then give reasoning about the system. We begin with formally defining numbers inductively as data type Nat using the Coq keyword Inductive with two constructors for generating elements of the type Nat (lines 1-3, Listing 1). e definition Nat in this listing states that O (for 0) is Nat and if n is Nat, Succ n is also Nat. e first constructor has no argument and simply states that O is a member of type Nat. e second constructor Succ has one argument of type Nat which states that S followed by a Nat (the Nat on left of the arrow) is also a Nat (the Nat on right of the arrow). e term Succ (Succ (Succ O)), for example, is a Nat that corresponds to number 3.

Coq Proof Assistant. Coq
To operate on numbers, we define a recursive function Add (lines 5-9) to add values of type Nat. e function returns the second argument m if the first argument is O; otherwise, it returns Succ (Add n′ m). A lemma Add_N_O, where Add n O � n holds for any value of n, is stated and proven in Listing 1 (lines [11][12][13][14][15][16][17][18]. e proof of this lemma has been carried out by applying induction on the construction of the first argument n. While carrying out the proof, the Coq tool was interactively guided by giving proof commands called tactics (lines [13][14][15][16][17]. Many other properties of the Add function, such as commutative and associative properties, may also be stated and proven mechanically using the Coq proof assistant.

Boolean Algebra.
According to George Boole [19], Boolean algebra is an algebraic structure with a set of values, two binary operations "+" and "." over the values in the set and proof of Huntington [48] postulates. Later on, Shannon [20] introduced a two-valued version of the algebra to represent properties of the switching circuits. In a twovalued algebra, the set of values include elements 1 and 0 and the two binary operations are conjunction (logical AND) and disjunction (logical OR). In addition, there is a unary operation called negation or complement (NOT).
Using Boolean functions in the two-valued Boolean algebra, logic circuits can be modelled. e function F � x · y models a logic circuit where the AND gate represents the product operation and the NOT gate represents the complement operation. When logic circuits are represented with functions, they can be manipulated and reasoned about using tools and techniques developed for Boolean algebra. For example, the algebraic manipulation steps using postulates can be written down in and checked using Coq tool (see Section 5).
Shannon's two-valued version of the Boolean algebra is defined in Coq theorem prover as described in Listing 2 [47]. e first part of Boolean algebra, a set of two elements, is represented with Coq type bool defined using the Coq keyword Inductive as shown in Listing 2 (line 1). e two values of the Boolean algebra defined are true and false. e second part of Boolean algebra is to define two binary operations over the values of the Boolean type bool.
e rules for the first operation + (sum) are defined as function sum on lines 3-7 in Listing 2. Using pattern matching, the function sum gets two values of type bool and returns value false if both input values are false; otherwise, it returns true.
e rules for the second binary operation . (product) are defined in function prod (lines 9-13, Listing 2). is function returns true only if the two input values are true; otherwise, it returns false. A unary operation. complement on elements of Boolean set is defined in the function not on lines 15-19 in the listing. Given one value as the input, not returns the other value. Among these operations, the operation ¬ has the highest and + has the lowest precedence.

Formalizing Logic Circuits and Boolean Algebra
e Boolean algebra defined in Section 3 is extended and tailored towards combinational circuit definitions. To begin with, the set of notations in Listing 3 is extended with symbol ⊕ (Listing 4) for xor operation with same precedence as. (operation prod). e formal definitions of logic operations sum, prod, xor, and not model the basic logic components OR, AND, XOR, and NOT gates, respectively. After formally modelling these basic logic components, they are combined together to form combinational circuits. A combinational circuit is defined as a list of Boolean (functions) values (Listing 5).
e list "F 1 x y::F 2 x y::nil" represents a combinational circuit with two inputs x and y and two outputs defined as two Boolean functions. To evaluate each Boolean function in the list to a Boolean value, an evaluation function eval_cir is defined in Listing 6. e function takes a combinational circuit as list of Boolean functions and returns a list of Boolean values (Listing 7). e final requirement of Boolean algebra is to formalize the six Huntington postulates [29,48] and prove the set of all basic theorems. Formal definitions of Huntington postulates are included in the Coq script available from our repository. Furthermore, the formal definitions of operation sum, prod, and not are sufficient to reason about Huntington postulates and all the basic theorems except principle of duality (discussed in Section 5). As the derivation in principle of duality requires operating on the Boolean expressions, the principle cannot be defined in the current setting. e existing definitions of expressions do not differentiate between variables and values (identity elements), which is the basic requirement of operation in the duality. To do this, a type exp for Boolean expressions is defined as shown in Listing 8. e first three constructors (line 2-4) correspond to the three logical operations sum, prod, and not, respectively. e last constructor converts a Boolean term, variable, or value to an expression.
All the postulates and basic theorems, except the closure, involution, and consensus, have two parts: one part is for the operation + (sum) and the other is for . (prod). According to the principle of duality, one part of the postulate/theorem can be derived from the other if the operators and the identity elements are interchanged. e duality principle is significant in proving the theorems using postulates and in algebraic manipulation. In particular, when the proof of one part of a theorem is given, the other can easily be carried out following the principle of (1) Notation "x ⊕ y" :� (x * ¬y + ¬x * y) duality. e derivation carried out this way is believed to be valid according to the principle of duality in literature and textbooks [29]; however, no formal proof has been provided. We bridge this gap by providing a formal proof of duality principle. A function changeident (Listing 9) is defined to interchange identity elements in the Boolean expression. It gets an expression and swaps the identity elements true and false and leaves the operators and variables unchanged. e keyword Fixpoint is used to define recursive functions. Another operation for interchanging operators is defined as a recursive function changeop in Listing 10. Similarly, the function changeop gets an expression and swaps the operators sum and prod.

Formal Proofs of Boolean Algebra
e formal definitions in Section 4 enable one to formally reason about both Boolean algebra and combinational circuits described as Boolean functions. is section contains proof of duality principle and demonstrates with examples that our formal setting mechanizes the informal algebraic manipulation used in textbooks on Digital Logic Design. Furthermore, all the basic theorems and postulates have been defined and proven in Coq and given in the Coq script available from our repository.

Principle of Duality.
e duality principle states that expressions derived from postulates by interchanging the operators (+ and .) and identity elements (0 and 1) are valid. After defining the interchange operations over the Boolean expressions, the duality principle can now be stated as a lemma as shown in Listing 11. e lemma states that if a part of theorem holds (two arbitrary expressions are equal), then it implies that the second part of the theorem can be derived by changing the identity elements and operators. To check that the duality property can be used in proofs, given the first part of commutative property (x + y � y + x), the second part of commutative property (x · y � y · x) is proven (Listing 12) by applying the duality property.

Mechanizing Algebraic Manipulation.
To get simplified logic circuit, the number of literals and terms must be reduced in the description of the circuit. e algebraic manipulation method is one of the most popular methods used in textbooks [29] for this purpose. is kind of manipulation is informal and hence is error prone. e formal structure including the postulates and basic theorems defined in previous sections can be applied, as in the informal algebraic manipulation, using Coq proof assistant. e main advantage of mechanizing algebraic manipulation in proof assistant is that proof scripts can be mechanically read, checked, and maintained.
To demonstrate that our formal framework is fit for mechanically checking correctness of algebraic manipulation, proof of the theorem absorption_sum has been listed in Listing 13. is proof is carried out by applying (using the rewrite tactic) the postulates and theorems.
is proof (1) Definition F(x y: bool) : circuit :� ¬x * ¬y::nil.  Wireless Communications and Mobile Computing script is a mechanized version of the informal proof of eorem 6 (a) in the textbook [29]. Proof of the second part abroption_prod of the same theorem is believed to hold by the duality principle. is principle has been proven to hold in the above section. Every postulate or basic theorem has two parts, where one is the dual of the other. is is interesting to show that, given stepby-step proof of one theorem, proof of the other (dual) part can be carried out by applying the dual of postulate/theorem applied at the corresponding step. e proof of the theorem abroption_prod (dual of theorem absorption_sum) has been listed in Listing 14. e postulates/theorems applied on lines 5-9 in both proofs are the dual of each other.

Describing and Verifying Combinational Circuits
UAVs or drones are like flying computers with Linux or Windows operating system, flight controllers, main boards, memory units, and thousands of lines of programmable code. Formal methods, and in particular our framework, can be applied to the analysis of UAVs in different ways. As mentioned, it is a complex computer system, and hence formal techniques can be used to verify the operating system, protocols, logic components, memory units, and any algorithm used in the UAV system. As arithmetic and logic components (e.g., adder and comparator) and memory (e.g., ROM) are the main components of any typical computer (including UAVs), we apply our formal framework to analyse a memory and an adder circuit. In this section, functional equivalence and reversibility properties of few combinational circuits are proven. Furthermore, it is also proven that all the described circuits hold the basic reliability property called type-safety. (1) Lemma du ality_check: ∀ x y, (2) sumexp (bexp x) (bexp y) � sumexp (bexp y) (bexp x) ⟶ (3) prodexp (bexp x) (bexp y) � prodexp (bexp y) (bexp x).
LISTING 12: Example of proof using the duality property.
(3) intros. (4) pattern x at 1. e formal model of the combinational circuit in Listing 16 has been simplified following the well-known simplification method K-map to circuit in Listing 18; however, it is not guaranteed that the circuits are functionally equivalent. In other words, there is no mathematical guarantee that the K-map simplification process has not altered the original behaviour of the circuit. e initial design built from the truth table specification serves as the "golden" or "reference" design. To prove the simplified circuit is functionally equivalent to the "golden" design, the individual functions are proven to be equivalent in eorem 1 (this theorem corresponds to a set of eight lemmas equiv_OO′ 0-equi-v_OO′ 7 in Coq script.). Functional equivalence of the two circuits is checked in eorem 2. e theorem states that the circuit before simplification is equivalent to the circuit after simplification, which guarantees that the simplification process preserves the functionality. Proof: is theorem is proven using case analysis on the Boolean variables used. e Coq proof of this theorem is listed at our GitHub repository at https://github.com/ wilstef/booleanalgebra. eorem 2 (Functional Equivalence of Circuits): e combinational circuit C described in Listing 16 and its simplified version C s in Listing 18 are functionally equivalent. More formally, C ≈ C s , where C s � S Kmap (C) and S Kmap is K-map simplification operation.
Proof: is theorem is proven by applying (rewriting) the eight lemmas already proven in eorem 1. e Coq proof of this theorem is listed at our GitHub repository at https://github.com/wilstef/booleanalgebra.

Verifying Equivalence of Combinational Circuits.
Arithmetic component, such as adder, is an integral part of the arithmetic and logic unit (processor) of any microprocessor-based system. To design energy-efficient and fast components, their design description (normally in a description language) is often transformed and mathematically manipulated. However, it must be ensured that such transformations do not alter the intended behaviour of these components. is surety is even more necessary when the (1) Lemma abroption_prod: ∀ x y, x * (x + y) � x.
(2) Proof. (3) intros. (4) pattern x at 1. (5) rewrite ⟵ pos_identity_sum. (6) rewrite ⟵ pos_dist_over_prod. (7) rewrite ⟵ pos_comm_prod. (8) rewrite identity_prod_0 with (x :� y). (9) rewrite pos_identity_sum. (10) auto. (11) Qed. LISTING 14: Proof of absorption law (product).  To demonstrate that our formal definitions can also be used to prove functional equivalence of two combinational circuits, we describe two versions of a Binary Coded Decimal (BCD) adder ( Figure 2) in Coq. Such a BCD adder has been designed and described in the popular textbook [29] on the subject Digital Logic Design; however, no formal proof of equivalence has been provided. A BCD adder adds two decimal digits and their sum results as a BCD number. A 4-bit BCD adder may be designed using two 4-bit binary parallel adders as shown in Figure 2 (right). e conventional 4-bit binary adder, comprised of four full adders, is a serial adder that adds two 4-bit binary numbers in serial fashion. Each full adder gets two bits (the augend and addend bits) and an input carry bit and gives a sum bit and an output carry bit. e output carry of one full adder is given as input carry to the next one and the input carry of the first (right most) adder is set to logic 0. e output carry of the last adder is the output carry of the 4-bit binary adder. e initial carry, given as input to the first adder, propagates to the last adder, which results in a propagation delay. To avoid this propagation delay in the binary adder, a look-ahead carry generator [29] is used to predict the input carries.
e look-ahead carry generator is a small-scale integrated circuit added in front of the 4-bit adder to make it fast. e transformation avoids propagation delay; however, no formal proof that the functional properties of the adder are preserved is provided. In this section, we formally prove that two implementations of the BCD adder (Figure 2), one with and the other without look-ahead carry generator circuit, are functionally equivalent.
First, we design a BCD adder using binary adders without look-ahead carry generator. e 4-bit parallel full adder FA4bit is defined as a function in Listing 19. It applies the full-adder function fa to the 4-bit pairs of the two 4-bit numbers and input carry (inputs D-A, d-a and e), and returns a 5 bit tuple. e first bit in the tuple is the final carry and the next four bits are the sum bits. e binary adder FA4bit is used to implement the BCD adder as shown in Listing 20. e let-expressions on lines 2, 3, and 4 calculate the result of the first binary adder, output carry, and second binary adder, respectively. e additional circuitry between the two binary adders is needed to generate the output carry of the BCD adder and to adjust the sum of the first binary adder to BCD sum.
To generate a BCD adder with look-ahead carry generator, we must first design binary parallel adder with look-ahead carry generator. Formal definition of a 4-bit binary parallel adder has been listed in Listing 21. e definitions C2-C5 (lines 1-7) calculate the four output carries of the four full adders in the binary adder. Unlike the adder FA4bit, every internal output carry is independent of the output carry of the previous full adder. is allows every full adder to produce output sum simultaneously without waiting for the output carry from the previous adder. e definitions S1-S4  Figure 2: Block diagrams of two versions of a BCD adder. e BCD adder on the left is with look-ahead carry generator and the one on the right is without look-ahead carry generator [29]. calculate the four sum bits in terms of the look-ahead carry bits C2-C5 and initial carry e. Finally, the 4-bit binary parallel adder with look-ahead carry generator is defined as a function FA4bitLA (lines [17][18][19][20]. As in BCDadder, two instances of binary parallel adder FA4bitLA are combined together with the additional circuitry for output carry to form a BCD adder. e formal definition of 4-bit BCD adder with look-ahead carry generator has been shown in Listing 22. Readers are advised to refer to books [29,36] for further details about BCD adder and look-ahead carry generator. e formal definitions BCDadderLA and BCDadder model 4-bit BCD adders with and without look-ahead carries, respectively. eir functional equivalence is stated in theorem check_equiv_BCD_adder in Listing 23. e theorem states that both adders produce equal outputs for all equal inputs. is theorem is proven using case analysis on the input variables. e formal proof of eorem check_equiv_BCD_adder demonstrates that our framework can effectively be used to check equivalence of combinational circuits other than memory circuits.

Proof of Reversibility Property.
To demonstrate that our formal framework can also be used to verify properties other than equivalence, we formally verify reversibility of a simple circuit description. To this end, we prove that the circuit Circuit defined in Listing 24 is reversible. e theorem reversible_circuit states that, for all different (2-bit) inputs, the outputs are different. Additionally, this theorem also states that the numbers of inputs and outputs are the same. In this theorem, the lists [w; x] and [y; z] on line 4 in Listing 24 model the inputs.

Evaluation and Discussion
Automated tools, such as model checkers, sometimes stuck due to memory or state explosion problems [38] and never return. To evaluate the performance of Coq tool running over our framework, we tested the Coq proof checker to check proof scripts of functional equivalence of Boolean functions with multiple Boolean variables. e results in Figure 3 show that the Coq proof checker takes around 12 seconds to check proof scripts for functional equivalence with functions up to 45 variables (over a billion input cases). e formal model developed in Coq provides a formal foundation for defining and reasoning about Boolean functions and logic circuits using the calculus of constructions behind the Coq theorem prover. e following is a list of the major advantages of our formal model: (i) Boolean function definitions or models of logic circuits can be automatically checked (for type errors) by the Coq type checker. (ii) e correctness of the mathematical manipulation used in the analysis of Boolean functions can be checked automatically. (iii) Properties, such as principle of duality, functional equivalence, and reversibility, of Boolean algebra and (models of ) logic circuits can be proven interactively using the Coq theorem prover. (iv) All the proofs carried out can be mechanically checked by the Coq proof checker using computer.
Formal verification using proof assistant is very tedious and requires expertise; however, many researchers have recently used proof assistants to build formal languages and frameworks for hardware verification [49][50][51][52][53]. Proof assistants include benefits of both manual and automated theorem provers and are more powerful and expressive [50]. Our framework allows defining Boolean functions and combinational circuits in a natural style similar to that used in many popular textbooks [29,36] and most of the proofs can be carried out easily by applying Coq's destruct tactic.

Related Work
e most common approach to reliable digital circuit design is to test designs using simulators such as VCS [54] and Icarus [55] by providing all possible inputs. While simulation-based verification can show presence of errors, it fails to guarantee their absence [56]. Approaches based on formal verification [57], such as model checking [32,58,59] and theorem proving [49,52,53,60,61], are more popular in the literature. Readers are recommended to refer to [62] for a detailed comparison of simulation and formal methodbased approaches. Tools based on model checking can be used to check equivalence of two functions (models); however, they are constrained by the popular state explosion [37,38] problem. ere is a body of research works in the literature on formal verification of software systems [63][64][65]; however, literature review of hardware verification and simulation tools for checking Boolean functions equivalence is included in this section.

Formal Hardware Verification.
As mentioned earlier, tools and techniques based on formal methods can be used to prove absence of faults in hardware components. Osman et al. [51] defined a formal framework in the higher-order logic of HOL theorem prover for proving reliability property of combinational circuits. While their work is mainly tailored towards checking reliability property, our framework facilitates functional equivalence checking in a stronger and expressive logic calculus of inductive constructions of Coq theorem prover [50]. Kabat et al. [66] advocate the use of automated theorem provers for the synthesis of combinational logic. ey used demodulation as the rewriting logic to simplify canonical circuit structures. Automated theorem provers are more popular in industry; however, they are not as powerful and expressive as proof assistants. Proof assistants, on the other hand, combine the benefits of automated and manual theorem provers and are currently investigated and encouraged for hardware verification [50,51]. e work in [50] highlights the effectiveness and power of interactive theorem prover Coq in hardware verification which further supports our framework embedded in Coq for logic circuit verification. While their work is more focused towards synthesis based on Coq's code extraction feature, our work embeds Boolean algebra as a gate-level description language for circuit's description. Our gate-level description language provides a general framework for describing combinational circuits. Furthermore, we build metatheory for expressing and proving duality principle and carry out proofs of basic theorems of Boolean algebra.
Meredith et al. [67] defined executable semantics for Verilog by embedding it in the tool Maude [68] with rewriting logic as the underlying logic. Inspired from [67], Wilayat et al. [49,69] introduced a formal language, VeriFormal: a hardware description language with mathematical foundation. VeriFormal is a formal replica of description language Verilog deeply embedded in Isabelle/HOL theorem prover. VeriFormal and the formal simulator available with it were used later to prove functional equivalence of multiple logic circuits [70]. Braibant et al. [71] defined Fe-Si by deeply embedding the simplified version of functional hardware description language Bluespec in theorem prover Coq. Building upon the concepts behind proof-carrying code, Love et al. [72] implemented a framework by formalizing a synthesizable subset of Verilog in proof assistant Coq. Some researchers [52,60] targeted programmable logic controllers by formalizing the semantics of the programming languages used in the controllers, while others specified circuits as operations on bit-vectors. Coquet [53] is a high-level specification of circuits using deep embedding; however, this level of abstraction is achieved through advanced types, such as parametric types, which makes the formal definitions of circuits short but with increased complexity. All these research contributions add formal verification at higher level of abstraction, while our work analyses the circuits at gate level. Formal verification at higher levels, such as register-transfer level, is equally important but the main focus of this paper is to target circuits at gate level. Furthermore, in addition to reasoning about digital circuits, our Coq framework can effectively be used to reason about Boolean algebra as well.

Boolean Equivalence Checking Tools.
ere are a number of other tools developed specifically for Boolean functions manipulation. Ronjom et al. [23] developed an online database of Boolean functions. eir tool can be used to check different properties of a Boolean function and convert between different representations.
e WolframAlpha computational engine [21] translates logical function as input to a truth table and different minimal forms. Moreover, the tool generates a Venn diagram and logic circuit for the input function. e WolframAlpha engine has been included as Boolean algebra calculator by the company TutorVista. Another tool [22] was developed to minimize Boolean functions using Karnaugh maps [26]. e function can be entered as a sequence of notations or as a truth table (up to six variables).
Among the most recent tools is 32x8 [25] which has been built for logic circuit simplification. It accepts a function (up to eight variables) in the form of a truth table and returns a Karnaugh map, Boolean function (as sum of product or product of sums), truth table, and logic circuit for the input. Lean and Marxel developed a solver, QMSolver [24], based on Quine-McCluskey algorithm for simplification of Boolean functions.
e solver gets number of minterm indices (separated by spaces) and returns a simplified function. All these tools manipulate circuits at gate level; however, none of them have formal foundation and hence the manipulation of circuit designs cannot be proven correct.

Conclusions
When (model of) a logic circuit is transformed or mathematically manipulated (most often for optimization purposes), it must be guaranteed that the transformation does not alter the desired behaviour of the circuit. In this paper, a formal framework for describing and verifying Boolean functions and logic circuits at gate level was defined in the Coq theorem prover. To demonstrate the significance of the framework, basic theorems of the Boolean algebra and the duality principle were proven. Furthermore, multiple basic hardware components were described in the formal notations and functional equivalence and reversibility properties were verified. Our formal developments can be used to describe other logic components used in critical systems and can be formally proven correct using the Coq theorem prover tool. As a future work, we plan to build a translator to automatically translate circuit designs as Boolean functions in a natural style to the formalized (in Coq) Boolean algebra. Furthermore, to complete a formal electronic design flow, we intend to build a logic synthesis tool for translation from formal register-transfer level representation of the circuit (e.g., in VeriFormal, [49,69]) to gate-level representation as Boolean functions. Saud University, Saudi Arabia, for partially funding this