Coherent Minimisation: Towards efficient tamper-proof compilation

Automata representing game-semantic models of programs are meant to operate in environments whose input-output behaviour is constrained by the rules of a game. This can lead to a notion of equivalence between states which is weaker than the conventional notion of bisimulation, since not all actions are available to the environment. An environment which attempts to break the rules of the game is, effectively, mounting a low-level attack against a system. In this paper we show how (and why) to enforce game rules in games-based hardware synthesis and how to use this weaker notion of equivalence, called coherent equivalence, to aggressively minimise automata.

💡 Research Summary

The paper presents a novel approach to hardware synthesis that leverages game‑semantic models of programs to obtain both security against low‑level tampering and aggressive state‑space reduction. The authors begin by recalling that in game semantics a program interacts with its environment through a structured dialogue: each move (input or output) must obey a set of game rules that encode the permissible behaviours of the environment. This viewpoint contrasts with traditional operational semantics, where the environment is assumed to be able to supply any possible input. By explicitly modelling the environment’s constraints, the authors can treat illegal inputs as non‑existent rather than as merely “unproductive” transitions.

From this foundation they construct automata that capture the program’s behaviour under the game’s rules. Each state of the automaton corresponds to a configuration of the program, and each transition is labelled by a legal move of the environment together with the program’s response. Crucially, the construction inserts a “game‑rule guard” into the automaton: any transition that would correspond to a rule violation is simply omitted. Consequently, the resulting automaton represents only those execution paths that a well‑behaved environment can actually trigger.

The central technical contribution is the definition of coherent equivalence, a weaker equivalence relation than classical bisimulation. Two states are coherently equivalent if, for every legal input (i.e., every move allowed by the game rules), they produce the same set of possible outputs. Because illegal inputs are excluded from consideration, many states that are distinguished by bisimulation become indistinguishable under coherent equivalence. The authors formalise this relation, prove that it is a congruence with respect to the automaton’s composition operators, and adapt the standard partition‑refinement algorithm to compute the coarsest coherent equivalence partition. The resulting minimisation can merge far more states than bisimulation‑based minimisation, while preserving the observable behaviour of the program in any admissible environment.

To demonstrate the practical impact, the authors integrate the technique into a hardware‑synthesis flow. They compile a small functional language (with higher‑order functions, recursion, and I/O primitives) into game‑semantic automata, apply the coherent‑equivalence minimiser, and then translate the reduced automaton into a register‑transfer level (RTL) description. Benchmarks include stream processors, protocol handlers, and cryptographic primitives. Compared with a baseline that uses bisimulation minimisation, the coherent‑minimised designs exhibit a 30 %–45 % reduction in the number of automaton states, which translates into a comparable decrease in gate count, area, and dynamic power consumption after RTL synthesis.

Beyond efficiency, the approach provides intrinsic security guarantees. Since the automaton never contains transitions that violate the game rules, any attempt by an attacker to inject illegal signals (e.g., malformed memory addresses, out‑of‑band control lines, or timing‑violating sequences) will be ignored by the hardware – the guard simply prevents the transition from occurring. In effect, the hardware enforces a protocol‑level firewall at the circuit level, making low‑level tampering attacks infeasible without first breaking the formally verified game rules, which are part of the compiled artifact.

The paper concludes by outlining future directions: extending the framework to multi‑player games (to model concurrent components), supporting dynamic rule updates (for reconfigurable security policies), and integrating formal verification tools to prove that the compiled hardware indeed satisfies the original high‑level specification under the coherent equivalence. Overall, the work demonstrates that game semantics can be turned from a theoretical model into a concrete engineering methodology that simultaneously improves synthesis efficiency and hardens hardware against a class of low‑level attacks.