• Top
    • Documentation
    • Books
    • Boolean-reasoning
    • Projects
    • Debugging
    • Std
    • Proof-automation
    • Macro-libraries
    • ACL2
    • Interfacing-tools
    • Hardware-verification
    • Software-verification
      • Kestrel-books
        • Crypto-hdwallet
        • Apt
        • Error-checking
        • Fty-extensions
        • Isar
        • Kestrel-utilities
        • Soft
        • Bv
        • Imp-language
        • C
        • Event-macros
        • Java
        • Bitcoin
        • Ethereum
        • Yul
        • Zcash
        • ACL2-programming-language
        • Prime-fields
        • Json
        • Syntheto
        • File-io-light
        • Number-theory
        • Cryptography
          • R1cs
          • Interfaces
          • Sha-2
          • Keccak
          • Kdf
          • Mimc
          • Padding
          • Hmac
          • Elliptic-curves
            • Secp256k1-attachment
            • Twisted-edwards
            • Montgomery
              • Montgomery-mul
              • Montgomery-add
              • Montgomery-point-orderp
              • Montgomery-add-commutativity
              • Montgomery-mul-distributivity-over-scalar-addition
              • Montgomery-add-associativity
                • Birational-montgomery-twisted-edwards
                • Montgomery-curve
                • Montgomery-mul-nonneg
                • Montgomery-not-point-with-x-minus1-when-a-minus-2-over-b-not-square
                • Point-on-montgomery-p
                • Montgomery-neg
                • Montgomery-sub
                • Montgomery-add-closure
                • Montgomery-only-point-with-y-0-when-aa-minus-4-non-square
                • Montgomery-point-order-leastp
                • Montgomery-distinct-x-when-nonzero-mul-in-order-range
                • Montgomery-add-inverse-uniqueness
                • Montgomery-distributivity-of-neg-over-add
                • Montgomery-mul-associativity
                • Montgomery-points-with-same-x-have-same-or-neg-y
                • Montgomery-zero
                • Montgomery-points-with-same-x-are-same-or-neg-point
                • Montgomery-mul-of-mod-order
                • Montgomery-neg-inverse
                • Montgomery-zero-identity
                • Point-on-montgomery-finite-when-not-zero
              • Edwards-bls12
              • Short-weierstrass-curves
              • Birational-montgomery-twisted-edwards
              • Has-square-root?-satisfies-pfield-squarep
              • Secp256k1
              • Secp256k1-domain-parameters
              • Secp256k1-types
              • Pfield-squarep
              • Secp256k1-interface
              • Bls12-377-domain-parameters
              • Prime-field-extra-rules
              • Points
            • Attachments
            • Elliptic-curve-digital-signature-algorithm
          • Lists-light
          • Builtins
          • Axe
          • Solidity
          • Helpers
          • Htclient
          • Typed-lists-light
          • Arithmetic-light
        • X86isa
        • Axe
        • Execloader
      • Math
      • Testing-utilities
    • Montgomery

    Montgomery-add-associativity

    Assumption of associativity of Montgomery addition.

    We plan to prove the associativity of montgomery-add, but since that will take substantial work (the proof is notoriously laborious), for now we capture the associtivity property in this nullary predicate, which we can use as hypothesis in theorems whose proof needs associativity. This is preferable to stating an axiom, because an incorrect axiom (either because it is misstated or because addition is misdefined) would make the logic inconsistent. In contrast, if this nullary predicate is actually false (due to the same kind of mistake mentioned just above), it just means that any theorem with it as hypothesis is vacuous (a much less severe problem).

    We enable the rewrite rule associated to this defun-sk because it is essentially the associativity theorem, which is a good rewrite rule to have enabled, with the only difference that it has this nullary predicate as hypothesis. That rewrite rules rewrites additions to associate to the right. We also add a disabled associativity rule that rewrites additions to associate to the left instead; this may be occasionally useful in algebraic manipulations. We add a theory invariant preventing both rules from being enabled.

    Note that we need to assume the closure of addition, in the guard, in order to verify the guards of this function.

    Definitions and Theorems

    Theorem: montgomery-add-associative-right

    (defthm montgomery-add-associative-right
 (implies
    (montgomery-add-associativity)
    (implies
         (and (point-on-montgomery-p point1 curve)
              (point-on-montgomery-p point2 curve)
              (point-on-montgomery-p point3 curve))
         (equal (montgomery-add (montgomery-add point1 point2 curve)
                                point3 curve)
                (montgomery-add point1
                                (montgomery-add point2 point3 curve)
                                curve)))))

    Theorem: booleanp-of-montgomery-add-associativity

    (defthm booleanp-of-montgomery-add-associativity
  (b* ((yes/no (montgomery-add-associativity)))
    (booleanp yes/no))
  :rule-classes :rewrite)

    Theorem: montgomery-add-associative-left

    (defthm montgomery-add-associative-left
  (implies
       (and (montgomery-add-associativity)
            (point-on-montgomery-p point1 curve)
            (point-on-montgomery-p point2 curve)
            (point-on-montgomery-p point3 curve))
       (equal (montgomery-add point1
                              (montgomery-add point2 point3 curve)
                              curve)
              (montgomery-add (montgomery-add point1 point2 curve)
                              point3 curve))))