@@ -9,7 +9,7 @@ This is more explicit than saying that `(a.toNat + b.toNat) % 2^32 = cols.toNat`
99def spec (cols : Add4Operation (Fin p))
1010 (a b c d : Word (Fin p)) : Prop :=
1111 a.isUInt32 → b.isUInt32 → c.isUInt32 → d.isUInt32 →
12- (a.toNat + b.toNat) % 2 ^32 = cols.toNat
12+ (a.toNat + b.toNat + c.toNat + d.toNat ) % 2 ^32 = cols.toNat
1313
1414-- /-- Constraints on `AddOperation` as extracted from the source code. -/
1515-- def extractedConstraints (cols : AddOperation (Fin p))
@@ -23,10 +23,10 @@ def spec (cols : Add4Operation (Fin p))
2323
2424/-- Cleaned up representation of the `AddOperation` constraints. -/
2525def idealConstraints (cols : Add4Operation (Fin p))
26- (a b c d : Word (Fin p)) : Prop :=
26+ (aw bw cw dw : Word (Fin p)) : Prop :=
2727 let carry0 := 0
28- let carry1 := (a [0 ] + b [0 ] - cols[0 ] + carry0) * baseInv
29- let carry2 := (a [1 ] + b [1 ] - cols[1 ] + carry1) * baseInv
28+ let carry1 := (aw [0 ] + bw[ 0 ] + cw[ 0 ] + dw [0 ] - cols[0 ] + carry0) * baseInv
29+ let carry2 := (aw [1 ] + bw[ 1 ] + cw[ 1 ] + dw [1 ] - cols[1 ] + carry1) * baseInv
3030 carry1 * (carry1 - 1 ) = 0 ∧ -- isBool check
3131 carry2 * (carry2 - 1 ) = 0 ∧ -- isBool check
3232 cols.isUInt32 -- slice range checks
@@ -37,27 +37,23 @@ def idealConstraints (cols : Add4Operation (Fin p))
3737-- cols.extractedConstraints a b ↔ cols.idealConstraints a b := by
3838-- simp [extractedConstraints, idealConstraints, Word.isUInt32]
3939
40- -- /-- The extracted constraints on `AddOperation` imply the spec. -/
41- -- theorem correct [Fact (Nat.Prime p)]
42- -- (cols : AddOperation (Fin p))
43- -- (a : Word (Fin p)) (b : Word (Fin p)) :
44- -- cols.extractedConstraints a b → cols.spec a b := by
45- -- -- Unfold the definitions of constraints and spec
46- -- rw [extractedConstraints_iff_idealConstraints, idealConstraints, spec]
47- -- simp [sub_eq_zero, mul_eq_zero]
48- -- -- Introduce all of the hypothesis from the constraints
49- -- intros h1 h2 hcols_u32 ha_u32 hb_u32
50- -- -- Simplify the addition using the fact both limbs are u16 vals
51- -- erw [Word.add_mod_of_isUInt32_of_isUInt32 ha_u32 hb_u32, Word.toNat_add_toNat]
52- -- -- Split into two cases depending on if there was overflow
53- -- split_ifs with h_overflow
54- -- -- Split into cases depending on if the first limb addition had a carry
55- -- <;> cases h1 with | inl h1 => ?_ | inr h1 => ?_
56- -- <;> {
57- -- rw [ h1 ] at h2
58- -- simp [Fin.add_def, Fin.sub_def, Fin.ext_iff, p, Word.toNat,
59- -- Word.isUInt32] at *
60- -- omega
61- -- }
40+ /-- The extracted constraints on `AddOperation` imply the spec. -/
41+ theorem correct [Fact (Nat.Prime p)]
42+ (cols : Add4Operation (Fin p))
43+ (aw bw cw dw: Word (Fin p)) :
44+ cols.idealConstraints aw bw cw dw → cols.spec aw bw cw dw := by
45+ -- Unfold the definitions of constraints and spec
46+ rw [idealConstraints, spec]
47+ simp [sub_eq_zero, mul_eq_zero]
48+
49+ -- Introduce all of the hypothesis from the constraints
50+ intros h1 h2 hcols_u32 ha_u32 hb_u32
51+
52+ -- Split on if the lower limb leads to a carry
53+ cases h1 with | inl h1 => ?_ | inr h1 => ?_
54+ all_goals
55+ { rw [h1] at h2
56+ simp [Fin.add_def, Fin.sub_def, Fin.ext_iff, p, Word.toNat, Word.isUInt32] at *
57+ omega }
6258
6359end Add4Operation
0 commit comments