2024 The 9th International Conference on Integrated Circuits and Microsystems
Formal Verification and Verilog Code Generation
for Coq-based Carry-Lookahead Adder Algorithm
Kexin Chen
Nanjing University of Aeronautics and Astronautics
Nanjing, China
0009-0006-1961-1129
[email protected]
2024 9th International Conference on Integrated Circuits and Microsystems (ICICM) | 979-8-3315-0945-3/24/$31.00 ©2024 IEEE | DOI: 10.1109/ICICM63644.2024.10814122
Abstract—This article describes the application of customized
proof techniques for proving theorems related to arithmetic
circuits in the Coq theorem prover and generating Verilog code
from Coq. By illustrating the correctness verification process of
a carry-lookahead adder (CLA) as an example, this set of proof
strategies not only significantly simplifies the proof process but
also enhances the efficiency of Coq formal verification in general.
It is also possible to generate Verilog code for CLA of arbitrary
size (up to 128 bits) based on Signal type. Additionally, the Verilog
code for CLA generated from Coq can be run directly, has been
synthesized and simulated in Quartus.
Index Terms—Coq Meta-proof, Custom Proof Strategies,
Hardware Formal Verification, Verilog, Arithmetic Circuits
I. I NTRODUCTION
As modern society continues to rely increasingly on digital
circuits and embedded systems, the reliability and correctness
of arithmetic circuits have become paramount. Arithmetic
circuits find widespread applications across various domains,
including computer processors, communication systems, med-
ical devices, and automatic control systems. In traditional cir-
cuit design, the validation of arithmetic circuit correctness typ-
ically relies on methods such as testing and simulation. While
these methods can help uncover certain design flaws, they
cannot provide complete correctness assurance. To address this
challenge, formal verification methods have emerged. Formal
verification is a mathematical and logic-based approach aimed
at providing a formal proof of correctness for hardware
circuits. Unlike simulation-based methods, formal verification
offer proofs of correctness for all possible scenarios, thereby
providing a higher level of assurance.
Formal verification can be roughly classified into two
classes. The first class is automated formal verification. The
main techniques include SAT, BDD, and model checking. The
second class is based on theorem proving, which requires
human machine interaction.
Automated equivalence checking based on SAT and BDD
are now well established and can effectively verify the correct-
ness of adder circuits. However, theorem proving techniques
are still valuable in order to understand the principles of
complex high-speed adders, to support the design of novel
addition circuits, to build formal hardware design libraries, and
to support modular formal hardware construction. In Table I,
we state the advantages of the theorem proving method.
979-8-3315-0945-3/24/$31.00 ©2024 IEEE
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY DELHI. Downloaded on April 19,2025 at 09:10:57 UTC from IEEE Xplore. Restrictions apply.
Gang Chen
Nanjing University of Aeronautics and Astronautics
Nanjing, China
TABLE I
A DVANTAGES OF T HEOREM P ROVING
Specificities Advantage Analysis
mathematical proof Have rigorous mathematical proofs
versatility Not limited by circuit size or complexity
highly customisable Can customise verification rules and properties
deep formal validation Can probe deeply into the formalisation of properties
accuracy guarantee Ensure that the property being verified is absolutely true
In our prior research papers, the mathematical derivations
elucidating the principles of high-speed parallel adders have
been described [1]–[3]. However, these papers have not pro-
vided a comprehensive analysis of the key techniques and
strategic foundations employed during the Coq proof process.
In this paper, we have developed a plethora of reusable proof
strategies and tools aimed at automating the proof process and
enhancing its efficiency. Based on the completion of the proof,
a Verilog code generator for CLA based on Coq has been
made, which is capable of automatically generating Verilog
code for CLA with no more than 128 bits. We summarize our
main contributions as follows.
• We have provided a comprehensive exposition of the
process and intricacies involved in the Coq proof of a carry-
lookahead adder. This serves to enhance the comprehension
of the design principles underlying high-speed parallel adders
and other arithmetic circuits.
• This paper provides a substantial supplement by offering
detailed Coq proofs and key techniques for the mathematical
deduction and verification of the principles behind high-speed
parallel adders, filling an important gap in the literature.
• On the basis of proving the correctness of the CLA,
a code generator was developed independently, which can
automatically generate the Verilog code of the CLA (the size
of the CLA does not exceed 128 bits) from the Coq.And
the generated Verilog code can be synthesised and simulated
directly in Quartus.
• We distil a reusable Coq library from correctness proofs of
carry-lookahead adders, including a set of lemmas, and Ltac-
defined proof strategies, a library that will help support future
formal verification of arithmetic circuits.
Related Works. Extensive work has also been conducted
on the correctness proof of carry-lookahead adders. T. Lynch
et al [4] proposed a 64-bit spanning tree carry-lookahead
6
 adder (STCLA) with a hybrid carry-lookahead/carry-select
structure. Yuke Wang et al [5] also proposed a new hybrid
carry-lookahead/carry-select scheme based on Ling’s carries
and complemented the group carry terms to gain speed.
J. O’Donnell and G. Rnger [6] employed high-order func-
tional combinators to represent carry-lookahead adder and
the correctness is established by algebraic transformations.
[7]considered formal verification of adder circuits for multiple-
valued logic and prove that for different types of adder
circuits polynomial-time verification can be performed based
on decision diagrams (DDs), which is also for fast adders like
the conditional sum adder and the carry- lookahead adder.
Quad trees-trees with four branches, are used to abstractly de-
scribe tree-structured carry-lookahead adders using 4-bit com-
ponents. The specification and implementation descriptions are
parametrized and tree-structured adders having arbitrarily large
inputs and outputs are described. The descriptions are formally
verified using the HOL theorem power [8].
The carry-lookahead adder is based on the principle of
parallel computation and shares similarities with many parallel
adders. Parallel adders are widely used in high-performance
computer design and hardware acceleration for large-scale data
processing. In the adder design theory, a key property of the
group propagated carry and the group generated carry is based
on the two recurrence equations. The property is fundamental
to many parallel prefix adders [9]–[13]. [2]provided a formal
proof regarding Gi and Pi. The proof granted a solid under-
pinning for a formal verification methodology for ubiquitous
parallel adders [1], [3], [14]–[16]. [17]computed of carries in
parallel, they were segmented into smaller pieces. It used carry
propagate and generate as intermediate signals. [18]Device
used Xilinx 14.7 and the designs were simulated using ISim
Simulator and Altera Modelsim 10.1d. A comparison was
made about the efficiency of KSA with Carry Look Ahead
adder (CLA) and Carry Skip Adder (CSA) with respect to
speed and number of slice LUT’s used.
The remainder of this article is organized as follows. Section
II introduces the basics of Coq theorem proving facilities,
while Section III summarizes some of the self-developed
lemmas and strategies utilized in proving the correctness of
the carry-lookahead adder. The lemma repository established
in this paper will be of significant assistance in future proofs
of more complex arithmetic circuits. Section IV presents the
application of our internally developed automated proof tech-
niques in the verification of carry-lookahead adders. Section V
introduces in detail the automatic generation of CLA’s Verilog
code of any length (no more than 128 bits) from Coq based
on the correctness proof of the carry-lookahead adder, and
conducts synthesize and simulate in Quartus. Finally, Section
VI concludes the paper.
II. T HE BASICS OF C OQ T HEOREM P ROVING
In Coq, both Lemmas and Tactics are essential compo-
nents in constructing formal proofs, utilized for deducing and
demonstrating specific propositions or goals. This section will
7
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY DELHI. Downloaded on April 19,2025 at 09:10:57 UTC from IEEE Xplore. Restrictions apply.
introduce the basics of Coq theorem proving and the relevant
principles.
In the Coq library, lemmas are defined as follows: they
are declared using the Lemma keyword (or T heorem, Goal,
etc.) followed by the lemma’s name, and then a proposition
expression is provided after the colon.
Lemmas provide a structured, step-by-step approach to
proving the correctness of a mathematical or logical assertion.
By breaking down a larger proof into smaller lemmas, the
proof can be more easily understood and validated. Addition-
ally, Coq lemmas can be reused in other proofs, making them
a powerful tool for building up a library of proven results that
can be used to establish new assertions. Lemma reuse can
make proofs more efficient. Below is an example of a simple
Coq lemma definition we customised:
Lemma plus comm : f orall n m : nat, n + m = m + n.
To prove this lemma, Coq’s tactics are employed to con-
struct the proof:
intros n m.rewrite N at.add comm.ref lexivity.Qed.
In the above example, Introduce two variables and rewrite
the expression using the commutativity property of natural
number addition. Finally, the ref lexivity tactic is employed
to prove the equality.
Coq provides the Ltac sublanguage for users to construct
customized proof strategies. Ltac can assist Coq users in
automating tedious and repetitive proof steps, thereby making
proofs more accessible, faster, and more reliable. The basic
syntax of Ltac is as follows:
Ltac tactic name := tactic def inition.
The fundamental principle of Ltac revolves around matching
and substitution. When defining tactics, a variety of different
commands can be used such as intros, apply, rewrite,
simpl, split, lef t, right, and so forth. These commands
can be combined to form complex tactics that simplify proof
process.
For example, here is an our customised tactic:
Ltac truth table tactic3 a b c :=
intros; destruct a; destruct b; destruct c; trivial.
When this tactic is applied to a proof goal, it matches a
pattern that introduces three variables and discusses all their
possible Boolean values in a categorical manner. Following
this pattern, the custom strategy can achieve automated proofs
for equations involving any number of Boolean variables,
simplifying the proof process for multi-variable Boolean equa-
tions.
III. S ELF - DEVELOPED P ROOF S TRATEGIES AND L EMMAS
FOR C ARRY- LOOKAHEAD ADDER
The formal verification of CLA involves intricate mathemat-
ical expressions,inductive assumptions, and recursive struc-
tures in parallel computation. It necessitates handling com-
 plex mathematical substitutions and expression simplifica-
tions.While existing proof tactics may be capable of complet-
ing the proof for these specific requirements, the process can
become exceedingly cumbersome. Hence, it necessitates the
customization of a new set of tactics and lemmas to streamline
and enhance the proof process. Simultaneously, they can also
be applied in other contexts of formal verification of arithmetic
circuits.
A. Customised Dual Inductive Lemma
During the formal verification of CLA, different cases of
input signals may need to be considered when proving a
property of a circuit, e.g. a proof involving recursive properties
for multiple input variables or multiple states may require the
simultaneous consideration of multiple combinations of input
and output signals. In that case analysing them one by one
using the inductive method would result in a large number of
subgoals and the situation would become very complicated.
Therefore, we customise a new theorem nat ind2 to use
double induction to complete the proof, and its Coq code is
as follows:
T heorem nat ind2 : f orall (P : nat → P rop),
(P 0) → (P 1) → (f orall (n : nat),
(P n) → (P (S (S n)))) → (f orall n, (P n)).
The goal of the theorem is to show that property P holds for
all natural numbers n. Use the lemma nat split to decompose
the natural number n into two cases: n is odd or n is even.
For the case where n = 0, this can be proved directly using
(P 0) in the prerequisite. If n is even, rewrite the expression
using the lemma simple.even succ. If n is odd, rewrite the
condition and discuss the classification of n again, rewrite
the substitution using Lemma simple.even succ and lemma
succ add1, and finally complete the proof.
In formal proofs of arithmetic circuits, this double induction
helps to prove some recursive properties or properties that
require analysis of the natural numbers.
B. Simultaneous Induction of Double Lists
When verifying the correctness of multi-digit arithmetic,
cascade circuits, adders and multipliers, datapaths, etc., it is
necessary to perform simultaneous induction on a double list
of inputs. One approach is to define new inductive theorems
tailored to address inductive proofs of such complex struc-
tures. Here, we introduce a custom inductive theorem named
doubleListInd, designed to simultaneously induct upon both
a and b lists. It internally categorizes the possibility of whether
the lists are empty, encapsulating the fundamental handling
methods for double equally sized lists. Its implementation in
Coq is as follows:
T heorem doubleListInd :
P nil nil → (f orall la, P la nil) →
(f orall lb, P nil lb) → (f orall a b la lb, P la lb →
P (a :: la) (b :: lb)) → (f orall la lb, P la lb).
8
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY DELHI. Downloaded on April 19,2025 at 09:10:57 UTC from IEEE Xplore. Restrictions apply.
The proof of using the auxiliary function doubleListRect
to handle recursion. It handles comparisons and operations on
two lists, The different cases are controlled by the parameters.
C. Apply a Binary Function to Succesive Pairs of a List
In formal proofs of arithmetic circuits, such as adder
operations, two input lists of signals need to be merged
one by one. The resulting new list of signals participates in
the next computational step. So we customised two func-
tions pairwise apply and pairwise pure, where function
pairwise apply can be used to merge two lists of unequal
length bit by bit; function pairwise pure can be used to
merge two lists of equal length bit by bit. Applying these two
binary functions to successive pairs of a list, we customise two
lemmas, pairwise apply redr and pairwise pure redr,
and their Coq codes are as follows:
Lemma pairwise apply redr :
f orall (l1 l2 : list A) (x y : A),
len eq l1 l2 →
pairwise apply (l1 : +x) (l2 : +y) =
(pairwise apply l1 l2) : +(op x y).
The proof procedure for lemma pairwise pure redr is the
same. These two theorems can be used to verify the correctness
of data signal propagation, circuit bit-level synthesis, and are
applicable in logic synthesis.
IV. A PPLICATION OF C USTOM AUTOMATED P ROOF
T ECHNIQUES IN THE V ERIFICATION OF
C ARRY-L OOKAHEAD A DDERS
In this section, we introduce the basic principles and design
features of the carry-lookahead adder. Next, we will delve into
the difficulties encountered in the proof process and present
independently developed proof strategies for such problems.
We combine mathematical derivations to systematically dissect
the proof process.
A. Principles and Design of Carry-Lookahead Adders
The core concept of a carry-lookahead adder (CLA) in-
volves two variables: Gi and Pi , where i represents the i-th
bit of the input data. G stands for Generator, and P stands
for P ropagator. To illustrate the design principle, let’s take
a 4-bit carry-lookahead adder as an example.
Gi is defined as Ai &&Bi , representing the carry generate
signal, and Pi as Ai Bi , representing the carry propagate signal.
Their generation process is depicted in Fig 1. Fig 2 shows the
circuit diagram for generating the carry signal C4 in CLA.
CLA initiates the calculation of all carries as soon as
the input signals A and B reach the ports. The gate delay
of a 4-bit carry-lookahead adder includes 3 gate levels for
computing C3 and an additional 1 gate level for the final GP
generator, totaling 4 gate levels. This represents more than a
50% reduction in gate levels compared to a 4-bit ripple carry
adder with 9 gate levels of delay.

Fig. 1. The generation process of G and P
Fig. 2. Schematic diagram of a 4-bit carry-lookahead adder
The structural diagram of a 4-bit carry-lookahead adder is
shown in Fig 3. It takes two input lists, A and B, as well as
the carry C0 from the least significant bit. The outputs consist
of a list of Si and the carry generate signals Gi and carry
propagate signals Pi , generated by each circuit structure as
shown in Fig 1. When combined with a carry generator, they
form the 4-bit carry-lookahead adder as depicted in Fig 3.
B. Formalizing Carry-Lookahead Adder in Coq
The challenge in proving the correctness of a carry-
lookahead adder in Coq lies in inductive proofs and formalised
bitwise operations.
In Coq, we define gi , pi , ci and si , where the latter
represents the carry and sum for the ith bit. The inputs to the
adder are vectors of Boolean values, where the AND operator
∗ is implemeted by the Coq operator &&, the XOR operator
⊕ by (+) , and the OR operator + by ||.
First we introduce some variables that serve as vectors, and
we specify their data types and legal ranges. In Coq, there are
various ways to model vectors. Here, we adopt a convenient
Fig. 3. 4-bit carry-lookahead adder structural diagram
9
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY DELHI. Downloaded on April 19,2025 at 09:10:57 UTC from IEEE Xplore. Restrictions apply.
modeling approach, treating vectors as functions from natural
numbers to Boolean values. Thus, input vectors x and y are
both functions of type nat → bool.
V ariables x y : nat → bool.
We introduce a natural number n, representing the upbound
of x and y:
V ariable n : nat.
To access vectors using the index variable i we need to
ensure that the index satisfies 0 ≤ i ≤ n. Therefore, we
introduce a predicate valid to check the legality of the index.
Def inition valid (i : nat) (n : nat) := (i >= 0) ∧ (i <= n).
Because we represent vectors using functions in Coq, it
is common to denote the i-th element of vector x as x(i),
indicating that the function x is applied to i. However, in Coq,
we can omit the parentheses and simply write it as x i.
Def inition p (i : nat) : bool := x i (+) y i.
Def inition g (i : nat) : bool := x i && y i.
Since the vectors used in the circuit have a fixed length,
which we denote as n, the input parameters i for functions
like p and g must be within the interval [0, n]:
Lemma P : f orall i, valid i n → (p i) = (x i (+) y i).
Lemma G : f orall i, valid i n → (g i) = (x i && y i).
These two lemmas are easy to prove using the definition.
The carry ci+1 = gi + pi &&ci is calculated using a recursive
function, where c 0 is equal to the input value cin:
F ixpoint c (i : nat) : bool := match i with
| O ⇒ cin
| S i ⇒ (g i || p i && c i) end.
Lemma c0 eq cin : c 0 = cin.
Lemma Carry : f orall i, valid i n → (c (S i))
= (g i || p i && c i).
These two lemmas are easy to prove using the definition.
Define the generated sum for each bit:
Def inition s (i : nat) : bool := p i (+) c i.
Lemma Sum : f orall i, valid i n → (s i) = (p i (+) c i).
There is an important property: when x and y are boolean
values, the following mathematical relationship holds: x+y =
x ∗ y ∗ 2 + x(+)y.The following is the proof process in Coq:
Lemma binary addition :
f orall x y : bool, x + y = x ∗ y ∗ 2 + x (+) y.
This lemma can be proved by using the trutht ablet actic2
strategy mentioned in Part II.
 C. Proving the Carry-Lookahead Adder x, 1 ∗ x = x, x ∗ 0 = 0, 0 ∗ x = 0, x + x = 2 ∗ x,
The correctness of the carry-lookahead adder can be de- and so on. The relevant definition of the BasicArith tactic
scribed using the following mathematical formulas: in Coq is as follows:
Pk−1 i Pk−1 i Pk−1 i k
i=0 xi 2 + i=0 yi 2 + c0 = i=0 si 2 + ck 2 (1) ♯[export] Hint Rewrite
Equation (1) is expressed in Coq as follows: plus 0 l plus 0 r a plus a minus n O
mult 0 r mult 0 l mult 1 l mult 1 r : base arith.
T heorem cla correctness : f orall k, valid k n →
Ltac BasicArith := autorewrite with base arith.
sigma2 k x + sigma2 k y + c 0
= sigma2 k s + c (S k) ∗ power2 (S k). After applying the BasicArith tactic, the subgoal is sim-
plified to:
The definition in Coq is a generalisation of the mathematical
expression to indicate that it holds for all legal arguments x0 + y0 + c0 = s0 + c1 ∗ 2
k. The scope of the subscripts of the variables needs to
2) To Automate the Proof of Boolean Equations:
be checked in the reasoning used, so the valid predicate
ensures the legitimacy of the reasoning and definitions. We use rewrite valid Sum; rewrite valid Carry.
the function sigma2 to represent the summation calculation,
rewrite binary addition in | − ∗.
which achieves this through recursive computation using an
auxiliary function called sigma2 aux. Its implementation in rewrite valid P ; rewrite valid Q;
Coq is as follows: truth table tactic3 (x 0) (y 0) (c 0).
F ixpoint sigma2 aux Continuing to prove subgoal x 0 + y 0 + c 0 = s 0 + c 1 ∗
(n : nat) (f : nat → bool) (result : nat) struct n := 2.which requires the expansion of the variables s and c. We
match n with have developed a novel proof strategy named rewrite valid.
The primary function of this strategy is twofold: it conducts
| 0 ⇒ f 0 + result rewriting operations while concurrently ensuring the validity
|S i⇒ of variables within the [0, k] interval.The relevant definition
sigma2 aux i f ((f n) ∗ power2 n + result) end. of the rewrite valid tactic in Coq is as follows:
Def inition sigma2 (n : nat) (f : nat → bool) := Ltac rewrite valid eq :=
sigma2 aux n f 0. rewrite eq; [idtac|apply valid zero].
Psigma2
k i
k x is equivalent to the mathematical formula After applying the rewrite valid tactic, the subgoal is
i=0 x i 2 , power2 (S k) is equivalent to the mathematical simplified to:
formula 2n . When k=0, the equation is: x0 +y0 +c0 = s0 +2c1 .
It is possible to derive the equivalence by substituting all the x0 + y0 + c0 =
parameters in the equation with g0 , p0 , and c0 . This case can p 0 (+) c 0 + (g 0 || p 0 && c 0) ∗ 2
be easily proved.
Next are the subgoals to be proved and an analysis of the Next, the rewrite valid strategy is used to rewrite the
difficulties: arguments S 0 and c 1 of the Boolean equation as an
1) Automated Arithmetic Expression Simplification: expression containing g 0 and p 0. Then we rewrite the lemma
binary addition proved in section IV into the expression,
P roof. induction k. intro;
and then we use the rewrite valid strategy to rewrite the
unf old sigma2 in | − ∗; simpl in | − ∗. BasicArith. arguments p 0 and g 0 of the Boolean equation as an
Firstly, we generalise k, introduce multiple premises of the expression containing x 0 and y 0. The proof is completed
objective to be proved into the hypothesis by intro, expand using the truth table tactic3 strategy proved in Section II.
the sigma2 function and simplify expressions, and isolate the Next use the induction step to continue to derive the
first sub-objective to be proved: the case k = 0. conclusion that holds for all positive integers.
Various arithmetic expressions that can be simplified may When n=k, assuming Equation (1) holds:
arise during the proof. For the case of k = 0, after Coq Pk−1 i Pk−1 i Pk−1 i k
i=0 xi 2 + i=0 yi 2 + c0 = i=0 si 2 + ck 2 (2)
simplification, we obtain the subgoal:
We should proof that the equation still holds when n=k+1:
x 0 + 0 + (y 0 + 0) + c 0 = s 0 + 0 + c 1 ∗ 2
Pk i Pk i Pk i k+1
We have defined a new proof strategy called BasicArith. i=0 xi 2 + i=0 yi 2 + c0 = i=0 si 2 + ck+1 2 (3)
Its purpose is to simplify expressions using a set of arithmetic Subtracting equation (2) from equation (3) gives:
simplification rules. These simplification rules include equa-
tions such as x + 0 = x, 0 + x = x, x − 0 = x, x ∗ 1 = xk 2k + yk 2k = sk 2k + ck+1 2k+1 − ck 2k (4)

10
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY DELHI. Downloaded on April 19,2025 at 09:10:57 UTC from IEEE Xplore. Restrictions apply.
 Further simplification gives:
xk + yk + ck = sk + 2ck+1
Substituting ck+1 = gk + pk ck ,sk = pk ⊕ ck ,xk + yk =
2xk yk + xk ⊕ yk = 2gk + pk , we can see that this equation
holds true. At this point the case n = k + 1 is proved. The
mathematical derivation is next verified in Coq, analysing the
difficulties of proof and custom proofing techniques will be
introduced. Next are the subgoals to be proved and an analysis
of the difficulties:
3) Factorisation and Simplification of Sums of Polynomials:
unf old sigma2 in | − ∗. simpl in | − ∗; BasicArith.
unf old sigma2 in IHk.
rewrite (sigma2 aux result k x),
(sigma2 aux result k y),
(sigma2 aux result k s)in | − ∗.
plusGroup(sigma2 aux k x 0 + sigma2 aux k y 0 + c 0).
Handling the summation of polynomials for the case n=k
poses a particularly intricate challenge, and the ingenious
application of conclusions previously established in the case
of k=0 becomes paramount. This represents the most arduous
aspect of proving the correctness of the carry-lookahead adder.
Prove the current subgoal:
sigma2 (S k) x + sigma2 (S k) y + c 0 =
sigma2 (S k) s + c (S (S k)) ∗ power2 (S (S k))
First, by encapsulating the sigma2 aux function within the
sigma2 function, with the initial accumulation value set to 0.
We then customise a new proof lemma sigma2 aux result,
which functions like a linear property, being able to transform
a product of polynomials into the form of a sum of two
polynomials, and in doing so we help simplify the process of
proof by separating out the expression for the case of k=0, and
thus replacing it with the conclusion we have already proved in
the previous section. The definition for sigma2 aux result
is as follows:
Lemma sigma2 aux result : f orall n f r,
sigma2 aux n f r = r + sigma2 aux n f 0.
The proof starts by expanding the sigma2 function and
using the BasicArith strategy to simplify the Boolean equa-
tion. Then we rewrite the arguments x, y, and s using the
sigma2 aux result lemma to split the polynomial product
into several polynomial sums, Finally, all the factors for the
case of k = 0 are separated out from the polynomial.
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY DELHI. Downloaded on April 19,2025 at 09:10:57 UTC from IEEE Xplore. Restrictions apply.
Applying our custom lemma sigma2 aux result to the
parameters x, y, and s yields new subgoals:
(5)
x (S k) ∗ (2 ∗ power2 k) + sigma2 aux k x 0
+ (y (S k) ∗ (2 ∗ power2 k) + sigma2 aux k y 0)
+c 0 =
s (S k) ∗ (2 ∗ power2 k) + sigma2 aux k s 0
+ c (S (S k)) ∗ (2 ∗ (2 ∗ power2 k))
At this stage, all the polynomial factors associated with
the k=0 case have been isolated, and a new proof strategy
plusGroup is customised, which is used for the grouping cal-
culation of specific additive terms.The code for the plusGroup
strategy is as follows:
Ltac plusGroup a := match a with
|(?y + ?z) + ?x ⇒ M vLef t plus x; plusGroup (y + z);
rewrite (f un u ⇒ plus assoc u x)
|(?y + ?x) ⇒ M vLef t plus x; M vLef t plus y;
rewrite (f un u => plus assoc u x)
| ⇒ idtac end.
Applying the plusGroup strategy to the group of addends
sigma2 aux k x 0 + sigma2 aux k y 0 + c 0, which
collectively represent the initial states of the adders x0, y0,
and c0, we effectively treat them as x 0 + y 0 + c 0 =
s 0 + c 1 ∗ 2, a result we have previously proven when
k=0. This allows us to replace the entire group of addends
in the subgoal with the established result.After applying the
plusGroup strategy, we obtain the following new subgoal:
sigma2 aux k s 0 + c (S k) ∗ power2 (S k) +
(x (S k) ∗ (2 ∗ power2 k) + y(S k) ∗ (2 ∗ power2 k))
= s (S k) ∗ (2 ∗ power2 k)
+ (sigma2 aux k s 0 + c (S (S k)) ∗ (2 ∗ (2 ∗ power2 k)))
4) Identical factor elimination for Boolean equations:
RmP lusT m (sigma2 aux k s 0);
RmM ultT m (power2 k). RmM ultT m 2.
In the next steps of the proof, the rewrite strategy applies
the inductive hypothesis IHk to the current goal of the proof,
helping to change the form of the goal. The power2 S
lemma is rewritten into the expression in order to extract the
common factors. The parameter c is rewritten as an expression
containing g and p.
Eliminating completely identical factors and redundant
parentheses from Boolean equations allows for further sim-
plification. We introduce two custom proof strategies: the
11
 RmP lusT m tactic and the RmM ultT m tactic, defined in
Coq as follows:
Ltac RmP lusT m a :=
M vLef t plus a; apply (f equal2 plus);
[ref lexivity | idtac].
Ltac RmM ultT m a :=
M vLef t mult a;
repeat(rewrite ← mult plus distr l);
apply (f equal2 mult); [ref lexivity | idtac].
These two tactics are used to simplify additive and multi-
plicative terms, respectively, and they simplify the proof by
proving that the factors on both sides are equal by shifting the
terms, expanding the operator, etc., and thus eliminating the
same factor on both sides of the equation.The subgoal after
sufficient simplification is: c (S k) + (x (S k) + y (S k)) =
s (S k) + 2 ∗ (g (S k) || p (S k) && c (S k))
The above are examples of the complexities and difficulties
in proving the process and some specific applications of
customised techniques.
V. G ENERATING V ERILOG C ODE FROM C OQ
The steps to generate Verilog code for CLA in Coq are as
follows:
A. Signal Vector Modeling and Parameterization
1) Define the Signal Type to Represent elements in Verilog:
Use Coq’s Inductive type to define the Signal type and
define logical operations such as and, or, different or etc.It
is also necessary to define Signal P air to represent signal
pairs for the inputs of partial and full adders. The following
code shows the partial definitions:
Inductive Signal : Set :=
| And2 : Signal → Signal → Signal
| Bitv : string → Signal
| Letb : string → Signal → Signal → Signal
with Signal P air : Set :=
| Spair : Signal → Signal → Signal P air
| Letb2 : string → Signal →
Signal P air → SignalP air.
2) Replace Signal Patterns to Facilitate Parametric:
Using the recursive function subst the input signal s are re-
placed accordingly to their type. For Bit0 and Bit1 signals,the
signal itself is returned directly. For logic gates with two sub-
signals,the subst function is called recursively to replace the
sub-signals.When the matched signal is a locally bound signal
Letb,recursively perform the substitution operation on the
bound value e1 and e2 while keeping the bound variable name
v unchanged.For named signals of type Bitv,if the naming is
the same as the signal name to be replaced, the replaced signal
12
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY DELHI. Downloaded on April 19,2025 at 09:10:57 UTC from IEEE Xplore. Restrictions apply.
e is returned; otherwise, the original named signal is returned.
The following code shows the partial definitions:
F ixpoint subst (s : Signal) (v : string) (e : Signal) :
Signal := let st s := subst s v e in match s with
| Bit0 ⇒ Bit0
| Bit1 ⇒ Bit1
| And2 r1 r2 ⇒ And2 (st r1) (st r2)
| Letb v e1 e2 ⇒ subst e1 v e2
| Bitv v ′ ⇒ if eqb v v ′ then e else s end.
3) Using Infix Operators to Represent Logical Operations:
The snippet declares a scope called Signal scope and
defines a series of midfix operators that are used to represent
logical operations within that scope.These operators can be
used for symbolic representation in logical expressions, im-
proving readability and expressiveness.For example:
Declare Scope Signal scope. Inf ix “||” :=
Or2 (at level 50, lef t associativity) : Signal scope.
B. Conversion between Signal Types and Verilog Code
1) Converts an Expression of Type Signal to the Verilog
String Representation:
The following code shows the partial definitions:
F ixpoint gv (s : Signal) : string := match s with
| Bit0 ⇒ “1′ b0”
| Bit1 ⇒ “1′ b1”
| Bitv v ⇒ v
| N ot1 r ⇒ “ (“ + + (gv r) + + ”)”
| And2 r1 r2 ⇒ “(“ + + (gv r1) + + ”)&
(“ + + (gv r2) + + ”)” end.
2) Expand Each Element of the Array:
The mk names function generates a list of arrays prefixed
with the string c (the name of the array) followed by a string of
natural numbers with subscripts ranging from 0 to n-1. If n is
zero, the result list is returned; if n is not zero, the mk names
function is called recursively, and the result is passed as a new
argument with n minus 1,and the new string is added to the
beginning of the result list. For example, if the value of c is g
and the value of n is 4, calling mk names g 4 [] will return
the list of strings [“g[0]”; “g[1]”; “g[2]”; “g[3]”].
F ixpoint mk names (c : string) (n : nat) (result : liststring)
list string := match n with
O ⇒ result
| Sm ⇒
mk names c m ((c + +(writeN at (n − 1))) :: result) end.
 3) Converts the Adder Output Signal Pair Into the Verilog
Assignment Statements:
The function gv adder out generates Verilog code based
on the provided list of output variable names, and the output
signals of the adder. Initially, it combines each output variable
name with its corresponding adder output signal. Then, for
each combination, it invokes the function gv assign to gener-
ate assignment statements. These statements are concatenated
into a single string using the f lat str list function. Sub-
sequently, the function handles the adder’s carry-out signal
by invoking gv assign, appending the resulting assignment
statement to the previously generated string. This process
yields a complete Verilog code string.
Def inition gv adder out
(out vars : list string) (ss : tpAdderOut)
: string := let ′ (sums, cout) := ss in let vs
:= List.combine outv ars sums
in (f lat str list (List.map gv assign vs))
+ + (gv assign (“cout”, cout)).
C. Calculate the Output Carry Signal
1) Calculate the qi Generated by each carry Generator:
As shown in Fig 3, the carry generation signal Gi and
the carry propagation signal Pi generated by each circuit
structure will enter the Carry generator, and each component
will generate a carry signal. f ast qi function will calculate
the carry qi generated by each pair of input signals, and pass
the carry signal from right to left to the next circuit structure,
which, together with the output generated by the GP generator,
forms a new tuple that enters the Carry generator to participate
in the operation.
F ixpoint f ast qi gpl c struct gpl :
Signal := match gpl with
(gi, pi) :: gpl′ ⇒ gi || (pi && (f ast qi gpl′ c))
| nil ⇒ c end.
2) Calculate the Final Output Carry Signal:
The f astc arry function takes two arguments: the chain gpl
and the initial rounding signal c. First,it calls the previously
defined f ast q function to compute the sequence of output
signals of the rounding chain, which is stored in the variable
q.Here,rev gpl is used to reverse the chain to obtain the correct
sequence of carry signal outputs.If q is the empty list,the initial
carry signal c is returned.The final function returns a tuple
consisting of the initial carry signal and the newly generated
sequence of carry output signals from the CLA.
Def inition f ast carry gpl c :
(list Signal) ∗ Signal :=
let q := f ast q (rev gpl) c in match q with
hd :: tl ⇒ (rev tl, hd)
| nil ⇒ (nil, c) end.
13
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY DELHI. Downloaded on April 19,2025 at 09:10:57 UTC from IEEE Xplore. Restrictions apply.
D. Generating Verilog Code and Simulation for n-bit CLA
from Coq
1) Generate Verilog code of Carry-Lookahead Adder of Size
n:
First a variable named z is defined to represent the input
carry. bitvc[0] creates a bit vector named c[0] which is the
input carry in the CLA. The mka dderi on ames function is
called next, which generates the names of the input and output
ports of the n-bit adder. These names are bound to the tuple
(ab, c), where ab is a list of the names of the adder ports and
c is the names of the output ports, equivalent to the gi list, the
pi list, and the ci list. Next a new variable abv is created, and
each element of the input port name list ab is converted to a
bit vector by the mk bvar2 function.
Next the gv adder out function is called, which generates
Verilog code based on the input port names and the output
rounding of the CLA. The call to the f ast carry function
computes the output rounding sequence of the CLA and passes
it to the gv adder out function. gv addern function returns
the output Verilog code, which is the body of the generated
Verilog code for the CLA of size n.
Def inition gv addern (n : nat) : string :=
let z := Bitv “c[0]” in
let ′ (ab, c) := mk adder io names n in let abv :=
List.map mk bvar2 ab in gv adder out c (f ast carry abv z).
2) Generating Complete Verilog Code for CLA from Coq:
Use the gv module function to automatically generate the
remaining portion of the Verilog code. n is the number of bits
of the CLA, which corresponds to the bit-width of the signal
parameter when generating the Verilog code.
The gva ddern function in combination with the gvm odule
function can be used to generate complete Verilog code (no
more than 128 bits) for a CLA of arbitrary size. This complete
code can be run directly in Quartus.For example the complete
Verilog code to generate a CLA of size 4 bits is as follows:
module CLA (cout, sum, a, b, cin);
output [4 : 0]sum; output cout; input [4 : 0] a, b;
input cin; wire [5 : 0] g, p, c;
assign c[0] = cin; assign p = a ˆ b; assign g = a & b;
assign c[0] = c[0]; assign c[1] = (g[0]) | ((p[0]) & (c[0]));
assign c[2] = (g[1]) | ((p[1]) & ((g[0]) | ((p[0]) & (c[0]))));
assign c[3] = (g[2]) | ((p[2]) & ((g[1]) | ((p[1])
& ((g[0]) | ((p[0]) & (c[0]))))));
assign cout = (g[3]) | ((p[3]) & ((g[2]) | ((p[2])
& ((g[1]) | ((p[1])& ((g[0]) | ((p[0]) & (c[0]))))))));
assign sum = p ˆ c[4 : 0]; endmodule
3) Verilog Code Running and Simulation in Quartus:
The following shows the running and simulation of the
Verilog code for the 32-bit CLA automatically generated
from Coq in Quartus, where Fig 4 shows the generated RTL
diagram.
 Fig. 4. RTL diagram for 32-bit carry-lookahead adder

R EFERENCES Engineering & Telecommunications, Vol. 3, No. 1, pp. 116-121, January

2014.
[1] Chen, Gang , and F. Liu . Proofs of Correctness and Properties of Integer [18] Raghumanohar Adusumilli and Vinod Kumar K, ”DESIGN AND
Adder Circuits. IEEE Transactions on Computers 59.1(2009):134-136. IMPLEMENTATION OF A HIGH SPEED 64 BIT KOGGE-STONE
[2] G. Chen, X. Song, G. Yang, T. Wang, X. Mu and Y. Fan, A Formal Proof ADDER USING VERILOG HDL,” International Journal of Electrical
of PG Recurrence Equations of Parallel Adders, in IEEE Transactions and Electronic Engineering & Telecommunications, Vol. 4, No. 1, pp.
on Computer-Aided Design of Integrated Circuits and Systems, vol. 40, 13-18, January 2015.
no. 7, pp. 1489-1494, July 2021, doi: 10.1109/TCAD.2020.3015414.
[3] Chen, G. . Formalization of a Parameterized Parallel Adder Within the
Coq Theorem Prover. Computer-Aided Design of Integrated Circuits and
Systems, IEEE Transactions on 29.1(2010):P.149-153.
[4] Lynch, Thomas W. and Earl E. Swartzlander. A Spanning Tree Carry
Lookahead Adder. IEEE Trans. Computers 41 (1992): 931-939.
[5] Wang, Yuke et al. The design of hybrid carry-lookahead/carry-select
adders. IEEE Transactions on Circuits and Systems Ii: Analog and
Digital Signal Processing 49 (2002): 16-24.
[6] O’Donnell, John T. and Gudula Rünger. Derivation of a logarithmic time
carry lookahead addition circuit. J. Funct. Program. 14 (2004): 697-713.
[7] P. Niemann and R. Drechsler, Polynomial-Time Formal Verification of
Adder Circuits for Multiple-Valued Logic, 2022 IEEE 52nd International
Symposium on Multiple-Valued Logic (ISMVL), Dallas, TX, USA,
2022, pp. 9-14, doi: 10.1109/ISMVL52857.2022.00009.
[8] Sae Hwan Kim and Shiu-Kai Chin, Formal verification of tree-
structured carry-lookahead adders, Proceedings Ninth Great Lakes
Symposium on VLSI, Ypsilanti, MI, USA, 1999, pp. 232-233, doi:
10.1109/GLSV.1999.757419.
[9] S. Mathew, M. Anders, R. K. Krishnamurthy, and S. Borkar, A 4-GHz
130-nm address generation unit with 32-bit sparse-tree adder core, IEEE
J. Solid-State Circuits, vol. 38, no. 5, pp. 689–695, May 2003.
[10] Q. Wang, X. Song, M. Gu, and J. G. Sun, Functional verification of
high performance adders in Coq, J. Appl. Math., vol. 2014, 2014, Art.
no. 197252.
[11] S. Roy, M. Choudhury, R. Puri, and D. Z. Pan, Polynomial Time Algo-
rithm for Area and Power Efficient Adder Synthesis in HighPerformance
Designs, IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol.
35, no. 5, pp. 820–831, May 2016.
[12] S. Knowles, A family of adders, in Proc. 15th IEEE Symp. Comput.
Arithmetic, Vail, CO, USA, 2001, pp. 277–284.
[13] S. Roy, M. Choudhury, R. Puri, and D. Z. Pan, Towards optimal
performance-area trade-off in adders by synthesis of parallel prefix
structures, IEEE Trans. Comput.-Aided Design Integr. Circuits Syst.,
vol. 33, no. 10, pp. 1517–1530, Oct. 2014.
[14] F. Liu, X. Song, Q. Tan, and G. Chen, Formal analysis of hybrid
prefix/carry-select arithmetic systems, Comput. J., vol. 54, no. 6, pp.
894–904, Jun. 2011.
[15] F. Liu, X. Song, Q. Tan and G. Chen, Formal Analysis of End-Around-
Carry Adder in Floating-Point Unit, in IEEE Transactions on Computer-
Aided Design of Integrated Circuits and Systems, vol. 29,no.10,pp.1655-
1659,Oct. 2010, doi: 10.1109/TCAD.2010.2052391.
[16] Q. Wang, X. Song, W. N. N. Hung, M. Gu, and J. Sun, Scalable
verification of a generic end-around-carry adder for floating-point units
by Coq, IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol.
34, no. 1, pp. 150–154, Jan. 2015.
[17] Sunil M, Ankith R D, Manjunatha G D and Premananda B S, ”DESIGN
AND IMPLEMENTATION OF FASTER PARALLEL PREFIX KOGGE
STONE ADDER,” International Journal of Electrical and Electronic

14
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY DELHI. Downloaded on April 19,2025 at 09:10:57 UTC from IEEE Xplore. Restrictions apply.