Toward Formal Construction of Assembly Arithmetic Functions from Pseudo-code∗

Most cryptographic software relies on arithmetic functions, and these functions must be implemented correctly and efficiently. In practice, they are written by hand directly in assembly and undergo costly testing. Proof-assistants provide a way to avoid testing without sacrificing efficiency, but formal verification of low-level code is technically difficult. We propose a way to address the scalability issues raised by the formal verification of large arithmetic functions. We advocate formal construction from pseudo-code to split the effort into formal verification of an idealized implementation written in pseudo-code and a formal proof that this pseudo-code simulates the target assembly program. In this setting, properties of the assembly program can be derived from proofs at the simpler level of pseudo-code. As for the formal proof of the simulation, it can be made systematic, in particular when the target assembly program is built out of a library of more basic but already verified arithmetic functions. We illustrate this approach with preliminary but concrete examples.