A Computationally Surveyable Proof of the Group Properties of an Elliptic Curve
David M. Russinoff (ARM Ltd.)

TL;DR
This paper provides an elementary, formal, and mechanically verified proof of the group properties of Curve25519, ensuring correctness of its hardware implementation for Diffie-Hellman key exchange.
Contribution
It introduces a computationally surveyable proof of elliptic curve group properties, formalized in ACL2, with steps reproducible in any programming language.
Findings
Proof is formalized and mechanically verified in ACL2.
Proof is computationally surveyable and reproducible.
Ensures correctness of hardware implementation for Diffie-Hellman.
Abstract
We present an elementary proof of the group properties of the elliptic curve known as "Curve25519", as a component of a comprehensive proof of correctness of a hardware implementation of the associated Diffie-Hellman key agreement algorithm. The entire proof has been formalized and mechanically verified with ACL2, and is computationally surveyable in the sense that all steps that require mechanical support are presented in such a way that they may readily reproduced in any suitable programming language.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsCryptography and Residue Arithmetic · Formal Methods in Verification · Cryptographic Implementations and Security
A Computationally Surveyable Proof
of the Group Properties of an Elliptic Curve
David M. Russinoff
Abstract
We present an elementary proof of the abelian group properties of the elliptic curve known as Curve25519, as a component of a comprehensive proof of correctness of a hardware implementation of the associated Diffie-Hellman key agreement algorithm. The entire proof has been formalized and mechanically verified with ACL2, and is computationally surveyable in the sense that all steps that require mechanical support are presented in such a way that they may be readily reproduced in any suitable programming language.
1 Introduction
An effort is under way at Intel to develop and verify a formal model and a hardware implementation of the elliptic curve key agreement algorithm known as Curve25519 [3], using ACL2. The most challenging aspect of this problem is the proof of the abelian group properties of the curve, especially associativity. This result may be viewed either as a deep theorem of algebraic or projective geometry [7, 4], accessible only to experts in that field, or as an elementary but computationally intensive arithmetic exercise, involving, as Bernstein [3] observes, “standard (but lengthy) calculations”. Silverman and Tate [11] attempt to quantify the effort with a “tongue-in-cheek estimate”:
Of course, there are a lot of cases to consider …. But in a few days you will be able to check associativity using these formulas. So we need say nothing more about the proof of the associative law!
What remains to be said is that there is compelling evidence (see below) that an elementary hand proof of this result is a practical impossibility. The first serious attack on the problem, by Friedl [5], was a combination of mathematical analysis and symbolic computation with the CoCoA (Computations in Commutative Algebra) package. Building on Friedl’s results, Théry [12] later developed a comprehensive formal proof with Coq. (Both papers address the somewhat more general class of Weierstrass curves rather than the one on which we focus here, but there is no difference in computational complexity.) These two efforts, which together represent a significant achievement, may be contrasted in the terminology of automated reasoning [2]: Friedl’s work is accepting insofar as it treats CoCoA as a trusted oracle, whereas Théry’s proof is autarkic by virtue of performing all logical deductions and supporting computations within the same formal system.
From a traditional mathematical perspective, however, both of these results are open to the same common criticism of computer-assisted proofs. There is general agreement in the mathematical community that it is desirable for a proof to be surveyable in the sense that each of its assertions could be derived manually by a competent reader as a logical consequence of preceding assertions and otherwise established results, and that the proof is short enough to be comprehended. One goal behind this principle is correctness, but equally important is the desire for mathematical growth—the propagation and advancement of techniques and ideas.
In the realm of computing, this is often an unattainable objective—reliance on a mechanical proof assistant may be unavoidable. It is common to find in a published proof in this field, in lieu of a cogent argument, an appeal to the authority of an established proof system. This device is a stark realization of Tymoczko’s allegory of the infallible Martian genius whose proclamations go unquestioned—proof by “Simon Says” [13]. It may provide evidence of correctness but does little to illuminate the underlying mathematics.
Dependence on mechanical assistance, however, need not preclude a full exposition of a proof. For example, the correctness of a hardware divider typically depends on a relation between the value and indices of each entry of an array that is too large to be either generated or checked by hand, but it should be possible to characterize the computation in such a way that it can be understood and machine-checked by the skeptical reader.
This suggests a judicious weakening of the conventional notion of surveyability. A proof may be said to be computationally surveyable if its only departure from that notion is its dependence on unproved assertions that satisfy the following criteria:
- (1)
The assertion pertains to a function for which a clear constructive definition has been provided, and merely specifies the value of that function corresponding to a concrete set of arguments.
- (2)
The computation of this value has been performed mechanically by the author of the proof in a reasonably short time.
- (3)
A competent reader could readily code the function in the programming language of his choice and verify the asserted result on his own computing platform.
Such a proof, though still objectionable to those who insist on strict surveyability, can convey a comprehensive understanding of a theorem and is susceptible to a process of social review, thus oppugning a commonly stated basis for the objection.
Neither of the treatments of the elliptic curve group properties cited above attempts such a proof, perhaps because the supporting tool or its application to the problem at hand is too complicated to admit a concise specification. Thus, Friedl simply attributes unproved results to CoCoA, while Théry’s claims depend on an undisclosed “tactic” that has reportedly been implemented in Coq.
An integrated computationally surveyable proof of a result of this sort, which combines subtle mathematical analysis with intensive computation, is best carried out with the support of an interactive prover based on an efficient executable logic. We shall present such a proof of this theorem that has been formalized and mechanically checked in its entirety with ACL2. The computational results for which we rely solely on ACL2 for verification, as opposed to proof checking, (all of which are in Section 7) are labeled as Computations, and are thus clearly distinguished from other steps in the proof, which are listed as Lemmas. All computations are performed on S-expressions and are most naturally performed in LISP, but can be readily implemented in any language that provides linked lists. Moreover, our exposition is confined to conventional mathematical terminology and notation, with no reference to the ACL2 logic.
Our proof benefits significantly from the two earlier efforts, both in its overall approach and through its appropriation of specific lemmas. In particular, we follow [12] in the representation of polynomials in sparse Horner normal form, using a normalization procedure adapted from [6]. Furthermore, our Lemmas 2.1, 2.2, and 7.7 are variants of results found in [12] (two of which are inherited from [5]).
The supporting materials for this paper include several subdirectories of books/projects in the ACL2 repository. The main script resides in curve25519. The basis of Curve25519 is the primality of , which is proved in quadratic-reciprocity by Pratt’s method [8]and explained in [10]. Fermat’s Theorem ( when is not divisible by ), which allows the inversion operator in the field to be defined as , is also formalized in quadratic-reciprocity.
Our formalization of sparse Horner normal forms is in the subdirectory shnf. Following [6], we define an efficiently computable normalization of polynomial terms and an evaluation function on normal forms, and prove equality between the value of a polynomial and that of its representation, for all variable assignments. Thus, the equivalence of two polynomials we may be established by computing their normalizations and observing that they coincide.
Of course, the utility of this method rests on the property of completeness: equivalent polynomials always produce the same representation. According to the authors of the Coq proof, which does not address this property, it cannot even be stated within their formal framework. Our development includes a constructive proof of this result that we have formalized in ACL2, based on a function that computes, for a given pair of two polynomials, a list of variable assignments for which the values of the polynomials differ, whenever such a list exists. This result is not required for our present purpose, but is documented elsewhere [9].
The distinguishing features of our proof that enable the objective of computational surveyability are (1) a specialized rewriting procedure that reduces the normal form of a polynomial according to the curve equation (Definition 5.5), and (2) an encoding of group elements as integer triples, which facilitates symbolic computation of the group operation (Definition 6.3). Both of these functions require automated computation but admit concise specifications and correctness proofs. Furthermore, a modest improvement in efficiency over the more general Coq proof tactic is suggested by a comparison of execution times of the three computational results of [12] (9.2, 3.9, and 18.8 seconds for spec3_assoc, spec2_assoc, and spec3_assoc, respectively) and our versions of the same computations (3.78, 0.36, and 3.8 seconds for Computations 7, 8, and 9). We exploit this facility by performing several more intensive computations, thereby eliminating much of Théry’s analysis, which he characterizes as “really tedious”. In particular, Computation 10, which is proved in 26.2 seconds, disposes of a critical case of associativity. It is also worth noting that if the polynomial involved in this result were expanded into a sum of monomials, as might be done in a direct hand proof based on “standard computations”, the number of terms would exceed . Clearly, the reader who completes such a proof “in a few days” is exceptionally good with figures.
2 Curve25519
Let and . The primality of is proved in [10]. The field of order is the set with the operations of addition and multiplication modulo . Every naturally corresponds to the field element , which we denote as . The field operations will be denoted by the usual symbols: if , , and , then “”, “”, “”, “”, or “” may refer to an operation in either or , depending on context, whereas “” will only denote an operation in .
Definition 2.1
.
Our goal is to show that is an abelian group under the following operation:
Definition 2.2
Let and .
- (1)
.
- (2)
If , then .
- (3)
If , , and \lambda=\left\{\begin{array}[]{ll}\frac{y_{\_}2-y_{\_}1}{x_{\_}2-x_{\_}1}&\mbox{if x_{_}1\neq x_{_}2}\\ \frac{3x_{\_}1^{2}+2Ax_{\_}1+1}{2y_{\_}1}&\mbox{if x_{_}1=x_{_}2,}\end{array}\right. then , where and
Clearly, is the identity element, the inverse of is , and according to Corollary 1 of [10], the origin is the only element of order 2.
Remark. If we consider Definition 2.1 as an equation over instead of , then Definition 2.2 admits a simple geometric interpretation. Except when , the line connecting points and on the curve (or the tangent line at , in case ) intersects the curve at another point, . If we were to define the operation as , then analytic geometry would yield the formula in the definition. If , the third point of intersection is taken to be .
In the sequel, we shall assume that , , and are fixed elements of that are distinct from (but not necessarily from one another), in order to obviate repetition of such hypotheses. Any result pertaining to these points may be generalized by replacing them with arbitrary finite points of . We begin with two simple consequences of Definition 2.2.
Lemma 2.1
.
Proof: Suppose . Equating -coordinates, we have , which implies and hence (since is of odd characteristic ) , which implies . But cannot be 0, as this would imply . Thus, the equation reduces to
[TABLE]
which implies , contradicting .
Lemma 2.2
If , then either or .
Proof: If , then
[TABLE]
which implies . Similarly, if , then
[TABLE]
Therefore, we may assume . Equating the -coordinates of and , we have
[TABLE]
which implies , and hence either or .
3 Encoding Points on the Curve as Integer Triples
Our scheme for symbolic computation of the group operation is based on a mapping from to :
Definition 3.1
If , where is not divisible by , then
[TABLE]
and is said to be an encoding of .
Note that every admits the canonical encoding .
The motivation for this definition is that an encoding of can often be readily derived from encodings of and in certain cases of interest. We define a partial addition operation on corresponding to Definition 2.2:
Definition 3.2
Given and , is defined in two cases:
- (1)
If , then , where
[TABLE]
- (2)
If and , then , where
[TABLE]
Lemma 3.1
Let and , where is defined and if , then and . Then .
Proof: The arithmetic operations below are to be understood as operations in on the field elements corresponding to the integers involved.
We first consider the case . Let
[TABLE]
Then , where
[TABLE]
and
[TABLE]
Thus, .
In the remaining case, we have and . Let
[TABLE]
Then , where
[TABLE]
and
[TABLE]
Thus, .
4 Polynomial Terms and Sparse Horner Normal Form
In this section, we describe our formalization of sparse Horner forms as S-expressions. For this purpose, an S-expression is an integer, a symbol, or an ordered list of S-expressions. In the last case, , and for , we define . The set of all lists whose members are confined to a set is .
Under the usual ACL2 encoding of multi-variable polynomials, a polynomial term over a list of variable symbols is an S-expression constructed from integers and symbols in using the symbols +, -, *, and EXPT. The function evalp evaluates a term according to an alist that associates variables with integer values in the natural way. For example, if and , then is a term over and . The set of all polynomial terms over is denoted .
We shall represent polynomial terms as objects of the following type:
Definition 4.1
A sparse Horner form (SHF) is any of the following:
- (a)
An integer;
- (b)
A list (POP ), where and is a SHF
- (c)
A list (POW ), where and and are SHFs.
A SHF is normal if its components are normal and it is not either of the following:
- (a)
(POP ), where or or (POP );
- (b)
(POW ), where or (POW ).
* denotes the set of all normal SHFs, or SHNFs.*
The evaluation of a SHF with respect to a list of integers is defined as follows:
Definition 4.2
Let h be a SHF and let .
- (a)
If , then .
- (b)
If , then then .
- (c)
If and , then .
- (d)
If and (), then .
Our objective is to define, for a given variable list (), a mapping such that if () and (()()), then
[TABLE]
Thus, if two polynomials produce the same normal form, then they are equivalent.
A possible top-down approach to the definition of is as follows:
- (1)
If is an integer constant, then .
- (2)
Suppose occurs in . Find polynomials and such that , is not divisible by , and does not occur in . If and , then
[TABLE]
- (3)
Suppose does not occur in . Let be the first variable in that does occur in . If , then
[TABLE]
For example, consider the polynomial with variable ordering . Rewriting the polynomial as
[TABLE]
we find that the normalization is , where and . Continuing recursively, we arrive at the final result:
(POW 3 (POW 1 (POP 1 (POW 2 4 0)) 3)
(POP 1 (POW 4 2 5))).
It may be instructive to check that the value of this SHF for the list of values , for example, and the value of the represented polynomial for the corresponding alist, are both 207.
It is not difficult to see that a SHF generated by this procedure is indeed normal. Unfortunately, this approach is impractical because of the general difficulty of constructing the polynomials and in Case (2). Our preferred definition will provide a more efficient bottom-up procedure. We begin with the two basic normalizing functions pop and pow:
Definition 4.3
Let and .
- (a)
If or , then .
- (b)
If , then .
- (c)
Otherwise, .
Definition 4.4
Let , , and .
- (a)
If , then .
- (b)
If , then .
- (c)
Otherwise, .
The following properties of these functions are immediate consequences of the definitions:
Lemma 4.1
Let , , , and .
- (a)
* and .*
- (b)
If , then and .
We also define a ring structure on , Once we have computed the SHNFs for polynomials and , the ring operations “” and “” compute those for and .
Definition 4.5
Let and .
- (1)
If , then
- (a)
* and .*
- (b)
* and .*
- (c)
* and .*
- (2)
If , then and .
- (3)
If and , then
- (a)
* and .*
- (b)
* and .*
- (c)
* and .*
- (4)
If and , then
- (a)
* and .*
- (b)
* and .*
- (5)
If and , then and .
- (6)
If and , then
- (a)
.
- (b)
**
- (c)
.
- (d)
.
The definitions of negation and exponentiation are straightforward:
Definition 4.6
Let .
- (1)
If , then .
- (2)
If , then .
- (3)
If , then .
Definition 4.7
If and , then
[TABLE]
The following properties are easily proved by induction:
Lemma 4.2
Let , , , and .
- (a)
* and .*
- (b)
* and .*
- (c)
* and .*
- (d)
* and .*
We can now define the normalization procedure:
Definition 4.8
If , where is a list of distinct symbols, then
- (1)
.
- (2)
, .
- (3)
.
- (4)
.
- (5)
.
- (6)
.
- (7)
.
The reader may wish to check that the SHNF for the polynomial with respect to the variable list is once again
(POW 3 (POW 1 (POP 1 (POW 2 4 0)) 3)
(POP 1 (POW 4 2 5))).
Lemma 4.3
Let , where is a list of distinct symbols. Let be a list of integers with and
[TABLE]
Then and
[TABLE]
Proof: The case follows from Definition 4.2 and Lemma 4.1; the other cases follow from Definition 4.2, induction, and Lemma 4.2.
5 Polynomial Reduction
We shall focus on the case of a list of variables corresponding to the coordinates of the points , , and , as characterized in Section 2. We define the following lists:
Definition 5.1
(Y0 Y1 Y2 X0 X1 X2), (), and
((Y0 ) (Y1* ) (Y2 ) (X0 ) (X1 ) (X2 ))*
We abbreviate as , and for we abbreviate as .
The ordering of the variable list is designed to maximize the efficiency of the rewriting procedure defined below. This procedure operates on a SHF that represents a polynomial with respect to , which is effectively reduced, using the curve equation as a rewrite rule, to a polynomial that (a) has the same value (modulo ) as the given polynomial under the variable assignments of and (b) is at most linear in each of the variables Y.
The core of the rewriter is the function split, which reduces and splits a polynomial term into a sum of two polynomials, of which one is independent of a given Y and the other is linear in Y. More precisely, if and , then computes a pair of SHNFs that represent these polynomials.
The following SHNF is used in the reduction:
Definition 5.2
(POP (POW (POW (POW ) ) [math])).
Lemma 5.1
If , then .
Proof: This may be derived by expanding the definition of evalh.
Definition 5.3
Let , , and .
- (1)
If or , then .
- (2)
If , (POP ), and , then
[TABLE]
- (3)
Let (POW), , and .
- (a)
If , then
[TABLE]
- (b)
If and is even, then
[TABLE]
- (c)
If and is odd, then
[TABLE]
Lemma 5.2
Let , where , , and . Then .
Proof: We may assume that ; otherwise the claim is trivial. The proof is by induction on the structure of . The case (POP ) is straightforward:
[TABLE]
Suppose (POW ). By the definition of evalh,
[TABLE]
If , then this may be written as
[TABLE]
We may assume, therefore, that . If is even, then
[TABLE]
and similarly,
[TABLE]
if is odd, then we may rearrange the above expression for as
[TABLE]
which similarly reduces to .
Definition 5.4
If , , and , then
[TABLE]
Lemma 5.3
If , , and , then .
Proof: We instantiate Lemma 5.2 with and invoke Lemma 4.2.
Definition 5.5
If , then
[TABLE]
Lemma 5.4
If , then .
Proof: This is a consequence of Lemmas 5.3 and 4.3).
6 Encoding Points on the Curve as Term Triples
The evaluation of terms induces a mapping from to :
Definition 6.1
For , and if is not divisible by , then .
Clearly, under the following definitions, and .
Definition 6.2
* and for , .
Definition 3.2 suggests a partial addition on corresponding to the group operation on . This in combination with normalization (Definition 4.8) and reduction (Definition 5.5) will provide a practical means of establishing equivalence between expressions constructed from the above points by nested applications of , while avoiding the intractable task of explicitly computing those expressions.
Definition 6.3
For and , is defined in the following cases:
- (1)
If , then , where
[TABLE]
[TABLE]
[TABLE]
[TABLE]
- (2)
If and , then , where
[TABLE]
[TABLE]
[TABLE]
Lemma 6.1
Let and with , , and defined. Assume that if , then , and otherwise . Then .
Proof: Let . Clearly, the hypothesis implies that is defined. In light of Lemma 3.1, we need only show that .
We shall examine the case ; the remaining case is similar. Let , , and
[TABLE]
According to Definition 6.3,
(* 2 (* ))
and it is clear from the definition of evalp that
[TABLE]
It may similarly be shown that and . Thus,
[TABLE]
We also define a negation operator, with the obvious property:
Definition 6.4
For , .
Lemma 6.2
If and , then .
The next two lemmas, which combine the results of this section with those of Section 5, will be critical in establishing the group axioms: Lemma 6.3 for closure and Lemma 6.4 for commutativity and associativity.
Definition 6.5
Given , let
(- (EXPT ) (+ (EXPT ) (+ (* (EXPT (* ) )) (* (EXPT ))))).Then is an EC-encoding if .
Lemma 6.3
If is an EC-encoding and , then .
Proof: Let , , and . Then
[TABLE]
and
[TABLE]
By Lemma 5.4, , and therefore, in the field ,
[TABLE]
Dividing this equation by yields
[TABLE]
Definition 6.6
Given and , let
(* (EXPT * )),** ** ( (EXPT * )),*
(* (EXPT * )),** ** ( (EXPT * )).*
Then .
Lemma 6.4
Let and . If , , and , then .
Proof: Let , , , and . Then by Lemma 5.4,
[TABLE]
and
[TABLE]
Thus, in the field ,
[TABLE]
7 Abelian Group Axioms
It must be shown that if , then and . We may assume that the points are finite, since each of these properties is trivial otherwise, and without loss of generality, we may confine our attention to the fixed points , , and .
Computations 1–11 below are computational results of evaluating the functions that are specified by Definitions 5.5 (term reduction), 6.3 (addition of term triples), 6.4 (negation of a term triple), 6.5 (EC-encoding recognizer), and 6.6 (equivalence of term triples). The lemmas of this section are derived from these results using the corresponding Lemmas 5.4, 6.1, 6.2, 6.3, and 6.4.
Computation 1
* and are EC-encodings.*
Lemma 7.1** (Closure)**
.
Proof: If , then by Computation 1, Definition 6.2 and Lemmas 6.1,
[TABLE]
and by Lemma 6.3, . Similarly, .
Computation 2
.
Lemma 7.2** (Commutativity)**
.
Proof: We may assume . By Computation 2 and Lemmas 6.1 and 6.4,
[TABLE]
All remaining results pertain to associativity.
Computation 3
.
Computation 4
.
Lemma 7.3
.
Proof: This follows from Computations 3 and 4 and Lemmas 5.4, 6.1, 6.2, and 6.4.
Computation 5
.
Computation 6
**
Lemma 7.4
If , then .
Proof: This follows similarly from Computations 5 and 6.
Computation 7
.
Computation 8
.
Lemma 7.5
If and , then
[TABLE]
Proof: The claim follows immediately from Computations 7 and 8 and Lemmas 5.4, 6.1, and 6.4 except in the cases , , , and . We need only consider the first two of these cases; the other two are similar. Moreover, since , the second case is subsumed by the first. Thus, we may assume . Now (the left-hand side) is and by Lemma 7.4, .
Computation 9
.
Computation 10
.
Lemma 7.6
If , , and , then .
Proof: The case is trivial and the case is precluded by Lemma 2.1. All other cases are handled by Computations 9 and 10 and Lemmas 5.4, 6.1, and 6.4.
Computation 11
Let , ,
[TABLE]
and
[TABLE]
Then .
Lemma 7.7
If , then .
Proof: First note that we may assume that , for if , then
[TABLE]
and if , then
[TABLE]
contradicting . Furthermore, if , then , contradicting Lemma 2.1. Thus, we have and .
Retaining the notation of Computation 11, let
[TABLE]
and
[TABLE]
It follows from the definition of evalp that
[TABLE]
and
[TABLE]
By Lemma 6.1,
[TABLE]
and hence , which implies .
By Computation 11 and Lemma 5.4, , which implies . Thus, by Lemma 6.1,
[TABLE]
which implies . We need only consider the case .
Suppose that . Then , and by Lemma 7.10,
[TABLE]
Thus,
[TABLE]
By Lemma 2.2, , and hence .
Lemma 7.8
If , then .
Proof: and by Lemma 7.3,
[TABLE]
Therefore, we must show that .
If , then this follows from Lemma 7.4. On the other hand, if , then by Lemmas 7.7 and 7.3,
[TABLE]
Lemma 7.9
.
Proof: By Lemma 7.8, we may assume and . By Lemmas 2.1 and 7.5, we may assume that .
If , then
[TABLE]
But if , then the claim follows from Lemma 7.6.
Two final computations are required for the case and :
Computation 12
.
Computation 13
.
Lemma 7.10
.
Proof: We may assume that . Since Lemma 2.1 implies , it follows from Computation 13 that . Thus, the claim reduces to , which follows from Computation 12.
Lemma 7.11** (Associativity)**
.
Proof: By Lemmas 7.6 and 7.8, we may assume , and . By Lemma 7.6, we need only eliminate the cases and .
If , then and by Lemmas 7.3 and 7.7,
[TABLE]
Finally, if , then Lemma 7.9 implies , Lemma 2.1 then implies , and the claim follows from Lemma 7.10.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1]
- 2[2] Henk Barendregt & Erik Barendsen (2002): Autarchic Computations in Formal Proofs . Journal of Automated Reasoning 28, pp. 321–336, 10.1023/A:1015761529444 . · doi ↗
- 3[3] Daniel J. Bernstein (2006): Curve 25519: New Diffie-Hellman Speed Records . In: 9th International Conference on Theory and Practice of Public Key Cryptography , Springer, pp. 207–228, 10.1007/1174585314 . · doi ↗
- 4[4] Daniel J. Bernstein & Tanja Lange (2011): A Complete Set of Addition Laws for Incomplete Edwards Curves . Journal of Number Theory 131, pp. 858–872, 10.1016/j.jnt.2010.06.015 . · doi ↗
- 5[5] Stefan Friedl (1998): An Elementary Proof of the Group Law for Elliptic Curve .
- 6[6] Benjamin Gregoire & Assia Mahboubi (2005): Proving Equalities in a Commutative Ring Done Right in Coq . In: Proceedings of the 18th International Conference on Theorem Proving in Higher Order Logics , Springer-Verlag, pp. 98–113, 10.1007/115418687 . · doi ↗
- 7[7] Henri Poincaré (1901): Sur les Propriétés Arithmetiques des Courbes Algébriques . Lournalde Mathématiques Pures et Appliuées 7, pp. 121–233.
- 8[8] Vaughn Pratt (1975): Every Prime Has a Succinct Certification . SIAM Journal on Computing 4, 10.1137/0204018 . · doi ↗
