PolyAdd: Polynomial Formal Verification of Adder Circuits by Drechsler, Rolf
PolyAdd: Polynomial Formal Verification of Adder Circuits∗
Rolf Drechsler
Institute of Computer Science
University of Bremen
28359 Bremen, Germany
drechsler@uni-bremen.de
Abstract
Only by formal verification approaches can functional correctness be ensured. While for many circuits fast verification is possible, in other cases the approaches fail. In general no efficient algorithms can be given, since the underlying verification problem is NP-complete.

In this paper we prove that for different types of adder circuits polynomial verification can be ensured based on BDDs. While it is known that the output functions for addition are polynomially bounded, we show in the following that the entire construction process can be carried out in polynomial time. This is shown for the simple Carry Ripple Adder, but also for fast adders like the Conditional Sum Adder and the Carry Look Ahead Adder. Properties about the adder function are proven and the core principle of polynomial verification is described that can also be extended to other classes of functions and circuit realizations.
1. Introduction
Ensuring the functional correctness of circuits and systems is one of the major challenges in today's circuit and system design. While simulation and emulation approaches reach their limits due to the complexity of the system under verification according to Moore's Law, only formal proof techniques can ensure correctness according to the specification (see e.g. [7, 8]). In these approaches proof engines, like BDD, SAT or SMT, are applied.

In practice these techniques often work well and can handle circuits of several million gates. But it might also happen that the proof fails due to run time or memory constraints. One of the major difficulties is that this can hardly be predicted, resulting in non-robust behavior of the tools. For this, a deeper understanding is required of which circuits can be handled efficiently and for which ones the formal approach will fail.

∗Parts of this work have been supported by DFG within the Reinhart Koselleck Project PolyVer: Polynomial Verification of Electronic Circuits (DR 287/36-1).
In the context of the highly relevant class of arithmetic circuits, early studies on BDDs have shown that they are not well-suited to verify multipliers [5], but using dedicated data structures, like *BMDs [6], it was possible to represent the output functions of a multiplier polynomially. In [11] it has been shown that not only the outputs can be represented, but for a specific type of Wallace tree multiplier the complete verification can be carried out polynomially.
In this paper, we consider circuits for the addition of two binary numbers. While it is well known that the BDD size for the adder function is only linear in the bit size [4], we show that the complete construction process of the BDD is also bounded polynomially. This is shown for three different adder architectures, namely the Carry Ripple Adder (CRA), the Conditional Sum Adder (CSA) and the Carry Look Ahead Adder (CLA). Theoretical bounds on the BDD sizes are proven and it is shown that the complete symbolic simulation starting from the inputs to the outputs of the circuit can be carried out polynomially. Furthermore, for specific functions upper bounds on the BDD size are proven.

The paper is structured as follows: In Section 2 notations and definitions are reviewed to make the paper self-contained. The adder function and BDDs are introduced. For the three adders the circuit realization is reviewed in Section 3. In Section 4 it is proven for the three adder architectures that formal verification can be done efficiently. Finally, the results are summarized and open problems are addressed.
2. Notation and Definition
Let $f : \mathbb{B}^n \to \mathbb{B}$ be a Boolean function over the variable set $X_n = \{x_1, \ldots, x_n\}$.
arXiv:2009.03242v2 [cs.AR] 8 Sep 2020
2.1. Adder Function
Let a, b and s be three binary numbers of n bits, where s is the sum of a, b and an incoming carry bit $c_{-1}$. The relation between the sum s and the operands a and b can be described by the following two equations:

$\forall\, 0 \le i \le n-1: \quad c_i = a_i b_i \lor a_i c_{i-1} \lor b_i c_{i-1}$ (1)

$\forall\, 0 \le i \le n-1: \quad s_i = a_i \oplus b_i \oplus c_{i-1}$ (2)

The variable $c_i$ is called the i-th carry bit.
The core cells of many adder architectures are the Half Adder (HA) and Full Adder (FA) cells realizing a 1-bit addition without or with carry input, respectively.

The function table of the HA is shown in the following table:

  a_i  b_i | ha_1  ha_0
   0    0  |  0     0
   0    1  |  0     1
   1    0  |  0     1
   1    1  |  1     0

It is easy to see that the function $ha_1$ can be realized by an AND-gate, while $ha_0$ is described by an $\oplus$-gate, i.e.:

$ha_1 = a_i \cdot b_i \qquad ha_0 = a_i \oplus b_i$

Analogously it follows for the FA with inputs $a_i$, $b_i$ and $c_{i-1}$:

$fa_1 = a_i b_i \lor c_{i-1}(a_i \lor b_i) \qquad fa_0 = a_i \oplus b_i \oplus c_{i-1}$
2.2. Binary Decision Diagrams
Reduced ordered Binary Decision Diagrams (BDDs) [4, 9] are Directed Acyclic Graphs (DAGs) where a Shannon decomposition

$f = \overline{x_i}\, f_{\overline{x_i}} + x_i\, f_{x_i} \qquad (1 \le i \le n)$

is carried out in each node.
Example 1. The BDD for the full adder is shown in Figure 1.
An important property of BDDs is that the synthesis operations, like AND, OR or composition, can be carried out in polynomial time and space. This can be described by the operator if-then-else (ite) [4, 3]¹. A sketch of the algorithm is as follows, where $R_h$ and $R_l$ denote the high- and low-successors, respectively, and e.g. $F_{1_i}$ is the cofactor to 1 with respect to variable $x_i$:

¹Notice that in the following for the discussion and the proofs BDDs without complemented edges are considered.

Figure 1. BDD for full adder
ite(F,G,H) {
  if (terminal case OR
      (F,G,H) in computed-table) {
    return result;            /* F constant, G = H, or the cached result */
  } else {
    let xi be the top variable of (F,G,H);
    Rh = ite(F1i,G1i,H1i);    /* cofactors with xi = 1 */
    Rl = ite(F0i,G0i,H0i);    /* cofactors with xi = 0 */
    if (Rh = Rl) return Rh;   /* reduction: xi is redundant here */
    R = find_or_add_unique_table(xi,Rl,Rh);   /* canonical node for xi */
    insert_computed_table(F,G,H,R);
    return R;
  }
}
The ite-operator has a polynomial worst case behavior, i.e. for graphs F, G and H the result is bounded by $O(|F| \cdot |G| \cdot |H|)$. This bound holds under the assumption of an optimal hashing in O(1). But also in the case of a worst case behavior of the hashing function, ite remains polynomial (see [10]).
2.3. Symbolic Simulation
To build the BDDs for the output signals of a circuit, the circuit is traversed in a topological order starting from the inputs. For the input signals the corresponding BDDs are initially generated. Then, for each gate in the circuit the corresponding synthesis operation based on ite is carried out. This process is called symbolic simulation in the following.

Example 2. The symbolic simulation for a circuit consisting of a single AND gate is shown in Figure 2.

Figure 2. Symbolic simulation for AND gate
3. Circuit Realization

In this section different realizations for adder circuits are briefly reviewed. Only the basic principles are reviewed as far as it is needed for making the paper self-contained. For more details see [2].

3.1. Carry Ripple Adder

The Carry Ripple Adder (CRA) simply consists of a sequence of n full adders. The cells are connected via the carry chain (see Figure 3).

Figure 3. Carry Ripple Adder

The CRA is very area efficient, since it only requires a linear number of gates. But the CRA is also very slow, since the delay – measured in the number of gates that have to be traversed – is also linear in the number of inputs.
3.2. Conditional Sum Adder
The Conditional Sum Adder (CSA) can be recursively described. While the lower n/2 bits are computed by a CSA of bit-width n/2, for the higher n/2 bits the result is computed by two CSAs in parallel, where one assumes an incoming carry, while the other does not. Thus, the adder makes use of the fact that the higher bits only depend on the incoming carry from the lower half. Both results are precomputed and the correct result is selected by a multiplexer stage. The computation scheme is shown in Figure 4. For the 1-bit adders, simply full adders can be used.

Figure 4. Conditional Sum Adder

The CSA is a fast adder, i.e. it has a depth of O(log(n)). The circuit has a gate count of O(n · log(n)).
3.3. Carry Look Ahead Adder
The Carry Look Ahead Adder (CLA) makes use of a fast prefix computation in a block $P_n$ (see Figure 5). From Equation (2) it is obvious that it is sufficient to compute the carry bits $c_i$ for all i. This can be done based on parallel prefix computation of the generation and propagation properties for addition. These are described by the functions g and p, respectively:

1. For $0 \le i < n$: $p_{i,i} = a_i \oplus b_i$, $g_{i,i} = a_i b_i$
2. For $i \le k < j$: $p_{j,i} = p_{k,i}\, p_{j,k+1}$, $g_{j,i} = g_{j,k+1} + (g_{k,i}\, p_{j,k+1})$

This means that either a carry bit is generated in the upper part or a carry is generated in the lower part and is propagated through the higher part. Thus, the carry bits can be computed as ($0 \le i < n$):

$c_i = g_{i,0} + p_{i,0}\, c_{-1}$

The CLA has a logarithmic depth and a size linear in the number of input variables.
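The three architectures of Section 3 as executable bit-level models, an added example that is not part of the paper or of the PolyVer project. Each adder is a function on lsb-first bit lists with the incoming carry $c_{-1}$ as a separate argument; the CSA follows the recursive split with two precomputed upper halves and a MUX, and the CLA runs the prefix recursion for g and p at doubling distances (a Kogge-Stone style schedule, which is a choice of this example since the paper fixes no particular prefix structure) and then derives $c_i = g_{i,0} + p_{i,0} c_{-1}$. An exhaustive check compares all three against integer addition, which is the ground truth the later BDD proofs are about.

```python
# Bit-level models of the three adder architectures of Section 3.
# Added example, not the paper's code. Bit vectors are lists of 0/1
# with index 0 the least significant bit; c_in is the incoming carry c_-1.
from typing import List, Tuple

Bits = List[int]

def full_adder(a: int, b: int, c_in: int) -> Tuple[int, int]:
    """FA cell: (sum, carry) following Equations (2) and (1)."""
    return a ^ b ^ c_in, (a & b) | (a & c_in) | (b & c_in)

def carry_ripple(a: Bits, b: Bits, c_in: int) -> Tuple[Bits, int]:
    """CRA: n full adders chained along the carry (linear depth)."""
    s, c = [], c_in
    for ai, bi in zip(a, b):
        si, c = full_adder(ai, bi, c)
        s.append(si)
    return s, c

def conditional_sum(a: Bits, b: Bits, c_in: int) -> Tuple[Bits, int]:
    """CSA: lower half by one CSA; upper half computed twice, for carry 0
    and carry 1, with the lower half's carry selecting via a MUX."""
    n = len(a)
    if n == 1:
        s, c = full_adder(a[0], b[0], c_in)
        return [s], c
    h = n // 2
    lo_s, lo_c = conditional_sum(a[:h], b[:h], c_in)
    hi0_s, hi0_c = conditional_sum(a[h:], b[h:], 0)
    hi1_s, hi1_c = conditional_sum(a[h:], b[h:], 1)
    return lo_s + (hi1_s if lo_c else hi0_s), (hi1_c if lo_c else hi0_c)

def carry_look_ahead(a: Bits, b: Bits, c_in: int) -> Tuple[Bits, int]:
    """CLA: parallel prefix over (g, p). Distances double each level
    (Kogge-Stone schedule, a choice of this example); after ceil(log2 n)
    levels position i holds g_{i,0} and p_{i,0}."""
    n = len(a)
    g = [ai & bi for ai, bi in zip(a, b)]   # g_{i,i}
    p = [ai ^ bi for ai, bi in zip(a, b)]   # p_{i,i}
    d = 1
    while d < n:
        # descending i keeps (g[i-d], p[i-d]) at this level's input values;
        # position i is the upper interval, position i-d the lower one
        for i in range(n - 1, d - 1, -1):
            g[i] = g[i] | (p[i] & g[i - d])  # g_{j,i} = g_{j,k+1} + g_{k,i} p_{j,k+1}
            p[i] = p[i] & p[i - d]           # p_{j,i} = p_{k,i} p_{j,k+1}
        d *= 2
    c = [gi | (pi & c_in) for gi, pi in zip(g, p)]        # c_i = g_{i,0} + p_{i,0} c_-1
    s = [a[i] ^ b[i] ^ (c[i - 1] if i else c_in) for i in range(n)]  # Equation (2)
    return s, c[-1]

def to_bits(x: int, n: int) -> Bits:
    return [(x >> i) & 1 for i in range(n)]

def from_bits(bits: Bits) -> int:
    return sum(bit << i for i, bit in enumerate(bits))

ADDERS = (carry_ripple, conditional_sum, carry_look_ahead)

def exhaustive_check(n: int) -> bool:
    """All three adders agree with integer addition on every n-bit input."""
    for x in range(1 << n):
        for y in range(1 << n):
            for c_in in (0, 1):
                for adder in ADDERS:
                    s, c_out = adder(to_bits(x, n), to_bits(y, n), c_in)
                    if from_bits(s) + (c_out << n) != x + y + c_in:
                        return False
    return True
```

`exhaustive_check(4)` and `exhaustive_check(5)` both return True; the odd width exercises the CSA split with unequal halves. The in-place prefix update only works because the loop runs from the top bit downwards, so each position reads its partner before that partner is overwritten.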
4. Polynomial Verification
It is well known that the size of BDDs for the adder function is dependent on the variable ordering. It has also been proven that the BDD size is linearly bounded (see Section 4.4 in [12]), where exact estimates are given for BDD sizes. There, addition without the incoming carry bit has been considered. The results can be extended to also consider the incoming carry bit as it is required for all adder circuits in the following.
Figure 5. Carry Look Ahead Adder
Theorem 1.
1. The sum bit $s_i$ of an adder has a BDD size bounded by $3i + 7$.
2. The carry bit $c_i$ of an adder has a BDD size bounded by $3i + 6$.

Proof. We use the interleaved variable ordering from the least to the most significant bits.

For the sum bits the results from Lemma 4.4.2 in [12] can be generalized, where an upper bound of $3i + 5$ has been proven for the adder function without an incoming carry bit. For the additional carry bit two more nodes are required, i.e. one for the carry bit itself and one for the $a_0$ variable.

The same argument holds for the carry bit, but here on the lowest level one node is saved, since in case of generation by $a_i$ and the incoming carry, $b_i$ does not have to be tested any more (see Figure 6 for the case of 4 variables).
It is important to notice that these results were always related to the representation size of the output functions, but not to the entire construction process.

Remark 1. In the following, detailed bounds are not provided, since the goal of this paper is to show that the construction process is polynomial.

Thus, it is sufficient to show that each individual step can be carried out in polynomial time and space. We make use of the following observation:

Remark 2. If for each internal signal the size of the BDD representation and the number of gates in the circuit are polynomially bounded in the number of inputs n, the whole circuit can be formally verified in polynomial time due to the polynomially bounded synthesis operations on BDDs.

This method can be applied to general circuits, but is used for adders only in the following. For the adder circuits from Section 3 the upper bounds hold, i.e. each circuit only has a number of gates polynomial in the number of inputs n.
4.1. Carry Ripple Adder
For the CRA it is very simple to see that the complete construction is polynomially bounded. For the HA of the least significant bit and all FAs the BDD can be locally constructed and has only a constant size. Due to the structure of the CRA each carry output of a cell is connected to the carry input of the next cell. The substitution of the input variable can be carried out by the compose algorithm based on ite and has a polynomial worst-case complexity. Furthermore, according to Theorem 1 the size of the BDD for the carry signal $c_i$ is linear for all i. Thus, the whole construction process is polynomially bounded, since the composition only has to be carried out n times.

Theorem 2. The BDD for the CRA can be constructed polynomially.
4.2. Conditional Sum Adder
The n bit CSA consists of three CSAs of bit-size n/2 and a multiplexer stage. From Theorem 1 it follows that each of the connecting signals shown in Figure 4 can be represented by a BDD of linear size. Only the carry inputs have to be set to 0 and 1, respectively. The only operation that has to be carried out is the one corresponding to the MUX unit. But this can be described by ite and is polynomially bounded. Thus, we obtain:

Theorem 3. The BDD for the CSA can be constructed polynomially.
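A minimal ROBDD package with the ite operator of Section 2.2 (unique table, computed table, no complemented edges), used to carry out the symbolic simulation of Section 2.3 on the CRA of Section 4.1 and on the CSA of Section 4.2. This is an added example, not the paper's code or the PolyVer project's tooling. The variable order is assumed here to be the interleaved order of Theorem 1 with the incoming carry on top ($c_{-1}, a_0, b_0, a_1, b_1, \ldots$); with that order the node counts (terminals included) of the CRA's $s_i$ and $c_i$ BDDs are exactly the Theorem 1 bounds $3i+7$ and $3i+6$. For the CSA the upper halves are simulated with the carry input fixed to the terminals 0 and 1 and selected by a MUX built from ite, and because BDDs are canonical the CSA and CRA outputs come out as the identical nodes, which is the equivalence check the verification rests on.

```python
# Minimal ROBDD package (no complemented edges) built around the ite
# operator, with symbolic simulation of a Carry Ripple Adder and a
# Conditional Sum Adder. Added example, not the paper's code. The variable
# order c_-1, a_0, b_0, a_1, b_1, ... (interleaved, carry on top) is an
# assumption of this example.
from typing import Dict, List, Tuple

class BDD:
    """Nodes are integer ids; 0 and 1 are the terminal nodes."""

    def __init__(self, order: List[str]):
        self.level: Dict[str, int] = {v: i for i, v in enumerate(order)}
        self.nodes: List[Tuple[int, int, int]] = [None, None]  # id -> (level, low, high)
        self.unique: Dict[Tuple[int, int, int], int] = {}      # unique table
        self.computed: Dict[Tuple[int, int, int], int] = {}    # computed table of ite

    def var(self, name: str) -> int:
        return self.mk(self.level[name], 0, 1)

    def mk(self, lvl: int, low: int, high: int) -> int:
        """find_or_add_unique_table, including the Rh = Rl reduction."""
        if low == high:
            return low
        key = (lvl, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def top(self, f: int) -> int:
        return self.nodes[f][0] if f > 1 else len(self.level)  # terminals lie below all variables

    def cofactor(self, f: int, lvl: int, val: int) -> int:
        if f > 1 and self.nodes[f][0] == lvl:
            return self.nodes[f][2 if val else 1]
        return f

    def ite(self, f: int, g: int, h: int) -> int:
        if f == 1: return g            # terminal cases
        if f == 0: return h
        if g == h: return g
        if g == 1 and h == 0: return f
        key = (f, g, h)
        if key in self.computed:       # computed-table hit
            return self.computed[key]
        lvl = min(self.top(f), self.top(g), self.top(h))   # top variable of (F, G, H)
        rh = self.ite(*(self.cofactor(x, lvl, 1) for x in key))
        rl = self.ite(*(self.cofactor(x, lvl, 0) for x in key))
        r = self.mk(lvl, rl, rh)
        self.computed[key] = r
        return r

    # gate operations expressed through ite
    def NOT(self, f): return self.ite(f, 0, 1)
    def AND(self, f, g): return self.ite(f, g, 0)
    def OR(self, f, g): return self.ite(f, 1, g)
    def XOR(self, f, g): return self.ite(f, self.NOT(g), g)
    def MUX(self, sel, f1, f0): return self.ite(sel, f1, f0)

    def size(self, f: int) -> int:
        """Number of nodes reachable from f, terminals included."""
        seen, stack = set(), [f]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                if n > 1:
                    stack.extend(self.nodes[n][1:])
        return len(seen)

def full_adder(bdd, a, b, c):
    s = bdd.XOR(bdd.XOR(a, b), c)
    carry = bdd.OR(bdd.AND(a, b), bdd.AND(bdd.OR(a, b), c))
    return s, carry

def simulate_cra(bdd, a, b, cin):
    """CRA symbolic simulation: returns ([s_i], [c_i])."""
    sums, carries, c = [], [], cin
    for ai, bi in zip(a, b):
        si, c = full_adder(bdd, ai, bi, c)
        sums.append(si)
        carries.append(c)
    return sums, carries

def simulate_csa(bdd, a, b, cin):
    """CSA: upper half built twice with carry-in fixed to terminal 0 / 1, then MUX."""
    n = len(a)
    if n == 1:
        s, c = full_adder(bdd, a[0], b[0], cin)
        return [s], c
    h = n // 2
    lo_s, lo_c = simulate_csa(bdd, a[:h], b[:h], cin)
    s0, c0 = simulate_csa(bdd, a[h:], b[h:], 0)
    s1, c1 = simulate_csa(bdd, a[h:], b[h:], 1)
    return lo_s + [bdd.MUX(lo_c, x1, x0) for x1, x0 in zip(s1, s0)], bdd.MUX(lo_c, c1, c0)

def build_adders(n):
    order = ["cin"] + [f"{v}{i}" for i in range(n) for v in ("a", "b")]
    bdd = BDD(order)
    a = [bdd.var(f"a{i}") for i in range(n)]
    b = [bdd.var(f"b{i}") for i in range(n)]
    cin = bdd.var("cin")
    return bdd, simulate_cra(bdd, a, b, cin), simulate_csa(bdd, a, b, cin)

def theorem1_sizes(n):
    """[(|BDD(s_i)|, |BDD(c_i)|) for i < n]; Theorem 1 bounds them by 3i+7 and 3i+6."""
    bdd, (sums, carries), _ = build_adders(n)
    return [(bdd.size(s), bdd.size(c)) for s, c in zip(sums, carries)]

def csa_equals_cra(n):
    """Canonicity turns the CSA-vs-CRA equivalence check into an id comparison."""
    _, (s_cra, c_cra), (s_csa, c_csa) = build_adders(n)
    return s_cra == s_csa and c_cra[-1] == c_csa
```

`theorem1_sizes(4)` returns `[(7, 6), (10, 9), (13, 12), (16, 15)]`, i.e. the Theorem 1 bounds are met with equality under this order, and `csa_equals_cra(8)` returns True. Note that every gate of the CSA is applied as an ite call on BDDs that are already of linear size, so the work per MUX stays within the $O(|F| \cdot |G| \cdot |H|)$ bound of Section 2.2.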
Remark 3. The results of Theorems 2 and 3 can easily be generalized to further adder types that are based on full adders connected together using MUX cells, like e.g. the Carry Select Adder in [1] with a runtime of $O(\sqrt{n})$.
4.3. Carry Look Ahead Adder
In the CLA the sum bits are computed by determining the carry bits first and finally EXOR-ing them with the corresponding $a_i$ and $b_i$ inputs according to Equation (2). Thus, the core circuit computes the carry bits based on the properties of generation and propagation, i.e. the functions p and g. The union of propagation intervals is based on Boolean AND-operations, i.e. a larger interval only propagates a carry bit if both the left and the right part of the interval do so. For the generation part it holds that either the left part (using the higher bits) already generates a carry or the lower part generates one while the higher part propagates it. In both cases, the structure consists of AND- and OR-operations only and it can be seen that the whole structure can be represented by BDDs of polynomial size. More formally, this can be proven as follows:
Figure 6. BDD for 4-bit adder function
Lemma 1.
1. Function $p_{j,i}$ has a BDD size bounded by $3(j - i)$ ($j > i$).
2. Function $g_{j,i}$ has a BDD size bounded by $6(j - i) - 6$ ($j > i$).

Proof. For function $p_{j,i}$ it holds:

$p_{j,i} = (a_j \oplus b_j)(a_{j-1} \oplus b_{j-1}) \cdots (a_i \oplus b_i)$

The BDD for the EXOR of two variables has three nodes. Since each variable only appears once, the corresponding BDDs can simply be connected (see Figure 7 for the case of 4 variables).

Since the BDD is a canonical representation, in

$g_{j,i} = g_{j,k+1} + (g_{k,i}\, p_{j,k+1})$

the choice of k does not influence the BDD size and we choose $k = j - 1$, resulting in

$g_{j,i} = g_{j,j} + (g_{j-1,i}\, p_{j,j}).$

For each pair of variables $a_l$, $b_l$ at most 6 nodes can be generated, resulting from all combinations of the EXOR and the AND (see Figure 8 for the case of 4 variables). For the top and bottom variables even some more nodes are saved, i.e. two at the top level and one at the 2nd one, and accordingly at the bottom. The exact estimate is not considered (see Remark 1), since a polynomial upper bound is sufficient.
Based on this observation, the whole BDD for the CLA can be computed based on ite.

Figure 7. BDD for p function for 4 variables

Theorem 4. The BDD for the CLA can be constructed polynomially.
5. Conclusion
In this paper it has been proven for three different adder architectures that the complete formal verification process can be carried out polynomially. It was proven that the underlying BDDs remain polynomial in the whole construction process. This was ensured by proving upper bounds on the BDD sizes for each internal signal. While the BDD sizes for the outputs of the adder functions were known to be polynomially bounded, this is the first time that for efficient adder circuits of logarithmic run time a polynomial proof process could be ensured.

It is the focus of future work to identify further classes of circuits and functions that can be polynomially verified using BDDs. Furthermore, alternative proof engines on the Boolean level, like SAT or O(K)FDDs, can be considered. Also extensions to the word-level, like SMT or WLDDs, will be studied.
Figure 8. BDD for g function for 4 variables
References

[1] B. Becker, R. Drechsler, R. Krieger, and S. Reddy. A fast optimal robust path-delay-fault testable adder. In European Design & Test Conf., pages 491–498, 1996.
[2] B. Becker, R. Drechsler, and P. Molitor. Technische Informatik – Eine Einführung. Pearson Studium, 2005.
[3] K. Brace, R. Rudell, and R. Bryant. Efficient implementation of a BDD package. In Design Automation Conf., pages 40–45, 1990.
[4] R. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Trans. on Comp., 35(8):677–691, 1986.
[5] R. Bryant. On the complexity of VLSI implementations and graph representations of Boolean functions with application to integer multiplication. IEEE Trans. on Comp., 40:205–213, 1991.
[6] R. Bryant and Y.-A. Chen. Verification of arithmetic functions with binary moment diagrams. In Design Automation Conf., pages 535–541, 1995.
[7] R. Drechsler. Advanced Formal Verification. Kluwer Academic Publishers, 2004.
[8] R. Drechsler. Formal System Verification. Springer, 2018.
[9] R. Drechsler and B. Becker. Binary Decision Diagrams – Theory and Implementation. Kluwer Academic Publishers, 1998.
[10] R. Drechsler and D. Sieling. Binary decision diagrams in theory and practice. Software Tools for Technology Transfer, 3:112–136, 2001.
[11] M. Keim, M. Martin, B. Becker, R. Drechsler, and P. Molitor. Polynomial formal verification of multipliers. In VLSI Test Symp., pages 150–155, 1997.
[12] I. Wegener. Branching Programs and Binary Decision Diagrams – Theory and Application. SIAM Monographs on Discrete Mathematics and Applications, 2000.
