




Science of Computer Programming 22 (1994) 107-135 
Designing arithmetic circuits by refinement in Ruby 
Geraint Jones a,*, Mary Sheeran b
a Programming Research Group, Oxford University Computing Laboratory, Wolfson Building, Parks Road, Oxford OX1 3QD, UK
b Informationsbehandling, Chalmers Tekniska Högskola, S-412 96 Göteborg, Sweden
Communicated by C. Morgan; revised October 1993 
Abstract 
This paper presents in some detail the systematic derivation of a static bit-level parallel 
algorithm to implement multiplication of integers, that is to say one which might be implemented
as an electronic circuit. The circuit is well known, but the derivation shows that its
design can be seen as the consequence of decisions made (and explained) in terms of the abstract 
algorithm. The systematic derivation serves both as an explanation of the circuit and as 
a demonstration that it is correct “by construction”. We believe that the technique is applicable 
to a wide range of similar algorithms. 
1. Introduction 
We advocate a style of “design by calculation” for the very fine-grained parallel 
algorithms that are implemented as regular arrays of electronic circuits. The design of 
such circuits is particularly difficult because the implementation medium imposes 
severe constraints on what is possible and what is reasonably efficient. In consequence 
the details of the final implementation have a pervasive influence on the whole design 
process, and it is regrettable that many such designs are presented with little or no 
abstract justification, and solely in the low-level terms of the final detailed implementation.
These same constraints, it seems to us, make it easier to apply the systematic design 
methods which are being used in the development of software algorithms. Our work is 
much influenced by that of Bird and Meertens [2,13], although in contrast to their use 
of functions we choose to use relations as our abstract programs. This same choice has
been made by the authors of [1] and there are close parallels [S] between the
framework in which they work and ours.
* Corresponding author. E-mail: Geraint.Jones@comlab.oxford.ac.uk.
0167-6423/94/$07.00 © 1994 Elsevier Science B.V. All rights reserved
SSDI 0167-6423(93)E0016-S
We represent by relations both abstract specifications of the desired behaviour of 
circuits and the components from which circuits are built. Ruby [10] is a language of
operations on relations in which the combining forms correspond naturally to the 
ways that components are connected in our target implementation. The algebra of 
these combining forms is a framework in which to refine the specification of an 
algorithm into an implementable form. 
The notion of an abstraction relation is important, as is the composition of an 
abstraction with the inverse of another abstraction. This is a representation changer: 
a device to consume one representation of some abstraction, and return another
representation. In this paper we show that a multiplication circuit can be specified 
naturally as such a representation changer, and that the specification can be refined 
into a regular array of components, each of which is also a representation changer. 
These small representation changers are the sorts of devices which would be found in 
a hardware designer’s library of standard components, and are the parts from which 
the circuit would be built. The multiplier is not new; we first presented it much more 
informally in 1985 [14]. Here we present its derivation as a new account of how such 
a circuit might be designed. 
As well as explaining how a design came about, a derivation constitutes a proof that 
the implementation meets its specification. Usually such proofs are constructed after 
the circuit has been designed [4,16], and independently of the method used to produce 
the design [18]. With that approach the design process offers no help in the proof, nor 
does the verification offer any assistance in the design. Even when circuits are 
synthesised mechanically from parametric designs, after-the-fact verification of the 
synthesis functions [S] gives no guidance on their construction. 
2. Ruby 
We model the behaviour of circuits by binary relations, denoted in Ruby by 
expressions which have a form that suggests the shapes of the corresponding circuits 
as well as their behaviour. In this paper we confine our attention to combinational 
circuits, operating on simple data values. Lifting to time sequences of values, to 
describe the behaviour of circuits with internal state, is also a part of the interpretation 
of the Ruby expression. In this way our combinational designs can be transformed 
into very high throughput systolic designs [14], but this lifting is not covered in 
this paper. 
2.1. Basic structuring functions 
The most important structuring functions are relational composition and inverse 
(or converse): 
$$a\,(R ; S)\,c \iff \exists b.\; a\,R\,b \;\&\; b\,S\,c$$
$$a\,R^{-1}\,b \iff b\,R\,a$$
Fig. 1. $R ; S$ and $R^3$ and $[R, S]$
Repeated composition is denoted by exponentiation: $R^1 = R$ and $R^{n+1} = R^n ; R$. These
operators have many simply expressed properties:
$$R ; (S ; T) = (R ; S) ; T$$
$$(R^{-1})^{-1} = R$$
$$(R ; S)^{-1} = S^{-1} ; R^{-1}$$
$$(R^n)^{-1} = (R^{-1})^n$$
and it is these kinds of properties that we use in deriving implementations from the 
specification of a required behaviour. 
The pictures in this paper are drawn to a convention in which the domain of 
a relation is on the left and the range (or codomain) on the right, so that relational 
composition is as shown in Fig. 1. Taking the inverse of a relation corresponds to 
flipping the picture over so that the domain and range are swapped.
The parallel composition of two circuits $[R, S]$ relates a pair of values in the
domain to a pair of values in the range if and only if the components are related by the
corresponding component circuits, $\langle a, b\rangle\,[R, S]\,\langle x, y\rangle \iff a\,R\,x \;\&\; b\,S\,y$. The identity
relation $\mathsf{id}$ is defined by $x\;\mathsf{id}\;y \iff x = y$. The functions $\mathsf{fst}$ and $\mathsf{snd}$ abbreviate
frequently used instances of parallel composition: $\mathsf{fst}\,R = [R, \mathsf{id}]$ and $\mathsf{snd}\,S = [\mathsf{id}, S]$.
Among the properties of parallel composition that we will use are that
$$[R, S]^{-1} = [R^{-1}, S^{-1}]$$
$$[R, S] ; [T, U] = [R ; T, S ; U]$$
$$(\mathsf{fst}\,R)^{-1} = \mathsf{fst}(R^{-1})$$
$$\mathsf{fst}\,R ; \mathsf{fst}\,S = \mathsf{fst}(R ; S)$$
$$[R, S] = \mathsf{fst}\,R ; \mathsf{snd}\,S = \mathsf{snd}\,S ; \mathsf{fst}\,R$$
2.2. Some primitive relations 
In addition to the full identity relation $\mathsf{id}$, we introduce identities on finite sets
of values, including subranges of the integers. For example, $|[0, 1, 2]|$ is the identity
on the set $\{0, 1, 2\}$. Constant relations are identities on singleton sets. The relation
$|[a\,..\,b]|$ is the identity on integers in the range $a$ to $b$ inclusive, $x\;|[a\,..\,b]|\;y \iff x = y \;\&\; a \le x \le b$.
The following primitive relations are useful building blocks:
$$\langle a, b\rangle\;\pi_1\;c \iff a = c$$
$$\langle a, b\rangle\;\pi_2\;c \iff b = c$$
$$\langle a, b\rangle\;\mathsf{swp}\;\langle c, d\rangle \iff a = d \;\&\; b = c$$
$$a\;\mathsf{fork}\;\langle b, c\rangle \iff a = b = c$$
Note that the inverse of a projection is a perfectly good relation, which will occur often 
in our calculations: a component of its range is unconstrained. For the arithmetic 
circuits in this paper we will use 
$$\langle a, b\rangle\;{+}\;c \iff a + b = c$$
$$\langle a, b\rangle\;{\times}\;c \iff a \times b = c$$
Note that the symbols $+$ and $\times$ are being used as the names of relations. For binary
arithmetic, two other useful components are the relation ${\times}2$ that relates an integer
$x$ to the even integer $2x$, and $\mathsf{s{+}} = \mathsf{snd}\,{\times}2 ; +$.
2.3. Measuring the domain and range of a relation 
Despite the misleading notation, beware that $R^{-1} ; R$ is not always an identity
relation. If $f$ is a function from domain to range, then $f^{-1} ; f$ is the identity on the
range of $f$, that is, $f = f ; f^{-1} ; f$. For more general relations, however, we can only
assume that $R$ is a subrelation of $R ; R^{-1} ; R$. That is, $R^{-1} ; R$ may be bigger than the
identity on the range of $R$. For example, the relation $+^{-1} ; +$ is the identity on the
integers (written $\mathsf{int}$), but $+ ; +^{-1}$ relates a given pair of integers to every other pair of
integers that has the same sum.
It is convenient to introduce notations for the forms $R^{-1} ; R$ and $R ; R^{-1}$:
$$R{>} = R^{-1} ; R$$
$${<}R = R ; R^{-1}$$
which we read as “$R$ right” and “left $R$”, respectively. It can be shown that
$R{>} = (R{>})^{-1} = {<}(R^{-1}) = ({<}(R^{-1}))^{-1}$. Some examples: $\mathsf{fork}{>}$ is the identity on pairs
whose elements are equal; $\mathsf{swp}{>} = [\mathsf{id}, \mathsf{id}]$ is the identity on all pairs.
In calculations, we often make and use assertions of the form $A = A ; B$, so we
introduce another abbreviation: $A \vdash B \iff A = A ; B$, which we read as “$A$ guarantees
$B$ (on the right)”. Think of $A \vdash B$ as an assertion about the range of $A$. Some useful
properties of $\vdash$ are
$$B \vdash C \implies A ; B \vdash C$$
$$B \vdash C ; D \implies B ; C \vdash D ; C$$
$$B \vdash C ; D \;\&\; D ; E \vdash F \implies B ; E \vdash F$$
Similarly, $\dashv$ (guarantees on the left) captures assertions about the domain of a relation:
$A \dashv B \iff A ; B = B$. Because $A \dashv B \iff B^{-1} \vdash A^{-1}$, the properties of $\dashv$ are dual to
those of the right-handed operator.
2.4. Types 
Data types in Ruby are partial equivalence relations (pers), i.e. relations $P$ that
satisfy $P \vdash P^{-1}$. If $A$ is a per and $A \dashv R$, then we say that $R$ has (a possible) domain
type $A$. Similarly, if $B$ is a per and $R \vdash B$, say that $R$ has range type $B$. A relation may
have many such domain and range types. We write $R : A \sim B$ as an abbreviation
for $A \dashv R \;\&\; R \vdash B$. It is convenient to have data types that are relations because then
types can be manipulated and reasoned about in just the same way as any other
Ruby relation. The use of pers as types has been developed independently by
Voermans [S].
The largest type is the full relation $\mathsf{any}$ for which $x\;\mathsf{any}\;y$ for any $x$ and $y$. For
example, the assertion $\mathsf{snd}\;\mathsf{any} \dashv \pi_1$ expresses the fact that the second component of
the domain value of the selector $\pi_1$ is not constrained in any way: it is not connected to
anything by the selector.
We are now in a position to consider what we mean by $R^0$. For $R : T \sim T$, $R^0$
must also have type $T \sim T$, and it must be both a left type and a right type
of $R$. Accordingly, we choose $R^0$ to be the type $T'$ for which $R : T' \sim T'$ and
$R : T \sim T \implies T' : T \sim T$. This can be shown to be well-defined [11].
2.5. Lists 
We collect data values into lists, and have structuring functions which construct
relations to operate on them. The repeated parallel composition $\mathsf{map}_n\,R$ relates two
$n$-lists if their corresponding elements are related by $R$, i.e.
$$x\,(\mathsf{map}_n\,R)\,y \iff \#x = \#y = n \;\&\; \forall i.\; x_i\,R\,y_i$$
Triangle, another pointwise operator, relates the $i$th elements of two $n$-lists by $R^i$:
$$x\,(\mathsf{tri}_n\,R)\,y \iff \#x = \#y = n \;\&\; \forall i.\; x_i\,R^i\,y_i$$
For example, $\mathsf{map}_n\,{\times}2$ doubles each element of a list of $n$ integers, while $\mathsf{tri}_n\,{\times}2$ relates
the $i$th element of the list, $x_i$, to $x_i 2^i$, the relation $({\times}2)^0$ being the identity on the
integers. Fig. 2 shows instances of map and triangle.
Fig. 2. Instances of $\mathsf{map}\,R$ and $\mathsf{tri}\,R$.
The relation $\mathsf{zip}$ interleaves a pair of lists to give a list of pairs:
$\langle x, y\rangle\;\mathsf{zip}_n\;z \iff \#x = \#y = \#z = n \;\&\; \forall i.\; \langle x_i, y_i\rangle = z_i$. It satisfies
$$[\mathsf{tri}_n\,A, \mathsf{tri}_n\,B] ; \mathsf{zip}_n = \mathsf{zip}_n ; \mathsf{tri}_n[A, B]$$
$$[\mathsf{map}_n\,A, \mathsf{map}_n\,B] ; \mathsf{zip}_n = \mathsf{zip}_n ; \mathsf{map}_n[A, B]$$
2.6. Circuits connected in two dimensions 
To broaden the range of circuit forms that can be described, we introduce a new 
convention for pictures of pair-to-pair relations: they can be viewed as four-sided tiles, 
with the domain on the left and top edges, and the range on the bottom and right 
edges. This ordering of the labels is chosen to be consistent with the labelling of 
circuits drawn under the earlier linear convention. 
The structuring function $\leftrightarrow$ (read “beside”) places two four-sided tiles side by side as
shown in Fig. 3. The resulting relation is again pair-to-pair.
$$\langle a, \langle b, c\rangle\rangle\;(R \leftrightarrow S)\;\langle\langle d, e\rangle, f\rangle \iff \exists g.\; \langle a, b\rangle\,R\,\langle d, g\rangle \;\&\; \langle g, c\rangle\,S\,\langle e, f\rangle$$
Composing further relations around the edges of a beside can be done in various ways:
$$[A, [B, C]] ; (R \leftrightarrow S) ; [[D, E], F] = ([A, B] ; R ; \mathsf{fst}\,D) \leftrightarrow (\mathsf{snd}\,C ; S ; [E, F])$$
and a relation on the arc between $R$ and $S$ can be bracketed with $R$ or with $S$.
$$(R ; \mathsf{snd}\,A) \leftrightarrow S = R \leftrightarrow (\mathsf{fst}\,A ; S)$$
Perhaps the simplest pair-to-pair relation is $[\mathsf{id}, \mathsf{id}]$. Placing two of these side by side
gives $\mathsf{rsh} = [\mathsf{id}, \mathsf{id}] \leftrightarrow [\mathsf{id}, \mathsf{id}]$, which is also shown in Fig. 3. From the properties of
beside, it follows that
$$[A, [B, C]] ; \mathsf{rsh} = \mathsf{rsh} ; [[A, B], C]$$
which we will call “right-shifting” of $[A, [B, C]]$.
Fig. 3. $\langle a, b\rangle\,R\,\langle c, d\rangle$ and layouts suggested by $R \leftrightarrow S$ and $\mathsf{rsh}$.
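Just as map generalises parallel composition, we can generalise the beside operator
by an operator that connects a horizontal array of pair-to-pair relations:
$$\langle a, x\rangle\;(\mathsf{row}_n\,R)\;\langle y, b\rangle \iff \#x = \#y = n \;\&\; \exists z.\; \#z = n + 1 \;\&\; a = z_0 \;\&\; (\forall i.\; \langle z_i, x_i\rangle\,R\,\langle y_i, z_{i+1}\rangle) \;\&\; z_n = b$$
If $R : [A, B] \sim [C, A]$, then $\mathsf{row}_{n+1}\,R : [A, \mathsf{map}_{n+1}\,B] \sim [\mathsf{map}_{n+1}\,C, A]$, although
the corresponding result does not hold for $\mathsf{row}_0$. It seems that there is no “obviously
right” meaning for the row of zero width, but we have chosen here
that $\langle a, b\rangle\;(\mathsf{row}_0\,R)\;\langle c, d\rangle$ if and only if $a = d$ and $b = c = \langle\rangle$, that is
$\mathsf{row}_0\,R = \mathsf{snd}\;\mathsf{map}_0\,\mathsf{id} ; \mathsf{swp}$.
Two properties of row used often in calculations are
$$\mathsf{snd}\;\mathsf{map}_n\,R ; \mathsf{row}_n\,S ; \mathsf{fst}\;\mathsf{map}_n\,T = \mathsf{row}_n(\mathsf{snd}\,R ; S ; \mathsf{fst}\,T)$$
which we call “pushing maps into row”, and
$$\mathsf{fst}\,R ; S = T ; \mathsf{snd}\,R \implies \mathsf{fst}\,R ; \mathsf{row}_{n+1}\,S = \mathsf{row}_{n+1}\,T ; \mathsf{snd}\,R$$
which is “row induction”. Again there seems to be no right way of dealing with the
empty row, which we will deal with separately if necessary.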
Complex wiring relations can be built from rows of simple cells: for example, the
relation $\mathsf{row}_n(\mathsf{fork}{>} \leftrightarrow \mathsf{swp})$ can be customised to give some useful standard wiring
relations. The relation that distributes a value across a list to give a list of pairs is
$$\mathsf{dstl}_n = \mathsf{row}_n(\mathsf{snd}\,\pi_2^{-1} ; (\mathsf{fork}{>} \leftrightarrow \mathsf{swp})) ; \pi_1 = \mathsf{row}_n(\mathsf{fork} ; \mathsf{snd}\,\pi_1) ; \pi_1$$
From the properties of row and of fork it can be shown that
$[A, \mathsf{map}_n\,B] ; \mathsf{dstl}_n = \mathsf{dstl}_n ; \mathsf{map}_n[A, B]$. Fig. 4 shows an instance of $\mathsf{dstl}$.
Fig. 4. $\mathsf{dstl}_n = \mathsf{row}_n(\mathsf{fork} ; \mathsf{snd}\,\pi_1) ; \pi_1$
Since taking the inverse of a pair-to-pair relation corresponds to flipping its picture
about the bottom-left to top-right diagonal, vertical patterns can be made by flipping,
making horizontal patterns and then restoring the original orientation. We define
$\updownarrow$ (read “below”) and $\mathsf{col}$ as duals of $\leftrightarrow$ and $\mathsf{row}$:
$$R \updownarrow S = (R^{-1} \leftrightarrow S^{-1})^{-1}$$
$$\mathsf{col}_n\,R = (\mathsf{row}_n\,R^{-1})^{-1}$$
The properties of below and column can be derived from those of beside and row. The
dual of $\mathsf{rsh}$ is $\mathsf{lsh} = \mathsf{rsh}^{-1} = [\mathsf{id}, \mathsf{id}] \updownarrow [\mathsf{id}, \mathsf{id}]$. The inverse of $\mathsf{row}_n(\mathsf{fork}{>} \leftrightarrow \mathsf{swp})$ is
$\mathsf{col}_n(\mathsf{fork}{>} \updownarrow \mathsf{swp})$ and we can make a “distribute right” wiring relation from this.
$$\mathsf{dstr}_n = \mathsf{col}_n(\mathsf{fst}\,\pi_1^{-1} ; (\mathsf{fork}{>} \updownarrow \mathsf{swp})) ; \pi_2 = \mathsf{col}_n(\mathsf{fork} ; \mathsf{fst}\,\pi_2) ; \pi_2$$
Not all of the relations that we want to connect in these kinds of patterns are 
pair-to-pair. We use degenerate cases of the structuring functions already introduced 
to cope with those relations that do not quite have the right numbers of connections. 
For example, to make a continued version of a pair-to-value relation, we use a version 
of row that has some of its arcs removed. 
$$\mathsf{rdl}_n\,R = \mathsf{row}_n(R ; \pi_2^{-1}) ; \pi_2$$
This operator is familiar from functional programming, where it is often called 
“reduce left” or “fold”. For example, to sum n integers: 
$$\mathsf{sum}_n = \pi_2^{-1} ; \mathsf{fst}\,|[0]| ; \mathsf{rdl}_n\,{+}$$
The $|[0]|$ constrains the first component of the domain of the reduction to be zero,
and the inverse projection hides this from the domain of sum. 
3. Abstraction and representation 
An abstraction relates concrete values to the abstract values that they represent. We
say that $\mathit{abs}$ is an abstraction if $\mathit{abs} \vdash \mathit{abs}{>}$. If the assertion $\mathit{abs} \vdash \mathit{abs}{>}$ holds, then
$\mathit{abs}{>}$ is guaranteed to be a type. We call this range type of $\mathit{abs}$ the abstract type.
Similarly, ${<}\mathit{abs}$ is guaranteed to be a type, and this domain type of $\mathit{abs}$ is called the
concrete type. This is really only a matter of convenience as this notion of abstraction
is symmetric: if $\mathit{abs}$ is an abstraction, so is $\mathit{abs}^{-1}$. (An earlier paper [9] of ours on
refinement in Ruby incorrectly denies this.) The relations which we call abstractions
are those that are called difunctionals [8]: all functions are abstractions, as are all
inverses of functions [15].
Since we want to design arithmetic circuits, we will be considering abstractions onto
the integers and subranges of the integers. The relations $+$, $\times$, $\mathsf{s{+}}$ and $\mathsf{sum}_n$ are all
abstractions onto the integers. The relation ${\times}2$ is an abstraction not onto the integers
but onto the even integers, i.e. of the type $({\times}2){>}$.
In the abstraction $\mathsf{sum}_n$, each element of the list of integers in the domain has the
same weight. We can give the elements of a list weights that are increasing powers of
two by using a triangle of ${\times}2$ components. The resulting relation, which we call
a ladder, is also an abstraction onto the integers.
$$\mathsf{ladder}_n = \mathsf{tri}_n\,{\times}2 ; \mathsf{sum}_n$$
We will be constructing circuits which operate on “voltage levels”, which are the
values of the type $\mathsf{sig} = |[\mathit{high}, \mathit{low}]|$. The abstraction $\mathsf{bi}$, for “bit to integer”, relates
abstract voltages to numbers in the set $\{0, 1\}$.
$$\mathsf{bi} = \{(\mathit{high}, 1), (\mathit{low}, 0)\}$$
$$\mathsf{bi}{>} = |[0, 1]|$$
$${<}\mathsf{bi} = \mathsf{sig}$$
Similarly, we can represent the numbers $0$ and $-1$ by signals. We call the resulting
“negative bit” a nit, and the abstraction is called $\mathsf{ni}$ for “negative bit to integer”.
$$\mathsf{ni} = \{(\mathit{high}, -1), (\mathit{low}, 0)\}$$
$$\mathsf{ni}{>} = |[-1, 0]|$$
$${<}\mathsf{ni} = \mathsf{sig}$$
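We can also represent numbers by pairs of signals in various ways. A pair of bits of the
same weight can represent numbers in $\{0, 1, 2\}$. This abstraction is often used so we
give it the name $\mathsf{bb{+}}$.
$$\mathsf{bb{+}} = [\mathsf{bi}, \mathsf{bi}] ; +$$
$$(\mathsf{bb{+}}){>} = |[0, 1, 2]|$$
This is a redundant representation; the number 1 is represented both by the pair
$(\mathit{high}, \mathit{low})$ and by the pair $(\mathit{low}, \mathit{high})$. This means that ${<}(\mathsf{bb{+}}) \neq [\mathsf{sig}, \mathsf{sig}]$, but
rather it is the partial equivalence relation described by
$$\begin{aligned}
{<}(\mathsf{bb{+}}) = \{ & ((\mathit{low}, \mathit{low}), (\mathit{low}, \mathit{low})),\; ((\mathit{high}, \mathit{high}), (\mathit{high}, \mathit{high})), \\
& ((\mathit{high}, \mathit{low}), (\mathit{high}, \mathit{low})),\; ((\mathit{high}, \mathit{low}), (\mathit{low}, \mathit{high})), \\
& ((\mathit{low}, \mathit{high}), (\mathit{low}, \mathit{high})),\; ((\mathit{low}, \mathit{high}), (\mathit{high}, \mathit{low})) \}
\end{aligned}$$
This is the concrete type of pairs of equal weight bits.
A pair of bits, one of weight 1 and one of weight 2, can represent numbers in
$\{0, 1, 2, 3\}$. The corresponding abstraction relation is $[\mathsf{bi}, \mathsf{bi}] ; \mathsf{s{+}}$. We call this a “bit
step” and abbreviate it to $\mathsf{bbs{+}}$.
$$\mathsf{bbs{+}} = [\mathsf{bi}, \mathsf{bi}] ; \mathsf{s{+}}$$
$$(\mathsf{bbs{+}}){>} = |[0, 1, 2, 3]|$$
$${<}(\mathsf{bbs{+}}) = [\mathsf{sig}, \mathsf{sig}]$$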
A nit and a bit, each of weight one, can represent numbers in $\{-1, 0, 1\}$. This is
a standard abstraction in arithmetic circuit design, and is usually called a trit.
$$\mathsf{ti} = [\mathsf{ni}, \mathsf{bi}] ; +$$
$$\mathsf{ti}{>} = |[-1, 0, 1]|$$
Again, ${<}\mathsf{ti}$ is a partial equivalence relation that is bigger than $[\mathsf{sig}, \mathsf{sig}]$. This is
because the integer 0 is represented both by the pair $(\mathit{high}, \mathit{high})$ and by the pair
$(\mathit{low}, \mathit{low})$. (We can write that assertion as $\mathsf{ti} ; |[0]| = \mathsf{fork}^{-1} ; \mathsf{sig} ; \mathsf{any} ; |[0]|$.)
If we restrict the elements of the lists in the domain of a ladder to be bits, we get
$\mathsf{map}_n\,\mathsf{bi} ; \mathsf{ladder}_n$, which is the well-known $n$-bit binary least-significant bit at the left
representation of numbers in the range $0$ to $2^n - 1$. The form $\mathsf{map}_n\,\mathit{abs} ; \mathsf{ladder}_n$, where
$\mathit{abs}$ is an abstraction, appears so often that we abbreviate it to $L_n\,\mathit{abs}$. We think of the
$n$-bit binary abstraction as a “ladder of bits”.
$$(L_n\,\mathsf{bi}){>} = |[0\,..\,2^n - 1]| \quad \text{where } L_n\,\mathit{abs} = \mathsf{map}_n\,\mathit{abs} ; \mathsf{ladder}_n$$
This is the type of numbers that can be represented as $n$-bit binary numerals. Because
the abstraction is one-to-one, ${<}(L_n\,\mathsf{bi}) = \mathsf{map}_n\,\mathsf{sig}$.
The carry-save abstraction is a ladder of pairs of equal weight bits, which we can
write as $L_n\,\mathsf{bb{+}}$.
$$(L_n\,\mathsf{bb{+}}){>} = |[0\,..\,2(2^n - 1)]|$$
Carry-save is a redundant abstraction both because bb+ is redundant, and because 
the value that can be represented at each step of the ladder is not constrained to be 
smaller than the radix (which is two). 
A number of useful transformations of these abstractions can be derived by 
induction on the lengths of the ladders, starting from the properties of the underlying 
arithmetic. The sum of two equal-length ladders can be written as a ladder of sums, 
provided the two concrete lists are first interleaved (or zipped together): 
$$[L_n\,a, L_n\,b] ; + = \mathsf{zip}_n ; L_n([a, b] ; +) \qquad (1)$$
because of the associativity and commutativity of addition. Similarly, the product of
an abstraction and a ladder is a ladder of products:
$$[a, L_n\,b] ; \times = \mathsf{dstl}_n ; L_n([a, b] ; \times) \qquad (2)$$
$$[L_n\,a, b] ; \times = \mathsf{dstr}_n ; L_n([a, b] ; \times) \qquad (3)$$
because multiplication distributes over addition.
To push abstractions around in circuit descriptions, we use instances of the
theorems about the structuring functions, for example by row induction
$$\mathsf{fst}\,a ; R \vdash \mathsf{snd}\,a{>} \implies \mathsf{fst}\,a ; \mathsf{row}_n\,R = \mathsf{row}_n(\mathsf{fst}\,a ; R ; \mathsf{snd}\,a^{-1}) ; \mathsf{snd}\,a$$
3.1. Representation changers 
Many design problems can naturally be cast as the implementation of representa- 
tion changers. This seems particularly to be the case for arithmetic circuits. The 
specification of a representation changer is the composition of an abstraction relation
- which relates a given concrete representation to its abstract meaning - and the
inverse of another abstraction relation - which relates that abstract value to the
desired concrete value. If $a$ and $b$ are abstractions, then $a ; b^{-1}$ relates the type ${<}a$ to
the type ${<}b$. Provided $a{>} = b{>}$ the translation is complete and faithful in both
directions; if they differ it is faithful only between those representations which correspond
to abstract values which are in both types.
We choose to think of our circuits as representation changers because simple
representation changers can often be implemented directly in hardware. For
example, $[\mathsf{bi}, \mathsf{bi}] ; \times ; \mathsf{bi}^{-1}$ is just an and gate, i.e. it is a relation between a pair of
signals and a signal which relates $(\mathit{high}, \mathit{high})$ to $\mathit{high}$ and any other pair to $\mathit{low}$.
Similarly, $\mathsf{bb{+}} ; \mathsf{bbs{+}}^{-1}$ is a standard component in the digital designer’s repertoire
(see Fig. 5): it is a “half-adder”, thought of as a function from two input bits to a sum
and carry pair. That is, it performs addition of two one-bit binary numerals, producing
a two-bit answer. It can readily be implemented in any digital circuit technology:
for example as an and-gate and an exclusive-or gate, or as an eight-bit read-only store.
The representation changer $[\mathsf{bi}, \mathsf{ni}] ; \mathsf{s{+}} ; \mathsf{ti}^{-1}$ can also be implemented by a half-adder
in which the carry flows from range to domain. It is a half-adder rotated
through 90°, so that the domain is a pair consisting of one input and the carry-out,
and the range is the pair of the other input and the sum output. Notice that we
abstracted away from the distinction between inputs and outputs by choosing to
represent circuits by relations.
Fig. 5. A representation of a half-adder, $\mathsf{bb{+}} ; \mathsf{bbs{+}}^{-1}$, and of one of its rotations which is equivalent to
$[\mathsf{bi}, \mathsf{ni}] ; \mathsf{s{+}} ; \mathsf{ti}^{-1}$.
A “full adder” relates a bit and a pair of equal weight bits to a sum and carry pair, so
it is $[\mathsf{bi}, \mathsf{bb{+}}] ; + ; \mathsf{bbs{+}}^{-1}$. Just as we did for a half-adder, we can implement the
representation changer $[\mathsf{bb{+}}, \mathsf{ni}] ; \mathsf{s{+}} ; \mathsf{ti}^{-1}$ by a full adder rotated so that the carry-out
is in the domain and the carry-in is in the range. The easiest way to check such
assertions about small relations is to enumerate the values which they relate.
3.2. Refinement
Representation changers that cannot immediately be implemented as hardware
primitives must be re-expressed as networks of smaller representation changers. These
smaller changers can then either be implemented directly in hardware or rewritten as
networks of yet smaller changers of representation. This refinement proceeds hierarchically,
and stops when we reach cells that we know how to implement directly in
hardware.
We will need to know how to reorganise large changers of representation into 
networks of smaller ones. Because we want to refine to regular array circuits, we 
concentrate on ways of calculating with rows and columns. We have previously 
shown [9], using the Ruby equivalent of Horner’s rule [3] for polynomial evaluation, 
that 
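$$\mathsf{snd}\;\mathsf{ladder}_n ; + ; +^{-1} ; [\mathsf{ladder}_n, {\times}2^n]^{-1} = \mathsf{row}_n(+ ; \mathsf{s{+}}^{-1}) \qquad (4)$$
This allows us to calculate that for any $a$ and $b$
$$\begin{aligned}
&\quad \mathsf{snd}(L_n\,a) ; + ; +^{-1} ; [L_n\,b, {\times}2^n]^{-1} \\
&= \{\text{definition of } L_n\} \\
&\quad \mathsf{snd}(\mathsf{map}_n\,a ; \mathsf{ladder}_n) ; + ; +^{-1} ; [(\mathsf{map}_n\,b ; \mathsf{ladder}_n), {\times}2^n]^{-1} \\
&= \{\text{properties of inverse}\} \\
&\quad \mathsf{snd}\;\mathsf{map}_n\,a ; \mathsf{snd}\;\mathsf{ladder}_n ; + ; +^{-1} ; [\mathsf{ladder}_n, {\times}2^n]^{-1} ; \mathsf{fst}\;\mathsf{map}_n\,b^{-1} \\
&= \{\text{equation (4)}\} \\
&\quad \mathsf{snd}\;\mathsf{map}_n\,a ; \mathsf{row}_n(+ ; \mathsf{s{+}}^{-1}) ; \mathsf{fst}\;\mathsf{map}_n\,b^{-1} \\
&= \{\text{pushing maps into row}\} \\
&\quad \mathsf{row}_n(\mathsf{snd}\,a ; + ; \mathsf{s{+}}^{-1} ; \mathsf{fst}\,b^{-1}) \qquad (5)
\end{aligned}$$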
showing that a representation changer which relates a carry-in and a ladder of as to 
a ladder of the same number of bs and a carry-out can be implemented by a row of 
components each of which relates one a and one b, connected by a carry chain. 
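Similarly, for any $a$ and $b$
$$\begin{aligned}
&\quad \mathsf{snd}(L_n\,a) ; \mathsf{s{+}} ; +^{-1} ; [L_n\,b, {\times}2^n]^{-1} \\
&= \{\text{definition of } \mathsf{s{+}} \text{ and } (L_n\,a) ; {\times}2 = L_n(a ; {\times}2)\} \\
&\quad \mathsf{snd}(L_n(a ; {\times}2)) ; + ; +^{-1} ; [L_n\,b, {\times}2^n]^{-1} \\
&= \{\text{equation (5)}\} \\
&\quad \mathsf{row}_n(\mathsf{snd}(a ; {\times}2) ; + ; \mathsf{s{+}}^{-1} ; \mathsf{fst}\,b^{-1}) \\
&= \{\text{definition of } \mathsf{s{+}}\} \\
&\quad \mathsf{row}_n(\mathsf{snd}\,a ; \mathsf{s{+}} ; \mathsf{s{+}}^{-1} ; \mathsf{fst}\,b^{-1}) \qquad (6)
\end{aligned}$$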
Taking inverses on both sides of (5) and (6) and renaming variables gives 




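$$[L_n\,a, {\times}2^n] ; + ; \mathsf{s{+}}^{-1} ; \mathsf{snd}(L_n\,b)^{-1} = \mathsf{col}_n(\mathsf{fst}\,a ; \mathsf{s{+}} ; \mathsf{s{+}}^{-1} ; \mathsf{snd}\,b^{-1}) \qquad (8)$$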
These four equations guide our refinements, so that if we are aiming for a column of 
components, for instance, we try to massage the expression to match the left-hand side 
either of (7) or of (8). 
A useful property of the composition of + and its inverse, which appears often in 
these expressions, is that 
$$+ ; +^{-1} = \mathsf{snd}\,{+}^{-1} ; \mathsf{rsh} ; \mathsf{fst}\,{+}. \qquad (9)$$
The left-hand side relates (a, b) and (c, d) if a + b = c + d, and the right-hand side 
similarly if there is some x for which b = x + d and a + x = c, which is the same 
constraint. From this, it follows that 
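$$\begin{aligned}
&\quad \mathsf{s{+}} ; \mathsf{s{+}}^{-1} \\
&= \{\text{definition of } \mathsf{s{+}}\} \\
&\quad \mathsf{snd}\,{\times}2 ; + ; +^{-1} ; \mathsf{snd}\,{\times}2^{-1} \\
&= \{\text{equation (9)}\} \\
&\quad \mathsf{snd}({\times}2 ; +^{-1}) ; \mathsf{rsh} ; [+, {\times}2^{-1}] \\
&= \{\text{right-shifting, } \mathsf{rsh} ; \mathsf{snd}\,{\times}2^{-1} = \mathsf{snd}\;\mathsf{snd}\,{\times}2^{-1} ; \mathsf{rsh}\} \\
&\quad \mathsf{snd}({\times}2 ; +^{-1} ; \mathsf{snd}\,{\times}2^{-1}) ; \mathsf{rsh} ; \mathsf{fst}\,{+} \\
&= \{\text{arithmetic of even numbers}\} \\
&\quad \mathsf{snd}(+^{-1} ; \mathsf{fst}\,{\times}2) ; \mathsf{rsh} ; \mathsf{fst}\,{+} \\
&= \{\text{right-shifting}\} \\
&\quad \mathsf{snd}\,{+}^{-1} ; \mathsf{rsh} ; \mathsf{fst}(\mathsf{snd}\,{\times}2 ; \mathsf{fst}\,{+}) \\
&= \{\text{definition of } \mathsf{s{+}}\} \\
&\quad \mathsf{snd}\,{+}^{-1} ; \mathsf{rsh} ; \mathsf{fst}\,\mathsf{s{+}} \qquad (10)
\end{aligned}$$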
4. Small examples 
As small examples of the method, we will develop some well-known adder circuits 
by refinement of representation changers. 
To specify the addition of a carry-in bit to a binary number to give a binary number 
and a carry-out bit, the abstraction [bi, L, bi] ; + is composed with the inverse of 
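$[L_n\,\mathsf{bi}, (\mathsf{bi} ; {\times}2^n)] ; +$. This matches the pattern of (5).
$$\begin{aligned}
&\quad [\mathsf{bi}, L_n\,\mathsf{bi}] ; + ; +^{-1} ; [L_n\,\mathsf{bi}, (\mathsf{bi} ; {\times}2^n)]^{-1} \\
&= \{\text{properties of inverse}\} \\
&\quad \mathsf{fst}\,\mathsf{bi} ; \mathsf{snd}\,L_n\,\mathsf{bi} ; + ; +^{-1} ; [L_n\,\mathsf{bi}, {\times}2^n]^{-1} ; \mathsf{snd}\,\mathsf{bi}^{-1} \\
&= \{\text{equation (5)}\} \\
&\quad \mathsf{fst}\,\mathsf{bi} ; \mathsf{row}_n(\mathsf{snd}\,\mathsf{bi} ; + ; \mathsf{s{+}}^{-1} ; \mathsf{fst}\,\mathsf{bi}^{-1}) ; \mathsf{snd}\,\mathsf{bi}^{-1} \qquad (11)
\end{aligned}$$
The next step is to push the abstractions at each end of the row ($\mathsf{fst}\,\mathsf{bi}$ and $\mathsf{snd}\,\mathsf{bi}^{-1}$)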
onto the internal arcs of the row so that the components of the row are then 
themselves in the form of representation changers. This is done using a row induction. 
Using the two lemmas (which can be checked by enumeration) 
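$$[\mathsf{bi}, \mathsf{bi}] ; + \vdash |[0, 1, 2]|$$
and
$$|[0, 1, 2]| ; \mathsf{s{+}}^{-1} ; \mathsf{fst}\,\mathsf{bi}^{-1} \vdash \mathsf{snd}\,\mathsf{bi}{>}$$
it can be shown that
$$\mathsf{fst}\,\mathsf{bi} ; (\mathsf{snd}\,\mathsf{bi} ; + ; \mathsf{s{+}}^{-1} ; \mathsf{fst}\,\mathsf{bi}^{-1}) \vdash \mathsf{snd}\,\mathsf{bi}{>} \qquad (12)$$
This is then used as the condition for a row induction.
$$\begin{aligned}
&\quad \mathsf{fst}\,\mathsf{bi} ; \mathsf{row}_n(\mathsf{snd}\,\mathsf{bi} ; + ; \mathsf{s{+}}^{-1} ; \mathsf{fst}\,\mathsf{bi}^{-1}) ; \mathsf{snd}\,\mathsf{bi}^{-1} \\
&= \{\text{equation (12) and row induction}\} \\
&\quad \mathsf{row}_n([\mathsf{bi}, \mathsf{bi}] ; + ; \mathsf{s{+}}^{-1} ; [\mathsf{bi}, \mathsf{bi}]^{-1}) ; \mathsf{snd}\,{<}\mathsf{bi} \\
&= \{\text{definitions of } \mathsf{bb{+}} = [\mathsf{bi}, \mathsf{bi}] ; + \text{ and } \mathsf{bbs{+}} = [\mathsf{bi}, \mathsf{bi}] ; \mathsf{s{+}}\} \\
&\quad \mathsf{row}_n(\mathsf{bb{+}} ; \mathsf{bbs{+}}^{-1}) ; \mathsf{snd}\,{<}\mathsf{bi} \\
&= \{\text{definition of } \mathsf{halfadd} = \mathsf{bb{+}} ; \mathsf{bbs{+}}^{-1} \text{ and } {<}\mathsf{bi} = \mathsf{sig}\} \\
&\quad \mathsf{row}_n\,\mathsf{halfadd} ; \mathsf{snd}\;\mathsf{sig}
\end{aligned}$$
We can stop here because $\mathsf{bb{+}} ; \mathsf{bbs{+}}^{-1}$ is just a half-adder. The $\mathsf{snd}\;\mathsf{sig}$ on the right
shows that if $n = 0$ the circuit consists of a single concrete wire - a thing that can carry
a signal of type $\mathsf{sig}$.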
The derivation of a circuit to add a bit to a carry-save number to give a binary 
number and a carry-out is almost identical. This time the component is a full adder: 
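$$\begin{aligned}
&\quad [\mathsf{bi}, L_n\,\mathsf{bb{+}}] ; + ; +^{-1} ; [L_n\,\mathsf{bi}, (\mathsf{bi} ; {\times}2^n)]^{-1} \\
&= \{\text{equation (5)}\} \\
&\quad \mathsf{fst}\,\mathsf{bi} ; \mathsf{row}_n(\mathsf{snd}\,\mathsf{bb{+}} ; + ; \mathsf{s{+}}^{-1} ; \mathsf{fst}\,\mathsf{bi}^{-1}) ; \mathsf{snd}\,\mathsf{bi}^{-1} \\
&= \{\mathsf{fst}\,\mathsf{bi} ; (\mathsf{snd}\,\mathsf{bb{+}} ; + ; \mathsf{s{+}}^{-1} ; \mathsf{fst}\,\mathsf{bi}^{-1}) \vdash \mathsf{snd}\,\mathsf{bi}{>} \text{ and induction}\} \\
&\quad \mathsf{row}_n([\mathsf{bi}, \mathsf{bb{+}}] ; + ; \mathsf{s{+}}^{-1} ; [\mathsf{bi}, \mathsf{bi}]^{-1}) ; \mathsf{snd}\,{<}\mathsf{bi} \\
&= \{\text{definition of } \mathsf{bbs{+}} = [\mathsf{bi}, \mathsf{bi}] ; \mathsf{s{+}} \text{ and } {<}\mathsf{bi} = \mathsf{sig}\} \\
&\quad \mathsf{row}_n([\mathsf{bi}, \mathsf{bb{+}}] ; + ; \mathsf{bbs{+}}^{-1}) ; \mathsf{snd}\;\mathsf{sig} \\
&= \{\text{definition of } \mathsf{fulladd} = [\mathsf{bi}, \mathsf{bb{+}}] ; + ; \mathsf{bbs{+}}^{-1}\} \\
&\quad \mathsf{row}_n\,\mathsf{fulladd} ; \mathsf{snd}\;\mathsf{sig}
\end{aligned}$$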
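The enumeration check suggested at the end of Section 3.1, together with the two row derivations above, can be run mechanically. The following Python sketch is an added example, not code from the paper: relations are finite sets of pairs, the helper names (`par`, `then`, `changer`, `ladder`, `row`, `adder_spec`) are chosen here, and the infinite relations +, s+ and × are applied as functions after a finite abstraction.

```python
"""Ruby relations as finite sets of pairs, checked by enumeration."""
from itertools import product

SIG = ("low", "high")
BIT = {"low": 0, "high": 1}
LEVEL = {0: "low", 1: "high"}
bi = {("high", 1), ("low", 0)}    # bit to integer
ni = {("high", -1), ("low", 0)}   # negative bit ("nit") to integer


def par(r, s):
    """Parallel composition [r, s]."""
    return {((a, b), (x, y)) for (a, x) in r for (b, y) in s}


def then(r, f):
    """r ; f for a relation f that is a function (+, s+, x, x2^n)."""
    return {(a, f(v)) for (a, v) in r}


def changer(a, b):
    """The representation changer a ; b^-1 of two finite abstractions."""
    return {(x, y) for (x, u) in a for (y, v) in b if u == v}


def plus(p):
    return p[0] + p[1]


def splus(p):                         # s+ = snd x2 ; +
    return p[0] + 2 * p[1]


def times(p):
    return p[0] * p[1]


bb_plus = then(par(bi, bi), plus)     # bb+  = [bi, bi] ; +
bbs_plus = then(par(bi, bi), splus)   # bbs+ = [bi, bi] ; s+
ti = then(par(ni, bi), plus)          # ti   = [ni, bi] ; +
left_bb = changer(bb_plus, bb_plus)   # <(bb+), the concrete type of bb+

and_gate = changer(then(par(bi, bi), times), bi)
halfadd = changer(bb_plus, bbs_plus)
fulladd = changer(then(par(bi, bb_plus), plus), bbs_plus)
halfadd_rot = changer(then(par(bi, ni), splus), ti)
fulladd_rot = changer(then(par(bb_plus, ni), splus), ti)


def xor_and_halfadd():
    """Half-adder built from an exclusive-or gate (sum) and an and-gate (carry)."""
    return {((x, y), (LEVEL[BIT[x] ^ BIT[y]], LEVEL[BIT[x] & BIT[y]]))
            for x in SIG for y in SIG}


def ladder(abs_, n):
    """L_n abs = map_n abs ; ladder_n (element i has weight 2**i)."""
    out = set()
    for combo in product(abs_, repeat=n):
        xs = tuple(c for c, _ in combo)
        out.add((xs, sum(v * 2**i for i, (_, v) in enumerate(combo))))
    return out


def row(r, n, carries=SIG):
    """row_n r relating <a, x> to <y, b>, with the carry-in a drawn from carries."""
    states = {(a, (), (), a) for a in carries}   # (a, x so far, y so far, z_i)
    for _ in range(n):
        states = {(a, xs + (x,), ys + (y,), z_next)
                  for (a, xs, ys, z) in states
                  for ((z_in, x), (y, z_next)) in r if z_in == z}
    return {((a, xs), (ys, b)) for (a, xs, ys, b) in states}


def adder_spec(elem, n):
    """[bi, L_n elem] ; + ; +^-1 ; [L_n bi, (bi ; x2^n)]^-1."""
    dom = then(par(bi, ladder(elem, n)), plus)
    top = then(bi, lambda v: v * 2**n)
    rng = then(par(ladder(bi, n), top), plus)
    return changer(dom, rng)


if __name__ == "__main__":
    print("halfadd is xor/and:", halfadd == xor_and_halfadd())
    print("row_3 halfadd meets its specification:",
          row(halfadd, 3) == adder_spec(bi, 3))
    print("row_3 fulladd meets its specification:",
          row(fulladd, 3) == adder_spec(bb_plus, 3))
```

Because `row` restricts the carry to `SIG` before any cell is applied, `row(r, 0)` is the single wire that the trailing snd sig describes for n = 0.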
In our third example, we relate a carry-save number and a top-carry that is a nit 
(rather than a bit) to a nit and a binary number. The process of refinement is the same 
as in the previous examples. We use one of (5) to (8) to introduce a row or column and 
then use either row or column induction to push the remaining abstractions inside the 
array: 
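$$\begin{aligned}
&\quad [L_n\,\mathsf{bb{+}}, (\mathsf{ni} ; {\times}2^n)] ; + ; +^{-1} ; [\mathsf{ni}, L_n\,\mathsf{bi}]^{-1} \\
&= \{\text{equation (7)}\} \\
&\quad \mathsf{snd}\,\mathsf{ni} ; \mathsf{col}_n(\mathsf{fst}\,\mathsf{bb{+}} ; \mathsf{s{+}} ; +^{-1} ; \mathsf{snd}\,\mathsf{bi}^{-1}) ; \mathsf{fst}\,\mathsf{ni}^{-1} \\
&= \{\mathsf{snd}\,\mathsf{ni}{>} \dashv (\mathsf{fst}\,\mathsf{bb{+}} ; \mathsf{s{+}} ; +^{-1} ; \mathsf{snd}\,\mathsf{bi}^{-1}) ; \mathsf{fst}\,\mathsf{ni}^{-1} \text{ and induction}\} \\
&\quad \mathsf{snd}\,{<}\mathsf{ni} ; \mathsf{col}_n([\mathsf{bb{+}}, \mathsf{ni}] ; \mathsf{s{+}} ; +^{-1} ; [\mathsf{ni}, \mathsf{bi}]^{-1}) \\
&= \{\text{definition of } \mathsf{ti} = [\mathsf{ni}, \mathsf{bi}] ; + \text{ and } {<}\mathsf{ni} = \mathsf{sig}\} \\
&\quad \mathsf{snd}\;\mathsf{sig} ; \mathsf{col}_n([\mathsf{bb{+}}, \mathsf{ni}] ; \mathsf{s{+}} ; \mathsf{ti}^{-1}) \\
&= \{\text{definition of } \mathsf{fulladd}' = [\mathsf{bb{+}}, \mathsf{ni}] ; \mathsf{s{+}} ; \mathsf{ti}^{-1}\} \\
&\quad \mathsf{snd}\;\mathsf{sig} ; \mathsf{col}_n\,\mathsf{fulladd}'
\end{aligned}$$
Fig. 6. $\mathsf{col}_n\,\mathsf{fulladd}'$ showing constraints on data-flow in an implementation.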
The column component is a full adder with a carry that flows from range to domain, 
so the whole circuit has an upward-flowing carry chain, as shown in Fig. 6. In the 
domain, the carry-save number is an input and the nit is an output; in the range, the
nit is an input and the binary number an output. This choice of inputs and outputs 
ensures that the full adder components are driven correctly. 
5. Derivation of an array multiplier 
In each of the above examples, refinement stopped after one iteration. In more 
complicated examples, one would expect to have to go down through several levels of 
hierarchy before reaching primitives. We now demonstrate this hierarchical approach in
a substantial calculation, deriving the design of an n-bit by m-bit binary multiplier. 
The initial specification of the circuit is 
$$[L_n\,\mathsf{bi}, L_m\,\mathsf{bi}] ; \times ; (L_{n+m}\,\mathsf{bi})^{-1}$$
which is to say that it should relate a pair of an n-bit and an m-bit binary number to 
the (n + m)-bit number that represents their product. From (2) and (3) about the 
product of an abstraction and a ladder, we have that 
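$$[L_n\,\mathsf{bi}, L_m\,\mathsf{bi}] ; \times = \mathsf{dstl}_m ; L_m([L_n\,\mathsf{bi}, \mathsf{bi}] ; \times) = \mathsf{dstr}_n ; L_n([\mathsf{bi}, L_m\,\mathsf{bi}] ; \times)$$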
but there seems to be no obvious next move. 
Because we have a wealth of laws involving carries, we will introduce a carry into 
the circuit. The carry will be represented in $n$-bit binary - a design decision that we
have made before starting the derivation. We could have chosen a different representation,
and in [9] we derive a multiplier design which arises naturally from choosing
carry-save representation for the carry at this point.
Fig. 7. $\mathcal{M} = [L_n\,\mathsf{bi}, [L_n\,\mathsf{bi}, L_m\,\mathsf{bi}] ; \times] ; + ; +^{-1} ; [L_m\,\mathsf{bi}, (L_n\,\mathsf{bi} ; {\times}2^m)]^{-1}$ with $m, n = 4, 6$.
To take account of the $n$-bit binary carry, the domain abstraction must be changed
to
$$[L_n\,\mathsf{bi}, ([L_n\,\mathsf{bi}, L_m\,\mathsf{bi}] ; \times)] ; +$$
and in order to make an opportunity to apply (5) we change the range representation,
so that the answer comes in two parts: the least significant $m$ bits as a binary number,
and the $n$ most significant bits as a binary number of weight $2^m$. The corresponding
abstraction is
$$[L_m\,\mathsf{bi}, (L_n\,\mathsf{bi} ; {\times}2^m)] ; +$$
so the specification of the circuit which we will develop is
$$\mathcal{M} = [L_n\,\mathsf{bi}, ([L_n\,\mathsf{bi}, L_m\,\mathsf{bi}] ; \times)] ; + ; +^{-1} ; [L_m\,\mathsf{bi}, (L_n\,\mathsf{bi} ; {\times}2^m)]^{-1}$$
an interpretation of which is shown in Fig. 7.
The first step in the refinement is to rearrange the product of the two ladders of bits 
into a single ladder. We can then use (5) to introduce a row. 
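$$\begin{aligned}
& \mathcal{M} \\
={}& \{\text{product of an abstraction and a ladder (equation (2))}\} \\
& \mathit{snd}\,\mathit{dstl}_m ; [L_n\,\mathit{bi}, L_m([L_n\,\mathit{bi}, \mathit{bi}] ; {\times})] ; {+} ; {+}^{-1} ; [L_m\,\mathit{bi}, (L_n\,\mathit{bi} ; {\times}2^m)]^{-1} \\
={}& \{\text{equation (5)}\} \\
& [L_n\,\mathit{bi}, \mathit{dstl}_m] ; \mathit{row}_m(\mathit{snd}([L_n\,\mathit{bi}, \mathit{bi}] ; {\times}) ; {+} ; \mathit{s{+}}^{-1} ; \mathit{fst}\,\mathit{bi}^{-1}) ; \mathit{snd}(L_n\,\mathit{bi})^{-1}
\end{aligned}$$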
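Next, we push the abstraction $L_n\,\mathit{bi}$ rightwards along the row; the result is a row of
representation changers. By calculating the ranges of numbers that can be represented
we can show that
$$[L_n\,\mathit{bi}, ([L_n\,\mathit{bi}, \mathit{bi}] ; {\times})] \dashv [(L_n\,\mathit{bi}){>}, (L_n\,\mathit{bi}){>}]$$
and
$$[(L_n\,\mathit{bi}){>}, (L_n\,\mathit{bi}){>}] ; {+} ; \mathit{s{+}}^{-1} ; \mathit{fst}\,\mathit{bi}^{-1} \dashv \mathit{snd}\,(L_n\,\mathit{bi}){>}$$
Combining these judgements gives
$$\mathit{fst}(L_n\,\mathit{bi}) ; (\mathit{snd}([L_n\,\mathit{bi}, \mathit{bi}] ; {\times}) ; {+} ; \mathit{s{+}}^{-1} ; \mathit{fst}\,\mathit{bi}^{-1}) \dashv \mathit{snd}\,(L_n\,\mathit{bi}){>} \tag{13}$$
and, as in the previous examples, this can be used as the condition for a row induction.
$$\begin{aligned}
& [L_n\,\mathit{bi}, \mathit{dstl}_m] ; \mathit{row}_m(\mathit{snd}([L_n\,\mathit{bi}, \mathit{bi}] ; {\times}) ; {+} ; \mathit{s{+}}^{-1} ; \mathit{fst}\,\mathit{bi}^{-1}) ; \mathit{snd}(L_n\,\mathit{bi})^{-1} \\
={}& \{\text{row induction from equation (13)}\} \\
& \mathit{snd}\,\mathit{dstl}_m ; \mathit{row}_m([L_n\,\mathit{bi}, ([L_n\,\mathit{bi}, \mathit{bi}] ; {\times})] ; {+} ; \mathit{s{+}}^{-1} ; [\mathit{bi}, L_n\,\mathit{bi}]^{-1}) ; \mathit{snd}\,{<}(L_n\,\mathit{bi}) \\
={}& \{\text{naming } c_2\} \\
& \mathit{snd}\,\mathit{dstl}_m ; \mathit{row}_m\,c_2 ; \mathit{snd}\,{<}(L_n\,\mathit{bi}) \\
& \text{where } c_2 = [L_n\,\mathit{bi}, ([L_n\,\mathit{bi}, \mathit{bi}] ; {\times})] ; {+} ; \mathit{s{+}}^{-1} ; [\mathit{bi}, L_n\,\mathit{bi}]^{-1} \\
={}& \{{<}(L_n\,\mathit{bi}) = \mathit{map}_n\,\mathit{sig}\} \\
& \mathit{snd}\,\mathit{dstl}_m ; \mathit{row}_m\,c_2 ; \mathit{snd}\,\mathit{map}_n\,\mathit{sig}
\end{aligned}$$
So $\mathcal{M}$ can be implemented by some wiring and a row of $c_2$ cells; we are now free to
concentrate on the design of $c_2$.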
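Because $c_2$ is the component of a row, it is a good idea to aim to implement it as
a column (rather than a row) of components. Rows of rows do not make attractive
layouts, but rows of columns do. This bias towards a column influences the refinement
of $c_2$, making it like a mirror image of the refinement so far: where we had $\mathit{dstl}_m$ we now
have $\mathit{dstr}_n$; where we had a row, we now have a column.
The first steps are to rewrite $[L_n\,\mathit{bi}, \mathit{bi}] ; {\times}$ as a ladder and to note that we can
implement $[\mathit{bi}, \mathit{bi}] ; {\times}$ using an and gate. The resulting sum of two ladders can again be
rewritten as a ladder,
$$\begin{aligned}
& c_2 = [L_n\,\mathit{bi}, ([L_n\,\mathit{bi}, \mathit{bi}] ; {\times})] ; {+} ; \mathit{s{+}}^{-1} ; [\mathit{bi}, L_n\,\mathit{bi}]^{-1} \\
={}& \{\text{product of a ladder and an abstraction (equation (3))}\} \\
& [L_n\,\mathit{bi}, (\mathit{dstr}_n ; L_n([\mathit{bi}, \mathit{bi}] ; {\times}))] ; {+} ; \mathit{s{+}}^{-1} ; [\mathit{bi}, L_n\,\mathit{bi}]^{-1} \\
={}& \{\mathit{and} ; \mathit{bi} = [\mathit{bi}, \mathit{bi}] ; {\times} ; \mathit{bi}^{-1} ; \mathit{bi} = [\mathit{bi}, \mathit{bi}] ; {\times}\} \\
& [L_n\,\mathit{bi}, (\mathit{dstr}_n ; L_n(\mathit{and} ; \mathit{bi}))] ; {+} ; \mathit{s{+}}^{-1} ; [\mathit{bi}, L_n\,\mathit{bi}]^{-1} \\
={}& \{\text{sum of two ladders (equation (1))}\} \\
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n ; L_n([\mathit{bi}, \mathit{and} ; \mathit{bi}] ; {+}) ; \mathit{s{+}}^{-1} ; [\mathit{bi}, L_n\,\mathit{bi}]^{-1} \\
={}& \{\text{definition of } \mathit{bb{+}} = [\mathit{bi}, \mathit{bi}] ; {+}\} \\
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n ; L_n(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}) ; \mathit{s{+}}^{-1} ; [\mathit{bi}, L_n\,\mathit{bi}]^{-1}
\end{aligned}$$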
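Unfortunately, the resulting pattern does not match our rule for introducing
columns (8). We would like the abstraction on the left to be of the form $[L_n\,a, {\times}2^n] ; {+}$
but we have only a single ladder. Again we introduce a carry, this time forced to be
zero, to get the required pattern. Adding zero to an integer makes no difference, and
multiplying zero by $2^n$ gives zero, so if $a \dashv \mathit{int}$, it can be replaced by
$$\begin{aligned}
a &= \pi_1^{-1} ; [a, |[0]|] ; {+} \\
&= \pi_1^{-1} ; [a, (|[0]| ; {\times}2^n)] ; {+}
\end{aligned}$$
In this case, certainly $L_n(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}) \dashv \mathit{int}$, so
$$\begin{aligned}
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n ; L_n(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}) ; \mathit{s{+}}^{-1} ; [\mathit{bi}, L_n\,\mathit{bi}]^{-1} \\
={}& \{\text{zero introduction}\} \\
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n ; \pi_1^{-1} ; [L_n(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}), (|[0]| ; {\times}2^n)] ; {+} ; \mathit{s{+}}^{-1} ; [\mathit{bi}, L_n\,\mathit{bi}]^{-1} \\
={}& \{\text{equation (8)}\} \\
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n ; \pi_1^{-1} ; \mathit{snd}\,|[0]| ; \mathit{col}_n(\mathit{fst}(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}) ; \mathit{s{+}} ; \mathit{s{+}}^{-1} ; \mathit{snd}\,\mathit{bi}^{-1}) ; \mathit{fst}\,\mathit{bi}^{-1} \\
={}& \{\text{naming } c_3\} \\
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n ; \pi_1^{-1} ; \mathit{snd}\,|[0]| ; \mathit{col}_n\,c_3 ; \mathit{fst}\,\mathit{bi}^{-1} \\
& \text{where } c_3 = \mathit{fst}(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}) ; \mathit{s{+}} ; \mathit{s{+}}^{-1} ; \mathit{snd}\,\mathit{bi}^{-1}
\end{aligned}$$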
Now we would like to push abstractions onto the internal arcs of the column.
However, the most obvious strategy, of pushing $\mathit{bi}^{-1}$ from right to left, does not work.
It is not the case that $\mathit{snd}\,\mathit{bi}{>} \vdash c_3 ; \mathit{fst}\,\mathit{bi}^{-1}$. In fact, since
$$((\mathit{high}, (\mathit{high}, \mathit{high})), -1)\ (c_3 ; \mathit{fst}\,\mathit{bi}^{-1})\ (\mathit{low}, \mathit{low})$$
the relevant abstract wire in the circuit can even take a negative value. However, the
internal arcs are of type $\mathit{ti}{>} = |[-1, 0, 1]|$, rather than $\mathit{bi}{>}$ as we had hoped.
Before pushing a trit abstraction through the column, we need to introduce
$\mathit{snd}\,\mathit{ti}^{-1}$ at the right. This can be done because trits and bits are related by
$$\mathit{bi} = \pi_2^{-1} ; [\mathit{low}, \mathit{sig}] ; \mathit{ti}.$$
That is to say, a bit represents the same integer as a trit in which the wire of negative
weight is held low and the positive wire is connected to the same level as the given bit.
The best way to proceed is to find a $c_4$ for which $c_3 ; \mathit{fst}\,\mathit{ti}^{-1} = \mathit{snd}\,\mathit{ti}^{-1} ; c_4$ and
then use column induction.
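$$\begin{aligned}
& c_3 ; \mathit{fst}\,\mathit{ti}^{-1} \\
={}& \mathit{fst}(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}) ; \mathit{s{+}} ; \mathit{s{+}}^{-1} ; \mathit{snd}\,\mathit{bi}^{-1} ; \mathit{fst}\,\mathit{ti}^{-1} \\
={}& \{\mathit{s{+}} ; \mathit{s{+}}^{-1} = \mathit{snd}\,{+}^{-1} ; \mathit{rsh} ; \mathit{fst}\,\mathit{s{+}}, \text{ equation (10)}\} \\
& \mathit{fst}(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}) ; \mathit{snd}\,{+}^{-1} ; \mathit{rsh} ; [(\mathit{s{+}} ; \mathit{ti}^{-1}), \mathit{bi}^{-1}] \\
={}& \{\text{right-shifting}\} \\
& \mathit{snd}({+}^{-1} ; \mathit{snd}\,\mathit{bi}^{-1}) ; \mathit{rsh} ; \mathit{fst}(\mathit{fst}(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}) ; \mathit{s{+}} ; \mathit{ti}^{-1}) \\
={}& \{\mathit{snd}\,\mathit{ni}{>} \vdash \mathit{fst}\,\mathit{bb{+}} ; \mathit{s{+}} ; \mathit{ti}^{-1}\} \\
& \mathit{snd}({+}^{-1} ; \mathit{snd}\,\mathit{bi}^{-1}) ; \mathit{rsh} ; \mathit{fst}([(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}), \mathit{ni}{>}] ; \mathit{s{+}} ; \mathit{ti}^{-1}) \\
={}& \{\text{right-shifting, and definition of } \mathit{ni}{>} = \mathit{ni}^{-1} ; \mathit{ni}\} \\
& \mathit{snd}({+}^{-1} ; [\mathit{ni}^{-1}, \mathit{bi}^{-1}]) ; \mathit{rsh} ; \mathit{fst}([(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}), \mathit{ni}] ; \mathit{s{+}} ; \mathit{ti}^{-1}) \\
={}& \{\text{definition of } \mathit{ti} = [\mathit{ni}, \mathit{bi}] ; {+}\} \\
& \mathit{snd}\,\mathit{ti}^{-1} ; \mathit{rsh} ; \mathit{fst}([(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}), \mathit{ni}] ; \mathit{s{+}} ; \mathit{ti}^{-1}) \\
={}& \{\mathit{ti}^{-1} \dashv \mathit{snd}\,\mathit{sig} \text{ and right-shifting}\} \\
& \mathit{snd}\,\mathit{ti}^{-1} ; \mathit{rsh} ; [([(\mathit{snd}\,\mathit{and} ; \mathit{bb{+}}), \mathit{ni}] ; \mathit{s{+}} ; \mathit{ti}^{-1}), \mathit{sig}] \\
={}& \{\text{definition of } \mathit{fulladd}' = [\mathit{bb{+}}, \mathit{ni}] ; \mathit{s{+}} ; \mathit{ti}^{-1}\} \\
& \mathit{snd}\,\mathit{ti}^{-1} ; \mathit{rsh} ; [(\mathit{fst}\,\mathit{snd}\,\mathit{and} ; \mathit{fulladd}'), \mathit{sig}] \\
={}& \{\text{naming } c_4\} \\
& \mathit{snd}\,\mathit{ti}^{-1} ; c_4 \\
& \text{where } c_4 = \mathit{rsh} ; [(\mathit{fst}\,\mathit{snd}\,\mathit{and} ; \mathit{fulladd}'), \mathit{sig}]
\end{aligned}$$
The cell $c_4$ consists of wiring, an and gate and a full adder. It requires skill and
experience to be able to recognise opportunities to use standard components. We
expect that tables of […] for the practising designer, just as books of data sheets have
been in the past.
The introduction of trits and the above calculation both required some ingenuity,
but the rest of the derivation is largely mechanical. Because $c_4$ need not be refined any
further, we have almost completed the design of $c_2$. The $\mathit{ti}^{-1}$ that we need for the
column induction is introduced at the bottom of the column, pushed up the column,
and finally implemented when it meets a zero at the top.
$$\begin{aligned}
& c_2 = \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n ; \pi_1^{-1} ; \mathit{snd}\,|[0]| ; \mathit{col}_n\,c_3 ; \mathit{fst}\,\mathit{bi}^{-1} \\
={}& \{\text{bits as trits, since } \mathit{bi} = \pi_2^{-1} ; [\mathit{low}, \mathit{sig}] ; \mathit{ti}\} \\
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n ; \pi_1^{-1} ; \mathit{snd}\,|[0]| ; \mathit{col}_n\,c_3 ; \mathit{fst}(\mathit{ti}^{-1} ; [\mathit{low}, \mathit{sig}] ; \pi_2) \\
={}& \{\text{column induction from } c_3 ; \mathit{fst}\,\mathit{ti}^{-1} = \mathit{snd}\,\mathit{ti}^{-1} ; c_4\} \\
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n ; \pi_1^{-1} ; \mathit{snd}(|[0]| ; \mathit{ti}^{-1}) ; \mathit{col}_n\,c_4 ; \mathit{fst}([\mathit{low}, \mathit{sig}] ; \pi_2)
\end{aligned}$$
The final step is to eliminate the remaining $\mathit{ti}^{-1}$. The representation of zero as a trit is
a pair of equal signals, $|[0]| ; \mathit{ti}^{-1} = |[0]| ; \mathit{any} ; \mathit{sig} ; \mathit{fork}$, so
$$\begin{aligned}
\pi_1^{-1} ; \mathit{snd}(|[0]| ; \mathit{ti}^{-1}) &= \pi_1^{-1} ; \mathit{snd}(|[0]| ; \mathit{any} ; \mathit{sig} ; \mathit{fork}) \\
&= \pi_1^{-1} ; \mathit{snd}(\mathit{sig} ; \mathit{fork}).
\end{aligned}$$
This completes the first implementation for the multiplier: gathering all the parts we
have that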
This would not matter if we only needed to produce a netlist for input to some 
absolutely general automatic layout generator such as a programmer for configurable 
logic arrays, or a VLSI layout system. However, if we want to interface to a design 
system using a more structured circuit description, we must rearrange the wiring to 
give a more satisfactory implementation. Most refinements will naturally result in 
circuits that need to be improved by moving wires or components about. 
6. Rearrangement 
A further calculation, about as long as that which has gone before, will allow the 
wires of the implementation of the multiplier to be “combed out” into a regular 
pattern. The strategy for this part of the calculation is to represent as much as possible 
of the structure of the circuits as adjacent rows and columns of simple components 
- even the wiring - and then to interleave these rows and columns. 
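Because the beside and below operators distribute over each other in this way:
$$(A \updownarrow B) \leftrightarrow (C \updownarrow D) = (A \leftrightarrow C) \updownarrow (B \leftrightarrow D)$$
(a property which Richard Bird calls "abiding" [3]), it follows by induction that
adjacent columns can be combined,
$$\begin{aligned}
(\mathit{col}_n\,R) \leftrightarrow (\mathit{col}_n\,S) &= \mathit{col}_n(R \leftrightarrow S) \\
(\mathit{row}_n\,R) \updownarrow (\mathit{row}_n\,S) &= \mathit{row}_n(R \updownarrow S)
\end{aligned}$$
at least when n > 0, and similarly rows that are below each other can be combined;
and more generally $\mathit{row}_m\,\mathit{col}_n\,R = \mathit{col}_n\,\mathit{row}_m\,R$, provided n > 0 and m > 0.
The pattern
$$\begin{aligned}
A \bowtie B &= (A \updownarrow \mathit{swp}) \leftrightarrow (\mathit{swp} \updownarrow B) \\
&= (A \leftrightarrow \mathit{swp}) \updownarrow (\mathit{swp} \leftrightarrow B)
\end{aligned}$$
which is illustrated in Fig. 8 is one which arises often in the course of these interleavings,
and has the pleasant property that
$$\begin{aligned}
\mathit{col}_n(A \bowtie B) &= \mathit{fst}\,\mathit{zip}_n^{-1} ; ((\mathit{col}_n\,A) \bowtie (\mathit{col}_n\,B)) ; \mathit{snd}\,\mathit{zip}_n \\
\mathit{row}_n(A \bowtie B) &= \mathit{snd}\,\mathit{zip}_n^{-1} ; ((\mathit{row}_n\,A) \bowtie (\mathit{row}_n\,B)) ; \mathit{fst}\,\mathit{zip}_n
\end{aligned}$$
again provided n > 0, which can be used right-to-left to rewrite matching rows and
columns as single structures of more complex cells, possibly eliminating the large
number of wire crossings indicated by $\mathit{zip}_n$.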
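If R and S are relations for which $R \updownarrow S = \mathit{fst}\,\mathit{swp} ; (S \updownarrow R) ; \mathit{snd}\,\mathit{swp}$, which is the
case if either R or S is itself swp, then
$$\mathit{col}_n(R \updownarrow S) = \mathit{fst}\,\mathit{zip}_n ; (\mathit{col}_n\,R \updownarrow \mathit{col}_n\,S) ; \mathit{snd}\,\mathit{zip}_n^{-1}$$
which can be used as a right-to-left rule to interleave two columns of largely
independent cells. The dual is a statement about rows, that if
$R \leftrightarrow S = \mathit{snd}\,\mathit{swp} ; (S \leftrightarrow R) ; \mathit{fst}\,\mathit{swp}$ then
$$\mathit{row}_n(R \leftrightarrow S) = \mathit{snd}\,\mathit{zip}_n ; (\mathit{row}_n\,R \leftrightarrow \mathit{row}_n\,S) ; \mathit{fst}\,\mathit{zip}_n^{-1}$$
Fig. 8. $R \bowtie S$ and $\mathit{row}_n(R \bowtie S)$.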
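Not all the structure of the implementation of the multiplier yet consists of rows and
columns, but we have already seen that the instances of dstr and dstl have implementations
as columns and rows of simpler cells, for
$$\begin{aligned}
\mathit{dstr}_n &= \mathit{col}_n(\mathit{fork} ; \mathit{fst}\,\pi_2) ; \pi_2 \\
\mathit{dstl}_n &= \mathit{row}_n(\mathit{fork} ; \mathit{snd}\,\pi_1) ; \pi_1
\end{aligned}$$
and other structures and wiring components can also be expanded into rows and
columns in this way, for
$$\begin{aligned}
\mathit{map}_n\,R &= \pi_1^{-1} ; \mathit{col}_n(\pi_1 ; R ; \pi_2^{-1}) ; \pi_2 \\
&= \pi_2^{-1} ; \mathit{row}_n(\pi_2 ; R ; \pi_1^{-1}) ; \pi_1 \\
\mathit{map}_n\,R ; \mathit{fork} &= \mathit{map}_n(R ; \mathit{fork}) ; \mathit{zip}_n^{-1} \\
\mathit{fst}\,\mathit{map}_n\,R ; \mathit{swp} &= \mathit{col}_n(\mathit{fst}\,R ; \mathit{swp}) \\
\mathit{snd}\,\mathit{map}_n\,R ; \mathit{swp} &= \mathit{row}_n(\mathit{snd}\,R ; \mathit{swp})
\end{aligned}$$
and so on.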
and so on. 
6.1. Tidying the wiring 
Although we performed this part of the calculation in about the same detail as the 
first part of the derivation, we are not satisfied that our presentation is yet sufficiently 
lucid, nor that it conveys any new insights, to justify its inclusion in full in this paper. 
In particular, it has proved very hard to control the size of the expressions and they 
are not easily read. Accordingly, we will only outline the shape of the calculation, 
confident in our ability if challenged to explain the calculation in more detail than 
a human reader could want. Indeed we intend that these calculations should be 
explained to a machine that would check their accuracy, and machine assistance in 
such a detailed presentation is certainly necessary. 
Since we expect that the structure of the circuit will change as we bring in more 
wiring from the outside, the restructuring will be done from the inside out. The 
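component in the middle of the circuit, if we agree to disregard $c_4$ which we claim is in
essence already implemented, begins
$$\begin{aligned}
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n \\
={}& \{\text{expanding } \mathit{dstr} \text{ and interleaving the columns}\} \\
& \mathit{rsh} ; [\mathit{zip}_n, \pi_2^{-1}] ; \mathit{col}_n\,c_5 ; \pi_2 \\
& \text{where } c_5 = (\pi_1 ; \pi_2^{-1}) \bowtie (\mathit{fst}\,\pi_1^{-1} ; (\mathit{swp} \updownarrow (\pi_2 ; \mathit{fork})))
\end{aligned}$$
The component $c_5$ can be simplified, by first expressing it in terms of beside and
below, and then using the properties of the projections, the abiding of beside with
below, and reassociating operations with left and right shifts. Thus we arrive at
$$c_5 = [\pi_1^{-1}, \pi_2] ; (\mathit{swp} \updownarrow (\pi_2 ; \mathit{fork})) ; [\pi_2^{-1}, \mathit{lsh}]$$
which, since $c_5$ is just a wiring relation, can be checked by showing that each side
relates the same tuples in the same ways. Then by a further column induction
$$\begin{aligned}
& \mathit{snd}\,\mathit{dstr}_n ; \mathit{zip}_n = \mathit{rsh} ; \mathit{fst}\,\mathit{zip}_n ; \mathit{col}_n\,c_6 ; \pi_2 \\
& \text{where } c_6 = \mathit{fst}\,\pi_1^{-1} ; (\mathit{swp} \updownarrow (\pi_2 ; \mathit{fork})) ; \mathit{snd}\,\mathit{lsh}
\end{aligned}$$
Substituting in the definition of $c_2$, this column can be merged with the $\mathit{col}_n\,c_4$ which
it is beside, ultimately yielding
$$\begin{aligned}
c_2 ={}& \mathit{snd}\,\mathit{snd}(\pi_1^{-1} ; \mathit{snd}(\mathit{sig} ; \mathit{fork})) ; \\
& ((\mathit{zip}_n ; \pi_2^{-1}) \leftrightarrow (\mathit{col}_n(c_6 \leftrightarrow c_4))) ; \\
& \mathit{fst}(\pi_2 ; \pi_2 ; [\mathit{low}, \mathit{sig}] ; \pi_2)
\end{aligned} \tag{14}$$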
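When this is substituted back into the implementation of $\mathcal{M}$, it appears alongside an
instance of $\mathit{dstl}_m$, which can be expanded as a row, and merged with it:
$$\begin{aligned}
\mathcal{M} ={}& \mathit{snd}\,\mathit{dstl}_m ; \mathit{row}_m\,c_2 ; \mathit{snd}\,\mathit{map}_n\,\mathit{sig} \\
={}& \mathit{rsh} ; ((\mathit{row}_m\,c_2) \updownarrow (\mathit{dstl}_m ; \pi_1^{-1})) ; \mathit{snd}(\pi_1 ; \mathit{map}_n\,\mathit{sig}) \\
={}& \{\text{expanding } \mathit{dstl} \text{ and row below row}\} \\
& \mathit{rsh} ; \mathit{snd}\,\mathit{map}_m\,\pi_2^{-1} ; \mathit{row}_m(c_2 \updownarrow ((\pi_1 ; \mathit{fork}) \leftrightarrow \mathit{swp})) ; \mathit{snd}(\pi_1 ; \mathit{map}_n\,\mathit{sig})
\end{aligned}$$
Now note that $\mathit{snd}\,\mathit{fst}\,\mathit{map}_n\,\mathit{id} \vdash c_2$, from which it follows that the fork and swp in this
expression are also n signals wide. These can be expanded and interleaved in the same
way, and the resulting column combined with the $\mathit{col}_n(c_6 \leftrightarrow c_4)$ obtained by
substituting for $c_2$ using (14). The result of this calculation is
$$\begin{aligned}
\mathcal{M} ={}& \mathit{rsh} ; [\mathit{zip}_n, \mathit{map}_m(\pi_1^{-1} ; \mathit{snd}(\mathit{sig} ; \mathit{fork}))] ; \\
& \mathit{row}_m\,\mathit{col}_n\,\mathit{cell} ; [\mathit{map}_m(\pi_2 ; [\mathit{low}, \mathit{sig}] ; \pi_2), \mathit{map}_n(\pi_1 ; \mathit{sig})] \\
& \text{where } \mathit{cell} = \mathit{fst}(\mathit{snd}\,\mathit{fork} ; \mathit{rsh}) ; ((c_6 \leftrightarrow c_4) \updownarrow \mathit{swp})
\end{aligned} \tag{15}$$
which is a grid of cells, surrounded by some simple wiring.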
which is a grid of cells, surrounded by some simple wiring. 
The only part of the wiring which we would prefer not to implement is the instance
of $\mathit{zip}_n$ which would involve n(n - 1)/2 wire crossings. We choose to have the user of
the multiplier implement this, and change the specification of our design to
$\mathit{fst}\,\mathit{zip}_n^{-1} ; \mathit{lsh} ; \mathcal{M}$. That is to say that we will offer the user a component which must be
given one of the factors already interleaved with the carry-in. The user may well want 
the carry-in to be zero anyway, in which case the interleaving is much cheaper. 
6.2. Tidying the cell 
Now consider the cell of which this grid is composed. 
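$$\begin{aligned}
\mathit{cell} &= \mathit{fst}(\mathit{snd}\,\mathit{fork} ; \mathit{rsh}) ; ((c_6 \leftrightarrow c_4) \updownarrow \mathit{swp}) \\
\text{where } c_6 &= \mathit{fst}\,\pi_1^{-1} ; (\mathit{swp} \updownarrow (\pi_2 ; \mathit{fork})) ; \mathit{snd}\,\mathit{lsh} \\
c_4 &= \mathit{rsh} ; [\mathit{fst}\,\mathit{snd}\,\mathit{and} ; \mathit{fulladd}', \mathit{sig}]
\end{aligned}$$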
It is now necessary to simplify the wiring of this cell, and further to make sure that 
each of the remaining components is in our repertoire of standard components. 
This means, for example, that we will not leave fork in the final implementation, 
because fork may in general involve forking a large bus of wires, involving many wire 
crossings. We will only be satisfied when each fork in the circuit divides a single signal 
wire, that is when each is an instance of sfork = sig ; fork. Similar considerations apply 
to the other primitive wiring tiles. 
A calculation about as long as that in the preceding section of the paper, but 
conceptually simpler in that it involves no rows and columns, shows that 
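$$\begin{aligned}
\mathit{cell} ={}& (\mathit{fst}\,\mathit{fst}\,\pi_1^{-1} ; ((\mathit{sswp} \updownarrow (\pi_2 ; \mathit{sfork})) \updownarrow \mathit{sswp}) ; \mathit{snd}(\mathit{snd}\,\mathit{sfork} ; \mathit{srsh})) \leftrightarrow \\
& ((\mathit{fst}(\mathit{slsh} ; \mathit{snd}\,\mathit{and}) ; \mathit{srsh} ; [\mathit{fulladd}', \mathit{sig}]) \updownarrow (\mathit{sswp} \leftrightarrow \mathit{sswp})) \\
\text{where } \mathit{sfork} ={}& \mathit{sig} ; \mathit{fork} \\
\mathit{sswp} ={}& [\mathit{sig}, \mathit{sig}] ; \mathit{swp} \\
\mathit{slsh} ={}& [[\mathit{sig}, \mathit{sig}], \mathit{sig}] ; \mathit{lsh} = [\mathit{sig}, \mathit{sig}] \updownarrow [\mathit{sig}, \mathit{sig}] \\
\mathit{srsh} ={}& [[\mathit{sig}, \mathit{sig}], [\mathit{sig}, \mathit{sig}]] ; \mathit{rsh} = [[\mathit{sig}, \mathit{sig}], \mathit{sig}] \leftrightarrow [\mathit{sig}, \mathit{sig}]
\end{aligned}$$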
Fig. 9 illustrates a layout for the cell, suggested by this equation, annotated with 
indications of which wires are necessarily inputs to or outputs from the cell. 





Fig. 9. The cell of the multiplier. 
This completes the development of a bit-level regular array that implements the 
multiplier, because substituting back into (15), 
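$$\begin{aligned}
\mathit{fst}\,\mathit{zip}_n^{-1} ; \mathit{lsh} ; \mathcal{M} ={}& \mathit{snd}\,\mathit{map}_m(\pi_1^{-1} ; \mathit{snd}\,\mathit{sfork}) ; \\
& \mathit{row}_m\,\mathit{col}_n\,\mathit{cell} ;
\end{aligned}$$
where cell is implemented entirely in terms of bit-operations. The layout which this
suggests for $\mathit{fst}\,\mathit{zip}_n^{-1} ; \mathit{lsh} ; \mathcal{M}$ is shown in Fig. 10.
Fig. 10. $\mathit{fst}\,\mathit{zip}_n^{-1} ; \mathit{lsh} ; \mathcal{M}$ with $m = 4$ and $n = 6$.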
This design is essentially the one in [14], where we presented it rather more 
abruptly. That paper systematically transforms the circuit into a bit-systolic array 
able to deliver a multiplication once on each cycle of a clock whose period is roughly 
the delay through a full adder. Notice that the circuit is hexagonally connected, 
although we were able to derive it without needing to introduce any special con- 
structors, nor to develop an algebra of hex-connected circuits. 
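The array reached at the end of this section can be checked behaviourally. The following Python model is an added example, not part of the paper: it assumes 0/1 integers for low/high, index 0 of every list as the bottom (least significant) cell of a column, and a direction for every wire (carries travel up a column on the negative trit wires, sums travel down on the positive ones), and then compares the array with c + x × y exhaustively.

```python
"""Bit-level model of the derived array multiplier (added example)."""
from itertools import product


def ni(w):
    """Negative-bit abstraction: a high wire stands for -1."""
    return -w


def ti(neg, pos):
    """Trit abstraction ti = [ni, bi] ; + on a pair of wires."""
    return ni(neg) + pos


def fulladd(a, b, u_neg):
    """Functional reading of fulladd' = [bb+, ni] ; s+ ; ti^-1.

    The relation requires a + b + 2*ni(t_neg) == ti(u_neg, u_pos).
    Treating a, b and u_neg as inputs makes it an ordinary full adder
    with carry t_neg (sent upwards) and sum u_pos (sent downwards).
    """
    total = a + b + u_neg
    return total >> 1, total & 1


def relation_holds():
    """Check the functional reading against the relational definition."""
    for a, b, u in product((0, 1), repeat=3):
        t, p = fulladd(a, b, u)
        if a + b + 2 * ni(t) != ti(u, p):
            return False
    return True


def trit_values():
    """Integers that can appear on the arc below a cell."""
    return {ti(u, fulladd(a, b, u)[1]) for a, b, u in product((0, 1), repeat=3)}


def column(cs, xs, y):
    """One c2: a column of n cells, each an and gate plus a full adder.

    Returns (out, new_cs) with value(cs) + value(xs)*y == out + 2*value(new_cs).
    """
    sums, carry = [], 0              # bottom: negative wire held low
    for c, x in zip(cs, xs):
        carry, s = fulladd(c, x & y, carry)
        sums.append(s)
    # Top: zero as a trit is a pair of equal signals, so the top carry is
    # returned as the positive wire. Each cell passes east the sum from above.
    return sums[0], sums[1:] + [carry]


def multiplier(cs, xs, ys):
    """Row of m columns: low m bits, then the n-bit carry of weight 2**m."""
    low = []
    for y in ys:
        bit, cs = column(cs, xs, y)
        low.append(bit)
    return low, cs


def to_bits(v, width):
    return [(v >> i) & 1 for i in range(width)]


def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))


def multiply_ints(c, x, y, n, m):
    low, high = multiplier(to_bits(c, n), to_bits(x, n), to_bits(y, m))
    return from_bits(low) + (from_bits(high) << m)


def check(n, m):
    """Exhaustive comparison with c + x*y for n-bit c, x and m-bit y."""
    return all(multiply_ints(c, x, y, n, m) == c + x * y
               for c, x, y in product(range(1 << n), range(1 << n), range(1 << m)))
```

The set returned by `trit_values()` shows the internal arcs carrying all of -1, 0 and 1, which is why the column could not be typed with bits alone.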
7. Conclusion 
We have shown in some detail how the design of a complex and subtle circuit is 
a natural consequence of a relatively abstract specification and some simple design 
decisions. These decisions are ones that can largely be explained at the level of the 
abstract specification. The most positive thing about this calculation is that it is an 
argument for the correctness of the design before the fact. That is to say that once the
design has been done there is no need to construct a separate proof of correctness. 
That a derivation can be driven by high-level decisions is promising because it 
suggests that there is a systematic way of delineating a design space which could be 
explored for alternative implementations of the same specification. For example, the 
choice of representation for the carries has driven us to this design, whereas another 
choice would have produced the carry-save multiplier [9] ; other designs are suggested 
by the possibility of choosing some other base (than two) to represent any of the 
inputs or outputs or carries. Perhaps base four might yield a design with fewer, larger 
cells? We hope that as more experience is gained in deriving designs in this way, better 
methods will emerge of aiming more directly at good implementations. 
The derivation proceeds by refinement: a process of reducing the complexity of the 
data on the “wires” of the circuit until only bits remain, and all of the components are 
implementable. We found very useful the ability to deal in a uniform way both with 
the abstractions such as integers and multiplication, and with concrete signal levels 
and gates. Distinguishing between numbers and signal levels is something which we 
have not done in the past, and we believe that it makes the step to “known” hardware 
components easier to recognise. 
As far as was possible we tried to be honest about the design process: we followed 
the calculation through with no particular target implementation in mind. For 
example, at the point where we discovered that $\mathit{snd}\,\mathit{bi}{>} \nvdash c_3 ; \mathit{fst}\,\mathit{bi}^{-1}$ and were
driven to introduce trits into the design, we did so “blindly”. One of us was unable to 
proceed with the design, and the other suggested this invention step with no global 
knowledge of the design, nor of the ultimate consequences of this decision. 
Notice that the two wires representing this trit in the final circuit carry signals in 
opposite directions. That is to say, one is an input to a component and the other is an 
output from it. The calculations in Ruby, and the introduction of the trit data type, 
were performed in complete ignorance of this fact. This abstraction from inputs and 
outputs is a consequence of the decision to represent circuits by relations, and 
a valuable separation of concerns. The cost is of course that when claiming that we 
have implemented a primitive relation by some electronic component we must check 
that it has an appropriate allocation of inputs and outputs, compatible with those of 
the rest of the circuit of which it is a part. 
We think that the first half of the derivation presented in this paper is a convincing 
account of the development of the algorithm which is implemented by the final circuit. 
It is disappointing, however, that the rearrangement of the circuit remains tedious and 
difficult; we hope that this can be improved, perhaps by a better understanding of the 
sort of calculation involved. It is clear, however, that mechanical assistance in 
checking the details of our calculations would be a great help. The very low levels of 
circuit design are already heavily automated, and it is one of our aims to expand the 
range of such mechanical assistance to higher and more abstract levels of the design 
process. 
The techniques used here should be applicable to a range of similar arithmetic 
circuits, but we see no reason why they should not be extended to other fields. All that 
is necessary is that solutions can be constructed from components whose combina- 
tions have algebraic properties like those of the arithmetic building-blocks which we 
used here. We are investigating, as an example, the derivation of routing circuits 
implemented as arrays of binary decisions and arbiters [12]. 
Acknowledgement 
The work reported in this paper has been supported by grants from the UK Science 
and Engineering Research Council, and was done while Mary Sheeran held a Royal 
Society of Edinburgh BP Research Fellowship at the Department of Computing 
Science of the University of Glasgow. 
References 
[1] R.C. Backhouse, P.J. de Bruin, P.F. Hoogendijk, G. Malcolm, E. Voermans and J.C.S.P. van der
Woude, A relational theory of datatypes (unpublished).
[2] R.S. Bird, An introduction to the theory of lists, in: M. Broy, ed., Logic of Programming and Calculi of
Discrete Design, NATO ASI Series F 36 (Springer, Berlin, 1987) 5-42.
[3] R.S. Bird, Lectures on constructive functional programming, in: M. Broy, ed., Constructive Methods in
Computing Science, NATO ASI Series F 55 (Springer, Berlin, 1989) 151-216.
[4] D. Borrione and A. Salem, Proving an on-line multiplier with OBJ and TACHE: a practical
experience, in: L.J.M. Claesen, ed., Applied Formal Methods for Correct VLSI Design (North-Holland,
Amsterdam, 1989).
[5] S.-K. Chin, Verified synthesis functions for negabinary arithmetic hardware, in: L.J.M. Claesen, ed.,
Applied Formal Methods for Correct VLSI Design (North-Holland, Amsterdam, 1989).
[6] L.J.M. Claesen, ed., Applied Formal Methods for Correct VLSI Design (North-Holland, Amsterdam,
1989).
[7] R. Heldal, C. Kehler Holst and P. Wadler, eds., Functional Programming, Glasgow, 1991, Workshops
in Computing Series (Springer, Berlin, 1992).
[8] G. Hutton and E. Voermans, A calculational theory of pers as types, in: R. Heldal, C. Kehler Holst
and P. Wadler, eds., Functional Programming, Glasgow, 1991, Workshops in Computing Series
(Springer, Berlin, 1992).
[9] G. Jones and M. Sheeran, Relations and refinement in circuit design, in: C.C. Morgan and
J.C.P. Woodcock, eds., Proceedings of the Third Refinement Workshop, 9-11 January 1990, Workshops
in Computing Series (Springer, Berlin, 1991) 133-152.
[10] G. Jones and M. Sheeran, Circuit design in Ruby, in: J. Staunstrup, ed., Formal Methods for Correct
VLSI Design (North-Holland, Amsterdam, 1990) 13-70.
[11] G. Jones and M. Sheeran, A certain loss of identity, in: J. Launchbury and P. Sansom, eds., Functional
Programming, Glasgow, 1992, Workshops in Computing Series (Springer, Berlin, 1992) 113-121.
[12] M.B. Josephs, R.H. Mak, J.T. Udding, T. Verhoeff and J.T. Yantchev, High-level design of an
asynchronous packet routing chip, in: J. Staunstrup and R. Sharp, eds., Designing Correct Circuits,
Lyngby, 1992, IFIP Transactions A 5 (North-Holland, Amsterdam, 1992).
[13] L.G.L.T. Meertens, Constructing a calculus of programs, in: J.L.A. van de Snepscheut, ed., Mathematics
of Program Construction, Lecture Notes in Computer Science 375 (Springer, Berlin, 1989).
[14] M. Sheeran, Designing regular array architectures using higher-order functions, in: J.-P. Jouannaud,
ed., Functional Programming Languages and Computer Architecture, Lecture Notes in Computer
Science 201 (Springer, Berlin, 1985) 220-237.
[15] M. Sheeran, A note on abstraction in Ruby, in: R. Heldal, C. Kehler Holst and P. Wadler, eds.,
Functional Programming, Glasgow, 1991, Workshops in Computing Series (Springer, Berlin, 1992).
[16] M. Simonis, Formal verification of multipliers, in: L.J.M. Claesen, ed., Applied Formal Methods for
Correct VLSI Design (North-Holland, Amsterdam, 1989).
[17] J. Staunstrup and R. Sharp, eds., Designing Correct Circuits, Lyngby, 1992, IFIP Transactions A 5
(North-Holland, Amsterdam, 1992).
[18] D. Verkest, L. Claesen and H. De Man, A proof of the non-restoring division algorithm and its
implementation on the Cathedral-II ALU, in: J. Staunstrup and R. Sharp, eds., Designing Correct
Circuits, Lyngby, 1992, IFIP Transactions A 5 (North-Holland, Amsterdam, 1992).
