A Formalization of Polytime Functions

We present a deep embedding of Bellantoni and Cook’s syntactic characterization of polytime functions. We prove formally that it is correct and complete with respect to the original characterization by Cobham that required a bound to be proved manually. Compared to the paper proof by Bellantoni and Cook, we have been careful in making our proof fully contructive so that we obtain more precise bounding polynomials and more efficient translations between the two characterizations. Another difference is that we consider functions on bitstrings instead of functions on positive integers. This latter change is motivated by the application of our formalization in the context of formal security proofs in cryptography. Based on our core formalization, we have started developing a library of polytime functions that can be reused to build more complex ones.

💡 Research Summary

This paper presents a comprehensive formalization of two seminal syntactic characterizations of polynomial‑time computable functions—Cobham’s class and the Bellantoni‑Cook class—within the proof assistant Coq, adapting both to operate on bit‑strings rather than on natural numbers. The motivation stems from the need in cryptographic security proofs to reason about the computational power of an adversary in a model‑independent way; Cobham’s original formulation requires a manually proved size bound for recursive definitions, which hinders automation, while Bellantoni‑Cook offers a fully syntactic alternative that eliminates explicit bounds.

The authors first develop a deep embedding of multivariate polynomials. A polynomial is represented as a pair consisting of the number of variables and a list of monomials, each monomial being a coefficient together with a list of variable‑exponent pairs. This representation supports constructive operations such as addition, multiplication, and substitution, all implemented as Coq functions. These polynomial utilities are later used to express the length‑bounding functions that appear in Cobham’s recursion scheme.

Next, the paper defines the syntax and semantics of Cobham’s class C for bit‑strings. The primitive operations include the constant empty string O, projections Πⁿᵢ, bit‑wise successor S_b, the “smash” operation # that concatenates a block of zeros of length |x|·|y|, composition Compₙ, and a restricted recursion Rec_g_h₀_h₁_j. An arity function A computes the number of arguments of each expression and validates well‑formedness. The semantics maps each constructor to a concrete bit‑string function; in particular, Rec is equipped with a “RecBounded” condition that enforces |f(y,x)| ≤ |j(y,x)|, guaranteeing a polynomial bound on the size of recursive results.

The Bellantoni‑Cook class B is then introduced with a clear separation between normal and safe arguments, written as “|” in the function signature. Its primitives are zero, projections πⁿ,ˢᵢ, bit‑wise successor s_b, predecessor pred, a three‑case conditional cond, composition compₙ,ₛ, and recursion rec_g_h₀_h₁. No external size‑bound function is required; the safe arguments are restricted to hold only the results of recursive calls, which automatically limits growth. A corresponding arity function A returns a pair (normal, safe) and validates the syntactic discipline.

A major contribution of the work is the construction of explicit, constructive translations between the two classes. The forward translation (Bellantoni‑Cook → Cobham) systematically encodes safe arguments as additional inputs to Cobham’s recursion and synthesizes the required bounding polynomial j from the polynomials associated with the Bellantoni‑Cook components (using the Pol_C construction). The reverse translation (Cobham → Bellantoni‑Cook) extracts the bounding polynomial j, decomposes it, and uses it to enforce the safe‑argument discipline required by Bellantoni‑Cook. Both translations are implemented as Coq functions and can be extracted to executable ML‑dialect code, providing a certified translator that can be used in practice.

Crucially, the authors give a constructive definition of the length‑bounding polynomial Pol_C(f) for any Cobham expression f. By structural induction on the syntax, Pol_C is built from the base polynomials of the primitives (e.g., Pol_C(O)=0, Pol_C(S_b)=x₀+1, Pol_C(#)=x₀·x₁+1) and combined through composition and recursion using min/max operators. This yields an explicit monotone polynomial that satisfies |f(x)| ≤ Pol_C(f)(|x|) for all inputs, eliminating the “existence‑only” statements of earlier works.

The formalization is not purely theoretical; the authors integrate the developed libraries into the CertiCrypt framework, which is used for machine‑checked cryptographic proofs. By providing concrete bounding polynomials, the need for ad‑hoc “free polynomial” assumptions disappears, strengthening the trustworthiness of security reductions. The paper demonstrates several examples of cryptographic primitives (hash functions, encryption schemes, signatures) where the adversary’s PPT behavior is modeled using the newly built Bellantoni‑Cook functions, and the resulting proofs are fully mechanized in Coq.

In the concluding sections, the authors discuss the impact of their work: (1) a fully constructive, machine‑checkable equivalence between Cobham’s and Bellantoni‑Cook’s characterizations for bit‑strings; (2) an automated, certified pipeline that translates functions between the two syntactic classes while preserving explicit polynomial bounds; (3) a practical library of poly‑time functions that can be reused in cryptographic security proofs. They also outline future directions, such as extending the framework to probabilistic polynomial‑time (PPT) functions, handling quantum adversaries, and optimizing the generated bounding polynomials for better performance in automated proof assistants.

Overall, the paper bridges a gap between implicit computational complexity theory and applied cryptographic verification, delivering both deep theoretical insights and concrete tooling that can be adopted by researchers and practitioners working on formally verified security protocols.