Extensibella: Extensibella Example: exactEval:security

Language Specification

File: syntax.sos

Module exactEval:security

Builds on exactEval:host

stmt ::= ...
       | secdecl(slev, typ, string, expr)


--------------------------------------- [Proj-Secdecl]
Names |{stmt}- secdecl(L, Ty, X, E) ~~>
               declare(Ty, X, E)



fun ::= ...
        /*secfun(name, ret ty, ret lev, ret var, init ret var val,
                 params, body)*/
      | secfun(string, typ, slev, string, value, [param], stmt)


----------------------------------------------------- [Proj-SecFun]
|{fun}- secfun(Name, RetTy, RetLev, RetVar, RVVal,
               Params, Body) ~~>
        fun(Name, RetTy, RetVar, RVVal, Params, Body)



param ::= ...
        | secparam(string, typ, slev)


--------------------------------------------------- [Proj-SecParam]
|{param}- secparam(Name, Ty, L) ~~> param(Name, Ty)



slev ::= private
       | public
Projection slev :



exprNames Scope::Ctx E N
-------------------------------------------- [SN-Secdecl]
{stmtNames Scope::Ctx secdecl(L, Ty, X, E) N
           (X::Scope)::Ctx}





no_lookup Scope X /*can't redeclare in scope*/
typeOf FC Scope::RestTC E Ty
--------------------------------------------- [T-Secdecl]
{stmtOK FC Scope::RestTC secdecl(L, Ty, X, E)
           ((X, Ty)::Scope)::RestTC}


/*check the function is well-typed with given types*/
paramTys Params ParamTys
stmtOK FC [(RetVar, RetTy)::ParamTys] Body FinalTC
/*check the function ctx contains the given types for this function*/
lookup FC FunName (RetTy, PTys)
values ParamTys PTys
/*no param with same name as return variable*/
no_lookup ParamTys RetVar
valueType RVVal RetTy
------------------------------------------------------ [T-SecFun]
funOK FC secfun(FunName, RetTy, RetLev, RetVar, RVVal,
                Params, Body)


paramTys Params NameTys
values NameTys PTys
--------------------------------------------------------- [GFI-SecFun]
{getFunInfo secfun(FunName, RetTy, RetLev, RetVar, RVVal,
                   Params, Body) FunName RetTy PTys}


------------------------------------- [PT-SecParam]
paramTy secparam(Name, Ty, L) Name Ty





evalExpr FE EE E V Scope::EE1 O
---------------------------------------------------------- [E-Secdecl]
evalStmt FE EE secdecl(L, Ty, X, E) ((X, V)::Scope)::EE1 O


paramNames Params PNames
-------------------------------------------------------- [GFEI-SecFun]
{getFunEvalInfo secfun(FunName, RetTy, RetLev, RetVar,
                       RVVal, Params, Body)
    FunName RetVar RVVal PNames Body}


------------------------------------ [PN-SecParam]
paramName secparam(Name, Ty, L) Name

File: analysis.sos

[Reduce File] [Raw File]

Module exactEval:security

/*
  The type [[(string, slev)]] is a set of scopes for security typing.
  As with typing and evaluation, the most recent scope is first.

  The type [(string, (slev, [slev]))] is the function context, listing
  the known functions with their return security slevs and argument
  security slevs.
*/
            /*fun ctx, level ctx, program counter, expression, level*/
Judgment level : {[(string, (slev, [slev]))] [[(string, slev)]] slev
                  expr* slev}
Fixed Judgment levelArgs : {
   [(string, (slev, [slev]))] [[(string, slev)]] slev args [slev]}
Fixed Judgment levelRecFields : {
   [(string, (slev, [slev]))] [[(string, slev)]] slev recFieldExprs slev}

     /*fun ctx, level ctx, programm counter, stmt, updated level ctx*/
Judgment secure : {[(string, (slev, [slev]))] [[(string, slev)]]
                   slev stmt* [[(string, slev)]]}

Judgment funSecure : [(string, (slev, [slev]))] fun*
Fixed Judgment paramSecs : [param] [(string, slev)]
Judgment paramSec : param* string slev
Fixed Judgment funsSecure : [(string, (slev, [slev]))] [fun]

Judgment getFunSec : fun* string slev [slev]
Fixed Judgment gatherFunSecCtx : [fun] [(string, (slev, [slev]))]

                   /*program, security levels of arguments to main*/
Judgment programSecure : program* [slev]





/********************************************************************
 Maximum of Security Levels
 ********************************************************************/

Judgment join : slev* slev slev

------------------------- [J-Public]
join public public public


---------------------- [J-Private-L]
join private L private


---------------------- [J-Private-R]
join L private private





/********************************************************************
 Expression, Argument, and Record Field Levels
 ********************************************************************/

---------------------------- [L-Num]
level SF SG Sl num(I) public


level SF SG Sl E1 L1
level SF SG Sl E2 L2
join L1 L2 L
----------------------------- [L-Plus]
level SF SG Sl plus(E1, E2) L


level SF SG Sl E1 L1
level SF SG Sl E2 L2
join L1 L2 L
------------------------------ [L-Minus]
level SF SG Sl minus(E1, E2) L


level SF SG Sl E1 L1
level SF SG Sl E2 L2
join L1 L2 L
----------------------------- [L-Mult]
level SF SG Sl mult(E1, E2) L


level SF SG Sl E1 L1
level SF SG Sl E2 L2
join L1 L2 L
---------------------------- [L-Div]
level SF SG Sl div(E1, E2) L


-------------------------- [L-True]
level SF SG Sl true public


--------------------------- [L-False]
level SF SG Sl false public


/*Because of short-circuiting evaluation, we need to treat and and or
  like ifThenElse, incorportaing the level of E1 into the PC of E2*/
level SF SG Sl E1 L1
join L1 Sl Sl1
level SF SG Sl1 E2 L2
join L1 L2 L
---------------------------- [L-And]
level SF SG Sl and(E1, E2) L


level SF SG Sl E1 L1
join L1 Sl Sl1
level SF SG Sl1 E2 L2
join L1 L2 L
--------------------------- [L-Or]
level SF SG Sl or(E1, E2) L


level SF SG Sl E L
----------------------- [L-Not]
level SF SG Sl not(E) L


level SF SG Sl E1 L1
level SF SG Sl E2 L2
join L1 L2 L
-------------------------------- [L-Greater]
level SF SG Sl greater(E1, E2) L


level SF SG Sl E1 L1
level SF SG Sl E2 L2
join L1 L2 L
--------------------------- [L-Eq]
level SF SG Sl eq(E1, E2) L


---------------------------------- [L-String]
level SF SG Sl stringLit(S) public


level SF SG Sl E1 L1
level SF SG Sl E2 L2
join L1 L2 L
---------------------------------- [L-AppString]
level SF SG Sl appString(E1, E2) L


lookupScopes X SG L
------------------------ [L-Name]
level SF SG Sl name(X) L


/*in private contexts, only private functions so we don't leak where
  we are by function output*/
lookup SF Fun (private, ArgLevs)
levelArgs SF SG private Args ArgLevs
------------------------------------------- [L-Call-Private]
level SF SG private call(Fun, Args) private


lookup SF Fun (RetLev, ArgLevs)
levelArgs SF SG public Args ArgLevs
----------------------------------------- [L-Call-Public]
level SF SG public call(Fun, Args) RetLev


secure SF []::SG Sl S SG1
level SF SG1 Sl E L
------------------------------- [L-StmtExpr]
level SF SG Sl stmtExpr(S, E) L


levelRecFields SF SG Sl Fields L
--------------------------------- [L-RecBuild]
level SF SG Sl recBuild(Fields) L


level SF SG Sl E L
----------------------------------------- [L-RecAccess]
level SF SG Sl recFieldAccess(E, Field) L


level SF SG Sl Msg L
----------------------------------- [L-Error]
level SF SG Sl errorExpr(Msg, Ty) L


names SG Names
Names |{expr}- E ~~> E_P
level SF SG Sl E_P L
------------------------ [L-Default]*
level SF SG Sl E L





============================= [LA-Nil]
levelArgs SF SG Sl nilArgs []


level SF SG Sl E L
levelArgs SF SG Sl A Rest
========================================= [LA-Cons]
levelArgs SF SG Sl consArgs(E, A) L::Rest





=============================================== [LRF-Nil]
levelRecFields SF SG Sl nilRecFieldExprs public


level SF SG Sl E LE
levelRecFields SF SG Sl RF LRF
join LE LRF L
===================================================== [LRF-Cons]
levelRecFields SF SG Sl consRecFieldExprs(F, E, RF) L





/********************************************************************
 Statement Security
 ********************************************************************/

----------------------- [S-Noop]
secure LF SG Sl noop SG


secure SF SG Sl S1 SG1
secure SF SG1 Sl S2 SG2
------------------------------- [S-Seq]
secure SF SG Sl seq(S1, S2) SG2


level SF Scope::SG public E public
no_lookup Scope X
--------------------------------------------- [S-Declare]
{secure SF Scope::SG public declare(Ty, X, E)
        ((X, public)::Scope)::SG}


level SF SG Sl E L
lookupScopes X SG private
------------------------------- [S-Assign-Private]
secure SF SG Sl assign(X, E) SG


level SF SG public E public
lookupScopes X SG public
----------------------------------- [S-Assign-Public]
secure SF SG public assign(X, E) SG


level SF SG Sl E L
lookupScopes Rec SG private
-------------------------------------------- [S-RecUpdate-Private]
secure SF SG Sl recUpdate(Rec, Fields, E) SG


level SF SG public E public
lookupScopes Rec SG public
------------------------------------------------ [S-RecUpdate-Public]
secure SF SG public recUpdate(Rec, Fields, E) SG


level SF SG Sl E L
join L Sl Sl1
secure SF []::SG Sl1 T SGT
secure SF []::SG Sl1 F SGF
-------------------------------------- [S-IfThenElse]
secure SF SG Sl ifThenElse(E, T, F) SG


/*
  We need to split security for while loops into public and private
  cases because our expressions can set variables.  If the condition
  could set public variables (program counter public) but the level of
  the condition be private, we could have two evalutaions of the loop,
  one that immediately uses E-While-False and one that uses
  E-While-True a few times.  This would set the public variable once
  in the former case but multiple times in the latter, making the
  values of the public variables differ.  Splitting it allows us to
  ensure we do not set public variables multiple times in one run but
  not another.
*/
level SF SG private E L /*safe to have any level here*/
secure SF []::SG private S Scope::SG1
------------------------------------- [S-While-Private]
secure SF SG private while(E, S) SG


level SF SG public E public
secure SF []::SG public S Scope::SG1
------------------------------------ [S-While-Public]
secure SF SG public while(E, S) SG


secure SF []::SG Sl S Scope::SG
------------------------------- [S-ScopeStmt]
secure SF SG Sl scopeStmt(S) SG


/*only print public values in public situations*/
level SF SG public E public
---------------------------------- [S-Print]
secure SF SG public printVal(E) SG


level SF Scope::SG Sl E L
no_lookup Scope X
-------------------------------------------------- [S-Secdecl-Private]
{secure SF Scope::SG Sl secdecl(private, Ty, X, E)
        ((X, private)::Scope)::SG}


level SF Scope::SG public E public
no_lookup Scope X
--------------------------------------- [S-Secdecl-Public]
{secure SF Scope::SG public
              secdecl(public, Ty, X, E)
           ((X, public)::Scope)::SG}


names SG Names
Names |{stmt}- S ~~> S_P
secure SF SG Sl S_P SG1
------------------------ [S-Default]*
secure SF SG Sl S SG1





/********************************************************************
 Function Security
 ********************************************************************/

/*
  Note we check function bodies are secure with the program counter
  starting at the level of the returned variable.  This ensures we can
  set the return variable in the body of the function if it is
  private.  A different approach might be useful for writing programs,
  but this works for reasoning.
*/

/*check the function is secure with given info*/
paramSecs Params ParamSecs
secure SF [(RetVar, public)::ParamSecs] public Body SG
/*check the function ctx agrees with this information*/
lookup SF FunName (public, PSecs)
values ParamSecs PSecs
------------------------------------------------------ [FS-Fun]
funSecure SF fun(FunName, RetTy, RetVar, RVVal,
                 Params, Body)


/*check the function is secure with given info*/
paramSecs Params ParamSecs
secure SF [(RetVar, RetLev)::ParamSecs] RetLev Body SG
/*check the function ctx agrees with this information*/
lookup SF FunName (RetLev, PSecs)
values ParamSecs PSecs
---------------------------------------------------------- [FS-SecFun]
funSecure SF secfun(FunName, RetTy, RetLev, RetVar, RVVal,
                    Params, Body)


|{fun}- F ~~> F_P
funSecure SF F_P
----------------- [FS-Default]*
funSecure SF F




================ [FSs-Nil]
funsSecure SF []


funSecure SF F
funsSecure SF Rest
===================== [FSs-Cons]
funsSecure SF F::Rest




------------------------------------ [PS-Param]
paramSec param(Name, Ty) Name public


------------------------------------- [PS-SecParam]
paramSec secparam(Name, Ty, L) Name L


|{param}- P ~~> P_P
paramSec P_P Name L
------------------- [PS-Default]*
paramSec P Name L




=============== [PSs-Nil]
paramSecs [] []


paramSec P Name L
paramSecs PRest SRest
=================================== [PSs-Cons]
paramSecs P::PRest (Name, L)::SRest





/********************************************************************
 Gather Function Information
 ********************************************************************/

paramSecs Params ParamSecs
values ParamSecs PSecs
--------------------------------------------- [GFS-Fun]
getFunSec fun(Name, RetTy, RetVar, RVVal,
              Params, Body) Name public PSecs


paramSecs Params ParamSecs
values ParamSecs PSecs
---------------------------------------------------- [GFS-SecFun]
getFunSec secfun(Name, RetTy, RetLev, RetVar, RVVal,
                 Params, Body) Name RetLev PSecs


|{fun}- F ~~> F_P
getFunSec F_P Name Lev PSecs
---------------------------- [GFS-Default]*
getFunSec F Name Lev PSecs




===================== [GFSC-Nil]
gatherFunSecCtx [] []


getFunSec F Name Lev PSecs
gatherFunSecCtx FRest SRest
==================================================== [GFSC-Cons]
gatherFunSecCtx F::FRest (Name, (Lev, PSecs))::SRest





/********************************************************************
 Program Security
 ********************************************************************/

gatherFunSecCtx Funs SF
getFunSec Main Name RetLev PSecs
funsSecure (Name, (RetLev, PSecs))::SF Funs
funSecure (Name, (RetLev, PSecs))::SF Main
------------------------------------------- [SP-Program]
programSecure program(Funs, Main) PSecs


|{program}- P ~~> P_P
programSecure P_P PSecs
----------------------- [SP-Default]*
programSecure P PSecs

Reasoning

[Show All Proofs] [Hide All Proofs] [Raw File]

Click on a command or tactic to see a detailed view of its use.

Module exactEval:security.


Prove_Constraint exactEval:host:proj_expr_unique.
Prove_Constraint exactEval:host:proj_expr_is.
Prove_Constraint exactEval:host:proj_expr_other.

Prove_Constraint exactEval:host:proj_stmt_unique. [Show Proof]

PrB: case PrB. search.
Prove_Constraint exactEval:host:proj_stmt_is. [Show Proof]

case IsS. search.
Prove_Constraint exactEval:host:proj_stmt_other. [Show Proof]

case IsS. search.

Prove_Constraint exactEval:host:proj_fun_unique. [Show Proof]

case PrB. search.
Prove_Constraint exactEval:host:proj_fun_is. [Show Proof]

case IsF. search.

Prove_Constraint exactEval:host:proj_param_unique. [Show Proof]

case PrB. search.
Prove_Constraint exactEval:host:proj_param_is. [Show Proof]

case IsP. search.

Prove_Constraint exactEval:host:proj_program_unique.
Prove_Constraint exactEval:host:proj_program_is.

Prove_Constraint exactEval:host:proj_typ_unique.
Prove_Constraint exactEval:host:proj_typ_is.


Extensible_Theorem
  is_slev_public_or_not : forall L,
    IsL : is_slev L ->
    L = public \/ (L = public -> false)
  on IsL. [Show Proof]

search. search.
Extensible_Theorem
  is_slev_private_or_not : forall L,
    IsL : is_slev L ->
    L = private \/ (L = private -> false)
  on IsL. [Show Proof]

search. search.
Extensible_Theorem
  is_slev_eq_or_not : forall L1 L2,
    IsL1 : is_slev L1 ->
    IsL2 : is_slev L2 ->
    L1 = L2 \/ (L1 = L2 -> false)
  on IsL1. [Show Proof]

%private
 Or: apply is_slev_private_or_not to IsL2. N: case Or.
   %private
    search.
   %not private
    right. intros E. case E. backchain N.
%public
 Or: apply is_slev_public_or_not to IsL2. N: case Or.
   %public
    search.
   %not public
    right. intros E. case E. backchain N.

Add_Proj_Rel exactEval:host:is_expr, exactEval:host:is_args,
             exactEval:host:is_recFieldExprs, exactEval:host:is_stmt.
Prove_Ext_Ind exactEval:host:is_expr, exactEval:host:is_args,
              exactEval:host:is_recFieldExprs, exactEval:host:is_stmt. [Show Proof]

apply IH to R4. search.

Prove exactEval:host:is_args_nilArgs_or_consArgs.
Prove exactEval:host:is_recFieldExprs_nilRecFieldExprs_or_consRecFieldExprs.


Prove exactEval:host:vars_unique.
Prove exactEval:host:vars_is.
Prove exactEval:host:vars_exist,
      exactEval:host:varsArgs_exist,
      exactEval:host:varsRecFields_exist.


Prove exactEval:host:stmtNames_is,
      exactEval:host:stmtNames_isCtx,
      exactEval:host:exprNames_is. [Show Proof]

%stmtNames_is
 case IsS. apply IH_E to _ _ SN1. search.
%stmtNames_isCtx
 case IsS. case IsCtx. search.

Prove exactEval:host:stmtNames_unique,
      exactEval:host:exprNames_unique. [Show Proof]

case IsS. SNB: case SNB. apply IH_E to _ _ SNA1 SNB. search.

Prove exactEval:host:stmtNames_keep_older. [Show Proof]

search.

Prove exactEval:host:stmtNames_exists,
      exactEval:host:exprNames_exists,
      exactEval:host:argsNames_exists,
      exactEval:host:recFieldNames_exists. [Show Proof]

apply IH_E to IsS4 IsCtx. search.

Prove exactEval:host:stmtNames_not_in_ctx,
      exactEval:host:exprNames_not_in_ctx. [Show Proof]

case IsS. apply IH_E to _ _ SN1 MemN MemsCtx.

Prove exactEval:host:stmtNames_relatedCtxs,
      exactEval:host:stmtNames_relatedCtxs_ctx_fwd,
      exactEval:host:stmtNames_relatedCtxs_ctx_back,
      exactEval:host:exprNames_relatedCtxs. [Show Proof]

%stmtNames_relatedCtxs
 case IsS. apply IH_E to _ _ _ RelAB RelBA SN1. search.
%stmtNames_relatedCtxs_ctx_fwd
 case IsS. SNB: case SNB. M: case Mems.
   %Mems-Here
    M: case M.
      %Mem-Here
       search.
      %Mem-Later
       M': apply RelAB to _ with X1 = X. case M'. search. search.
   %Mems-Later
    M': apply RelAB to _ with X1 = X. case M'. search. search.
%stmtNames_relatedCtxs_ctx_back
 SNB: case SNB. M: case Mems.
   %Mems-Here
    M: case M.
      %Mem-Here
       search.
      %Mem-Later
       M': apply RelBA to _ with X1 = X. case M'. search. search.
   %Mems-Later
    M': apply RelBA to _ with X1 = X. case M'. search. search.


Prove exactEval:host:stmtNames_increaseCtxs,
      exactEval:host:stmtNames_increaseCtxs_ctxs,
      exactEval:host:exprNames_increaseCtxs. [Show Proof]

%stmtNames_increaseCtxs
 case IsS. SNB: case SNB. apply IH_E to _ _ _ _ SNA1 SNB M. search.
%stmtNames_increaseCtxs_ctxs
 case IsS. SNB: case SNB. M: case M.
   %Mems-Here
    M: case M.
      %Mem-Here (X = X1)
       search.
      %Mem-Later
       M': apply RelAB to _ with X1 = X. case M'. search. search.
   %Mems-Later
    M': apply RelAB to _ with X1 = X. case M'. search. search.

Prove_Constraint exactEval:host:proj_exprNames.

Prove_Constraint exactEval:host:proj_stmtNames. [Show Proof]

SN: case SN. SN_P: case SN_P. case IsS.
apply exprNames_unique to _ _ SN SN_P. search.

Prove_Constraint exactEval:host:proj_stmtNames_names_forward. [Show Proof]

SN: case SN. SN_P: case SN_P. case IsS.
apply exprNames_unique to _ _ SN SN_P. search.

Prove_Constraint exactEval:host:proj_stmtNames_names_backward. [Show Proof]

SN: case SN. SN_P: case SN_P. case IsS.
apply exprNames_unique to _ _ SN SN_P. search.

Prove exactEval:host:typeOf_isTy,
      exactEval:host:stmtOK_isCtx. [Show Proof]

case IsS. case IsET. search.

Prove exactEval:host:stmtOK_keep_scopes. [Show Proof]

case L. search.
Prove exactEval:host:stmtOK_older_scopes_same. [Show Proof]

search.
Prove exactEval:host:stmtOK_first_scope_lookup_same. [Show Proof]

assert X1 = X -> false.
  intros E. case E. apply no_lookup to Ty1 L.
search.

Prove exactEval:host:typeOf_unique,
      exactEval:host:stmtOK_unique. [Show Proof]

TyB: case TyB. R: case Lkp. unfold.
  %lookup
   intros L. L: case L.
     %Lkp-Here
      search.
     %Lkp-Later
      apply R to L1. search.
  %no_lookup
   intros IsX1 NL. NL: case NL. apply R1 to _ NL1. search.
  %rest
   search.


Prove exactEval:host:paramTy_is. [Show Proof]

case IsP. search.
Prove exactEval:host:getFunInfo_is. [Show Proof]

case IsF. apply paramTys_is to _ GFI1. apply values_is_ty to _ GFI2.
search.

Prove exactEval:host:paramTy_exists. [Show Proof]

search.
Prove exactEval:host:getFunInfo_exists. [Show Proof]

PT: apply paramTys_exists to IsF6. Is: apply paramTys_is to _ PT.
apply values_exists_ty to Is. search.


Prove exactEval:host:evalExpr_isCtx,
      exactEval:host:evalExpr_isValue,
      exactEval:host:evalStmt_isCtx,
      exactEval:host:evalArgs_isCtx,
      exactEval:host:evalArgs_isValue,
      exactEval:host:evalRecFields_isCtx,
      exactEval:host:evalRecFields_isValue. [Show Proof]

case IsS. apply IH_V_E to _ _ _ Ev1.
IsEE2+: apply IH_C_E to _ _ _ Ev1. case IsEE2+. search.

Prove exactEval:host:evalExpr_isOutput,
      exactEval:host:evalStmt_isOutput,
      exactEval:host:evalArgs_isOutput,
      exactEval:host:evalRecFields_isOutput. [Show Proof]

case IsS. apply IH_E to _ _ _ Ev1. search.


Prove exactEval:host:paramName_is. [Show Proof]

case IsP. search.
Prove exactEval:host:getFunEvalInfo_is. [Show Proof]

case IsF. apply paramNames_is to _ GEFI1. search.


Prove exactEval:host:evalProgram_isOutput.


Prove exactEval:host:evalExpr_names_same,
      exactEval:host:evalStmt_names_same,
      exactEval:host:evalArgs_names_same,
      exactEval:host:evalRecFields_names_same. [Show Proof]

case IsS. NS: apply IH_E to _ _ _ Ev1. case NS. search.


Prove exactEval:host:evalExpr_newNameScopes,
      exactEval:host:evalExpr_newNameScopes_output,
      exactEval:host:evalExpr_newNameScopes_ctx,
      exactEval:host:evalStmt_newNameScopes_output,
      exactEval:host:evalStmt_newNameScopes,
      exactEval:host:evalArgs_newNameScopes,
      exactEval:host:evalArgs_newNameScopes_output,
      exactEval:host:evalArgs_newNameScopes_ctx,
      exactEval:host:evalRecFields_newNameScopes,
      exactEval:host:evalRecFields_newNameScopes_output,
      exactEval:host:evalRecFields_newNameScopes_ctx. [Show Proof]

%evalStmt_newNameScopes_output
 case IsS. EvB: case EvB. apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
%evalStmt_newNameScopes
 case IsS. EvB: case EvB. NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
 apply IH_V_E to _ _ _ _ EvA1 EvB _. NNS': case NNS' (keep).
   %end
    LenB: apply length_exists_list_pair_string_value to IsB.
    LenB': case LenB (keep).
    LEq: apply newNameScopes_length to NNS LenB'.
    LenEE2+: apply evalExpr_keep_scopes to _ _ _ EvB LenB.
    LenEE2: case LenEE2+ (keep). apply length_is to LenB'.
    apply length_is to LenEE2. apply length_unique to NNS'1 LenEE2+.
    apply plus_integer_unique_addend to _ _ _ LenEE1 LenB'1.
    L: apply lt_plus_one to LenEE1 _.
    apply less_lesseq_flip_false to L LEq.
   %step
    search.

Add_Ext_Size exactEval:host:evalExpr,
             exactEval:host:evalArgs,
             exactEval:host:evalRecFields,
             exactEval:host:evalStmt.
Add_Proj_Rel exactEval:host:evalExpr,
             exactEval:host:evalArgs,
             exactEval:host:evalRecFields,
             exactEval:host:evalStmt.

Prove exactEval:host:evalExpr_newNameScopes_exists_ES,
      exactEval:host:evalStmt_newNameScopes_exists_ES,
      exactEval:host:evalArgs_newNameScopes_exists_ES,
      exactEval:host:evalRecFields_newNameScopes_exists_ES. [Show Proof]

 NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
 case IsS. EvA1: apply IH_E to _ _ _ _ EvB2 NNS'.
 Len_EE_A+: apply length_exists_list_pair_string_value to IsA.
 EvA1': apply drop_ext_size_evalExpr to EvA1.
 Len_EE_A': apply evalExpr_keep_scopes to _ _ _ EvA1' Len_EE_A+.
 Len: case Len_EE_A+. GEq: apply length_geq_0 to Len.
 apply length_is to Len. L: apply lt_plus_one to Len1 _.
 LEq: case GEq. apply lesseq_less_integer_transitive to LEq L.
 apply length_cons to Len_EE_A' _. search.

Prove exactEval:host:evalExpr_ctx_names,
      exactEval:host:evalStmt_ctx_names,
      exactEval:host:evalArgs_ctx_names,
      exactEval:host:evalRecFields_ctx_names. [Show Proof]

case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ Ev1.
backchain ctx_names_add.

Prove exactEval:host:evalExpr_newNameScopes_exists_back,
      exactEval:host:evalStmt_newNameScopes_exists_back,
      exactEval:host:evalArgs_newNameScopes_exists_back,
      exactEval:host:evalRecFields_newNameScopes_exists_back. [Show Proof]

case IsS. SN: case SN. EvB: apply IH_E to _ _ _ _ _ Ctxs SN EvA1 _.
C: apply evalExpr_ctx_names to _ _ _ _ Ctxs SN EvB. case C. search.

Prove exactEval:host:evalExpr_scopes_same,
      exactEval:host:evalExpr_scopes_same_ctx,
      exactEval:host:evalStmt_scopes_same,
      exactEval:host:evalStmt_scopes_same_ctx,
      exactEval:host:evalArgs_scopes_same,
      exactEval:host:evalArgs_scopes_same_ctx,
      exactEval:host:evalRecFields_scopes_same,
      exactEval:host:evalRecFields_scopes_same_ctx. [Show Proof]

%evalStmt_scopes_same
 case IsS. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA1 EvB. search.
%evalStmt_scopes_same_ctx
 case IsS. EvB: case EvB. SS': apply IH_E_C to _ _ _ _ _ EvA1 EvB.
 apply IH_E to _ _ _ _ _ EvA1 EvB. SS': case SS'. unfold.
   %lookup forward
    intros L. L: case L.
      %Lkp-Here
       search.
      %Lkp-Later
       apply SS' to L1. search.
   %lookup back
    intros L. L: case L.
      %Lkp-Here
       search.
      %Lkp-Later
       apply SS'1 to L1. search.
   %rest
    search.

Prove exactEval:host:evalExpr_scopes_same_exists,
      exactEval:host:evalStmt_scopes_same_exists,
      exactEval:host:evalArgs_scopes_same_exists,
      exactEval:host:evalRecFields_scopes_same_exists. [Show Proof]

case IsS. EvB: apply IH_E to _ _ _ _ SS EvA1.
SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB.
case SS' (keep). apply evalExpr_isCtx to _ _ _ EvA1.
apply evalExpr_isCtx to _ _ _ EvB. search.

Prove_Constraint exactEval:host:proj_evalExpr_forward.
Prove_Constraint exactEval:host:proj_evalExpr_backward.

Prove_Constraint exactEval:host:proj_evalStmt_forward. [Show Proof]

Ev: case Ev. exists (((X, V)::Scope)::EE2). split.
  %eval
   search.
  %scopes_same
   case IsS. apply evalExpr_isValue to _ _ _ Ev.
   IsEE2+: apply evalExpr_isCtx to _ _ _ Ev. case IsEE2+.
   backchain scopes_same_reflexive.
Prove_Constraint exactEval:host:proj_evalStmt_backward. [Show Proof]

Ev: case Ev. exists (((X, V)::Scope)::EE2). split.
  %eval
   search.
  %scopes_same
   case IsS. apply evalExpr_isValue to _ _ _ Ev.
   IsEE2+: apply evalExpr_isCtx to _ _ _ Ev. case IsEE2+.
   backchain scopes_same_reflexive.

Prove_Ext_Ind exactEval:host:evalExpr,
              exactEval:host:evalArgs,
              exactEval:host:evalRecFields,
              exactEval:host:evalStmt. [Show Proof]

case IsS. apply ext_size_is_int_evalExpr to R2.
apply ext_size_pos_evalExpr to R2. Acc: case Acc.
L: apply lt_plus_one to R1 _. A: apply Acc to _ L.
apply IH to R2 A _ _ _. apply names_exists to IsEE. search.


Prove exactEval:host:paramName_unique. [Show Proof]

case PB. search.

Prove_Constraint exactEval:host:proj_paramName_forward. [Show Proof]

case PN. search.
Prove_Constraint exactEval:host:proj_paramName_back. [Show Proof]

case PN. search.

Prove exactEval:host:getFunEvalInfo_unique. [Show Proof]

case IsF. GFEIB: case GFEIB.
apply paramNames_unique to _ GFEIA1 GFEIB. search.


Prove_Constraint exactEval:host:proj_getFunEvalInfo_forward. [Show Proof]

case GFEI. search.
Prove_Constraint exactEval:host:proj_getFunEvalInfo_back. [Show Proof]

case GFEI. search.

Prove exactEval:host:evalProgram_unique.

Prove_Constraint exactEval:host:proj_evalProgram_forward.
Prove_Constraint exactEval:host:proj_evalProgram_back.


Prove exactEval:host:evalExpr_typePres_ctx,
      exactEval:host:evalExpr_typePres,
      exactEval:host:evalStmt_typePres,
      exactEval:host:evalArgs_typePres_Ctx,
      exactEval:host:evalArgs_typePres,
      exactEval:host:evalRecFields_typePres_Ctx,
      exactEval:host:evalRecFields_typePres. [Show Proof]

case IsS. Ty: case Ty. apply IH_T_E to _ _ _ _ _ Ty1 Ev1 _ _.
R: apply IH_C_E to _ _ _ _ _ Ty1 Ev1 _ _. R: case R. unfold.
  %lookup
   intros L. L: case L.
     %Lkp-Here
      search.
     %Lkp-Later
      apply R to L1. exists V1. split.
        %lookup ((X, V)::Scope) X1 V1
         search.
        %valueType V1 T
         search.
  %no_lookup
   intros N. N: case N. apply R1 to N1. search.
  %rest
   search.

Prove exactEval:host:paramTy_paramName_same. [Show Proof]

case PN. search.
Prove exactEval:host:funOK_getFunEvalInfo_related. [Show Proof]

GFEI: case GFEI.
Z: apply paramTys_values_names_zip_same to FOK1 FOK4 GFEI.
exists RetTy, PTys, ParamTys, FinalTC. search.


Prove exactEval:host:evalExpr_output_forms,
      exactEval:host:evalStmt_output_forms,
      exactEval:host:evalArgs_output_forms,
      exactEval:host:evalRecFields_output_forms. [Show Proof]

case IsS. apply IH_E to _ _ _ Ev1. search.

Prove exactEval:host:evalProgram_output_forms.


Prove exactEval:host:paramName_exists. [Show Proof]

search.
Prove exactEval:host:getFunEvalInfo_exists. [Show Proof]

apply paramNames_exists to IsF6. search.





/********************************************************************
    _____                      _ _
  / ____|                    (_) |
 | (___   ___  ___ _   _ _ __ _| |_ _   _
  \___ \ / _ \/ __| | | | '__| | __| | | |
  ____) |  __/ (__| |_| | |  | | |_| |_| |
 |_____/ \___|\___|\__,_|_|  |_|\__|\__, |
                                     __/ |
  _____                           _ |___/
 |  __ \                         | | (_)
 | |__) | __ ___  _ __   ___ _ __| |_ _  ___  ___
 |  ___/ '__/ _ \| '_ \ / _ \ '__| __| |/ _ \/ __|
 | |   | | | (_) | |_) |  __/ |  | |_| |  __/\__ \
 |_|   |_|  \___/| .__/ \___|_|   \__|_|\___||___/
                 | |
                 |_|
 Security Properties
 ********************************************************************/

/********************************************************************
 Properties about join
 ********************************************************************/
Extensible_Theorem
  join_is : forall L1 L2 R,
    Is1 : is_slev L1 ->
    Is2 : is_slev L2 ->
    J : join L1 L2 R ->
    is_slev R
  on J. [Show Proof]

%J-Public
 search.
%J-Private-L
 search.
%J-Private-R
 search.


%need this because we can't analyze it due to restrictions
Extensible_Theorem
  join_private_right : forall L R,
    Is : is_slev L ->
    J : join L private R ->
    R = private
  on J. [Show Proof]

%J-Private-L
 search.
%J-Private-R
 search.


Extensible_Theorem
  join_unique : forall L1 L2 LA LB,
    Is1 : is_slev L1 ->
    Is2 : is_slev L2 ->
    JA : join L1 L2 LA ->
    JB : join L1 L2 LB ->
    LA = LB
  on JA. [Show Proof]

%J-Public
 JB: case JB. search.
%J-Private-L
 JB: case JB.
   %J-Private-L
    search.
   %J-Private-R
    search.
%J-Private-R
 apply join_private_right to _ JB. search.


Extensible_Theorem
  join_private : forall L1 L2,
    Is1 : is_slev L1 ->
    Is2 : is_slev L2 ->
    J : join L1 L2 private ->
    L1 = private \/ L2 = private
  on J. [Show Proof]

%J-Private-L
 search.
%J-Private-R
 search.


Extensible_Theorem
  join_public : forall L1 L2,
    Is1 : is_slev L1 ->
    Is2 : is_slev L2 ->
    J : join L1 L2 public ->
    L1 = public /\ L2 = public
  on J. [Show Proof]

%J-Public
 search.




/********************************************************************
 Security is
 ********************************************************************/
Theorem lookup_is_slev : forall L X Lev,
  is_list (is_pair is_string is_slev) L -> lookup L X Lev ->
  is_slev Lev. [Show Proof]

induction on 2. intros Is L. L: case L.
  %Lkp-Here
   Is: case Is. case Is. search.
  %Lkp-Later
   case Is. apply IH to _ L1. search.


Theorem lookupScopes_is_slev : forall SG X Lev,
  is_list (is_list (is_pair is_string is_slev)) SG ->
  lookupScopes X SG Lev -> is_slev Lev. [Show Proof]

induction on 2. intros Is LS. LS: case LS.
  %LS-FirstScope
   case Is. apply lookup_is_slev to _ LS. search.
  %LS-Later
   case Is. apply IH to _ LS1. search.


Theorem lookupSecFun_is : forall SF F Lev PLs,
  is_list (is_pair is_string
          (is_pair is_slev (is_list is_slev))) SF ->
  lookup SF F (Lev, PLs) -> is_slev Lev /\ is_list is_slev PLs. [Show Proof]

induction on 2. intros Is L. L: case L.
  %Lkp-Here
   Is: case Is. Is: case Is. case Is2. search.
  %Lkp-Later
   case Is. apply IH to _ L1. search.


Theorem domain_is_sec : forall L D,
  is_list (is_pair is_string is_slev) L -> domain L D ->
  is_list is_string D. [Show Proof]

induction on 2. intros Is D. D: case D.
  %Dmn-Nil
   search.
  %Dmn-Cons
   Is: case Is. case Is. apply IH to _ D. search.


Theorem names_is_sec : forall SG Names,
  is_list (is_list (is_pair is_string is_slev)) SG ->
  names SG Names -> is_list is_string Names. [Show Proof]

induction on 2. intros Is N. N: case N.
  %Names-Nil
   search.
  %Names-Cons
   case Is. apply domain_is_sec to _ N. apply IH to _ N1.
   apply append_list_string_is to _ _ N2. search.


Theorem mem_is_sec : forall L IDS,
  is_list (is_pair is_string is_slev) L -> mem IDS L ->
  is_pair is_string is_slev IDS. [Show Proof]

induction on 2. intros Is M. M: case M.
  %Mem-Here
   case Is. search.
  %Mem-Later
   case Is. apply IH to _ M. search.


Extensible_Theorem
  level_is : forall SF SG PC E L,
    IsE : is_expr E ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    Lev : level SF SG PC E L ->
    is_slev L
  on Lev as IH_E,
  secure_is : forall SF SG PC S SG',
    IsS : is_stmt S ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    Sec : secure SF SG PC S SG' ->
    is_list (is_list (is_pair is_string is_slev)) SG'
  on Sec as IH_S
also
  levelArgs_is : forall SF SG PC A L,
    IsA : is_args A ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    Lev : levelArgs SF SG PC A L ->
    is_list is_slev L
  on Lev as IH_A,
  levelRecFields_is : forall SF SG PC RF L,
    IsRF : is_recFieldExprs RF ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    Lev : levelRecFields SF SG PC RF L ->
    is_slev L
  on Lev as IH_RF. [Show Proof]

%level_unique
 %L-Num
  search.
 %L-Plus
  case IsE. apply IH_E to _ _ _ Lev1. apply IH_E to _ _ _ Lev2.
  apply join_is to _ _ Lev3. search.
 %L-Minus
  case IsE. apply IH_E to _ _ _ Lev1. apply IH_E to _ _ _ Lev2.
  apply join_is to _ _ Lev3. search.
 %L-Mult
  case IsE. apply IH_E to _ _ _ Lev1. apply IH_E to _ _ _ Lev2.
  apply join_is to _ _ Lev3. search.
 %L-Div
  case IsE. apply IH_E to _ _ _ Lev1. apply IH_E to _ _ _ Lev2.
  apply join_is to _ _ Lev3. search.
 %L-True
  search.
 %L-False
  search.
 %L-And
  case IsE. apply IH_E to _ _ _ Lev1. apply IH_E to _ _ _ Lev3.
  apply join_is to _ _ Lev4. search.
 %L-Or
  case IsE. apply IH_E to _ _ _ Lev1. apply IH_E to _ _ _ Lev3.
  apply join_is to _ _ Lev4. search.
 %L-Not
  case IsE. apply IH_E to _ _ _ Lev1. search.
 %L-Greater
  case IsE. apply IH_E to _ _ _ Lev1. apply IH_E to _ _ _ Lev2.
  apply join_is to _ _ Lev3. search.
 %L-Eq
  case IsE. apply IH_E to _ _ _ Lev1. apply IH_E to _ _ _ Lev2.
  apply join_is to _ _ Lev3. search.
 %L-String
  search.
 %L-AppString
  case IsE. apply IH_E to _ _ _ Lev1. apply IH_E to _ _ _ Lev2.
  apply join_is to _ _ Lev3. search.
 %L-Name
  apply lookupScopes_is_slev to _ Lev1. search.
 %L-Call-Private
  apply lookupSecFun_is to _ Lev1. search.
 %L-Coll-Public
  apply lookupSecFun_is to _ Lev1. search.
 %L-StmtExpr
  case IsE. apply IH_S to _ _ _ Lev1. apply IH_E to _ _ _ Lev2.
  search.
 %L-RecBuild
  case IsE. apply IH_RF to _ _ _ Lev1. search.
 %L-RecAccess
  case IsE. apply IH_E to _ _ _ Lev1. search.
 %L-Error
  case IsE. apply IH_E to _ _ _ Lev1. search.
 %L-Default
  apply names_is_sec to _ Lev1. apply proj_expr_is to Lev2 _ _.
  apply IH_E to _ _ _ Lev3. search.
%secure_unique
 %S-Noop
  search.
 %S-Seq
  case IsS. apply IH_S to _ _ _ Sec1. apply IH_S to _ _ _ Sec2.
  search.
 %S-Declare
  case IsS. case IsSG. search.
 %S-Assign-Private
  search.
 %S-Assign-Public
  search.
 %S-RecUpdate-Private
  search.
 %S-RecUpdate-Public
  search.
 %S-IfThenElse
  search.
 %S-While-Private
  search.
 %S-While-Public
  search.
 %S-ScopeStmt
  search.
 %S-Print
  search.
 %S-Secdecl-Private
  case IsS. case IsSG. search.
 %S-Secdecl-Public
  case IsS. case IsSG. search.
 %S-Default
  apply names_is_sec to _ Sec1. apply proj_stmt_is to Sec2 _ _.
  apply IH_S to _ _ _ Sec3. search.
%levelArgs_unique
 Lev: case Lev (keep).
   %LA-Nil
    search.
   %LA-Cons
    case IsA. apply IH_E to _ _ _ Lev1. apply IH_A to _ _ _ Lev2.
    search.
%levelRecFields_unique
 Lev: case Lev (keep).
   %LRF-Nil
    search.
   %LRF-Cons
    case IsRF. apply IH_E to _ _ _ Lev1. apply IH_RF to _ _ _ Lev2.
    apply join_is to _ _ Lev3. search.




/********************************************************************
 Uniqueness of security
 ********************************************************************/
Extensible_Theorem
  level_unique : forall SF SG PC E LA LB,
    IsE : is_expr E ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsPC : is_slev PC ->
    LevA : level SF SG PC E LA ->
    LevB : level SF SG PC E LB ->
    LA = LB
  on LevA as IH_E,
  secure_unique : forall SF SG PC S SGA SGB,
    IsS : is_stmt S ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsPC : is_slev PC ->
    SecA : secure SF SG PC S SGA ->
    SecB : secure SF SG PC S SGB ->
    SGA = SGB
  on SecA as IH_S
also
  levelArgs_unique : forall SF SG PC A LA LB,
    IsA : is_args A ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsPC : is_slev PC ->
    LevA : levelArgs SF SG PC A LA ->
    LevB : levelArgs SF SG PC A LB ->
    LA = LB
  on LevA as IH_A,
  levelRecFields_unique : forall SF SG PC RF LA LB,
    IsRF : is_recFieldExprs RF ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsPC : is_slev PC ->
    LevA : levelRecFields SF SG PC RF LA ->
    LevB : levelRecFields SF SG PC RF LB ->
    LA = LB
  on LevA as IH_RF. [Show Proof]

%level_unique
 %L-Num
  case LevB. search.
 %L-Plus
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  apply IH_E to _ _ _ _ LevA2 LevB1. apply level_is to _ _ _ LevA1.
  apply level_is to _ _ _ LevA2. apply join_unique to _ _ LevA3 LevB2.
  search.
 %L-Minus
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  apply IH_E to _ _ _ _ LevA2 LevB1. apply level_is to _ _ _ LevA1.
  apply level_is to _ _ _ LevA2. apply join_unique to _ _ LevA3 LevB2.
  search.
 %L-Mult
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  apply IH_E to _ _ _ _ LevA2 LevB1. apply level_is to _ _ _ LevA1.
  apply level_is to _ _ _ LevA2. apply join_unique to _ _ LevA3 LevB2.
  search.
 %L-Div
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  apply IH_E to _ _ _ _ LevA2 LevB1. apply level_is to _ _ _ LevA1.
  apply level_is to _ _ _ LevA2. apply join_unique to _ _ LevA3 LevB2.
  search.
 %L-True
  case LevB. search.
 %L-False
  case LevB. search.
 %L-And
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  apply level_is to _ _ _ LevA1. apply level_is to _ _ _ LevB.
  apply join_unique to _ _ LevA2 LevB1. apply join_is to _ _ LevA2.
  apply IH_E to _ _ _ _ LevA3 LevB2. apply level_is to _ _ _ LevA1.
  apply level_is to _ _ _ LevA3. apply join_unique to _ _ LevA4 LevB3.
  search.
 %L-Or
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  apply level_is to _ _ _ LevA1. apply level_is to _ _ _ LevB.
  apply join_unique to _ _ LevA2 LevB1. apply join_is to _ _ LevA2.
  apply IH_E to _ _ _ _ LevA3 LevB2. apply level_is to _ _ _ LevA1.
  apply level_is to _ _ _ LevA3. apply join_unique to _ _ LevA4 LevB3.
  search.
 %L-Not
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB. search.
 %L-Greater
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  apply IH_E to _ _ _ _ LevA2 LevB1. apply level_is to _ _ _ LevA1.
  apply level_is to _ _ _ LevA2. apply join_unique to _ _ LevA3 LevB2.
  search.
 %L-Eq
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  apply IH_E to _ _ _ _ LevA2 LevB1. apply level_is to _ _ _ LevA1.
  apply level_is to _ _ _ LevA2. apply join_unique to _ _ LevA3 LevB2.
  search.
 %L-String
  case LevB. search.
 %L-AppString
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  apply IH_E to _ _ _ _ LevA2 LevB1. apply level_is to _ _ _ LevA1.
  apply level_is to _ _ _ LevA2. apply join_unique to _ _ LevA3 LevB2.
  search.
 %L-Name
  case IsE. LevB: case LevB. apply lookupScopes_unique to LevA1 LevB.
  search.
 %L-Call-Private
  case IsE. LevB: case LevB. apply lookup_unique to LevA1 LevB.
  search.
 %L-Call-Public
  case IsE. LevB: case LevB. apply lookup_unique to LevA1 LevB.
  search.
 %L-StmtExpr
  case IsE. LevB: case LevB. apply IH_S to _ _ _ _ LevA1 LevB.
  apply secure_is to _ _ _ LevA1. apply IH_E to _ _ _ _ LevA2 LevB1.
  search.
 %L-RecBuild
  case IsE. LevB: case LevB. apply IH_RF to _ _ _ _ LevA1 LevB.
  search.
 %L-RecAccess
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  search.
 %L-Error
  case IsE. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
  search.
 %L-Default
  apply names_is_sec to _ LevA1. apply proj_expr_is to LevA2 _ _.
  LevB: case LevB. apply names_unique to LevA1 LevB.
  apply proj_expr_unique to LevA2 LevB1 _ _ _ _ _.
  apply IH_E to _ _ _ _ LevA3 LevB2. search.
%secure_unique
 %S-Noop
  case SecB. search.
 %S-Seq
  case IsS. SecB: case SecB. apply IH_S to _ _ _ _ SecA1 SecB.
  apply secure_is to _ _ _ SecA1. apply secure_is to _ _ _ SecB.
  apply IH_S to _ _ _ _ SecA2 SecB1. search.
 %S-Declare
  case IsS. SecB: case SecB. search.
 %S-Assign-Private
  case IsS. SecB: case SecB.
    %S-Assign-Private
     search.
    %S-Assign-Public
     search.
 %S-Assign-Public
  case SecB.
    %S-Assign-Private
     search.
    %S-Assign-Public
     search.
 %S-RecUpdate-Private
  case SecB.
    %S-RecUpdate-Private
     search.
    %S-RecUpdate-Public
     search.
 %S-RecUpdate-Public
  case SecB.
    %S-RecUpdate-Private
     search.
    %S-RecUpdate-Public
     search.
 %S-IfThenElse
  case SecB. search.
 %S-While-Private
  case SecB. search.
 %S-While-Public
  case SecB. search.
 %S-ScopeStmt
  case SecB. search.
 %S-Print
  case SecB. search.
 %S-Secdecl-Private
  case SecB. search.
 %S-Secdecl-Public
  case SecB. search.
 %S-Default
  SecB: case SecB. apply names_is_sec to _ SecA1.
  apply proj_stmt_is to SecA2 _ _. apply names_unique to SecA1 SecB.
  apply proj_stmt_unique to SecA2 SecB1 _ _ _ _ _.
  apply IH_S to _ _ _ _ SecA3 SecB2. search.
%levelArgs_unique
 LevA: case LevA (keep).
   %LA-Nil
    case LevB. search.
   %LA-Cons
    case IsA. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
    apply IH_A to _ _ _ _ LevA2 LevB1. search.
%levelRecFields_unique
 LevA: case LevA (keep).
   %LRF-Nil
    case LevB. search.
   %LRF-Cons
    case IsRF. LevB: case LevB. apply IH_E to _ _ _ _ LevA1 LevB.
    apply IH_RF to _ _ _ _ LevA2 LevB1. apply level_is to _ _ _ LevA1.
    apply levelRecFields_is to _ _ _ LevA2.
    apply join_unique to _ _ LevA3 LevB2. search.




/********************************************************************
 Uniqueness of security
 ********************************************************************/
Extensible_Theorem
  secure_older_scopes : forall SF Scope SG PC S SG',
    IsS : is_stmt S ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev))
              (Scope::SG) ->
    Sec : secure SF (Scope::SG) PC S SG' ->
    exists Scope', SG' = Scope'::SG /\
       (forall X L, lookup Scope X L -> lookup Scope' X L)
  on Sec. [Show Proof]

%S-Noop
 search.
%S-Seq
 case IsS. A: apply IH to _ _ _ Sec1. apply secure_is to _ _ _ Sec1.
 B: apply IH to _ _ _ Sec2. exists Scope'1. split. search.
 intros L. L': apply A to L. apply B to L'. search.
%S-Declare
 exists (X, public)::Scope. split. search. intros L.
 assert X = X1 -> false.
   intros E. case E. apply no_lookup to Sec2 L.
 search.
%S-Assign-Private
 search.
%S-Assign-Public
 search.
%S-RecUpdate-Private
 search.
%S-RecUpdate-Public
 search.
%S-IfThenElse
 search.
%S-While-Private
 search.
%S-While-Public
 search.
%S-ScopeStmt
 search.
%S-Print
 search.
%S-Secdecl-Private
 exists (X, private)::Scope. split. search. intros L.
 assert X = X1 -> false.
   intros E. case E. apply no_lookup to Sec2 L.
 search.
%S-Secdecl-Public
 exists (X, public)::Scope. split. search. intros L.
 assert X = X1 -> false.
   intros E. case E. apply no_lookup to Sec2 L.
 search.
%S-Default
 apply names_is_sec to _ Sec1. apply proj_stmt_is to Sec2 _ _.
 apply proj_stmt_is to Sec2 _ _. apply IH to _ _ _ Sec3. search.




/********************************************************************
 Names in contexts related
 ********************************************************************/
Theorem names_same_scopes_same[V] :
  forall A B (C : list (list (pair string V))),
    is_list (is_list (is_pair is_string is_value)) A ->
    is_list (is_list (is_pair is_string is_value)) B ->
    names_same A C -> scopes_same A B -> names_same B C. [Show Proof]

induction on 3. intros IsA IsB NS SS. NS: case NS.
  %nil
   case SS. search.
  %cons
   SS: case SS. IsA: case IsA.  IsB: case IsB. unfold.
     %mem B -> mem C
      intros MB. IsP: apply mem_is to _ MB. IsX: case IsP.
      LB: apply is_list_mem_lookup to _ MB _. LA: apply SS1 to LB.
      MA: apply lookup_mem to LA. apply NS to MA. search.
     %mem C -> mem B
      intros MC. MA: apply NS1 to MC. IsP: apply mem_is to _ MA.
      IsX: case IsP. LA: apply is_list_mem_lookup to _ MA _.
      LB: apply SS to LA. MB: apply lookup_mem to LB. search.
     %rest
      apply IH to _ _ NS2 SS2. search.


Theorem zip_names_same[A, B] :
  forall (Names : list string) (A : list A) (B : list B) ZA ZB,
    zip Names A ZA -> zip Names B ZB -> names_same [ZA] [ZB]. [Show Proof]

induction on 1. intros ZA ZB. ZA: case ZA.
  %Zip-Nil
   case ZB. unfold. intros M. case M. intros M. case M. search.
  %Zip-Cons
   ZB: case ZB. NS: apply IH to ZA ZB. NS: case NS. unfold.
     %mems ->
      intros M. M: case M.
        %Mem-Here
         search.
        %Mem-Later
         apply NS to M. search.
     %mems <-
      intros M. M: case M.
        %Mem-Here
         search.
        %Mem-Later
         apply NS1 to M. search.
     %rest
      search.


Extensible_Theorem
  level_eval_names_same : forall E SF SG PC L FE EE V EE' O,
    IsE : is_expr E ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    NS : names_same EE SG ->
    Ev : evalExpr FE EE E V EE' O ->
    Lev : level SF SG PC E L ->
    names_same EE' SG
  on Ev,
  secure_eval_names_same : forall S SF SG PC SG' FE Scope EE EE' O,
    IsS : is_stmt S ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value))
              (Scope::EE) ->
    NS : names_same (Scope::EE) SG ->
    Ev : evalStmt FE (Scope::EE) S EE' O ->
    Sec : secure SF SG PC S SG' ->
    names_same EE' SG'
  on Ev,
  levelArgs_eval_names_same : forall A SF SG PC L FE EE V EE' O,
    IsA : is_args A ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    NS : names_same EE SG ->
    Ev : evalArgs FE EE A V EE' O ->
    Lev : levelArgs SF SG PC A L ->
    names_same EE' SG
  on Ev,
  levelRecFields_eval_names_same : forall RF SF SG PC L FE EE V EE' O,
    IsRF : is_recFieldExprs RF ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    NS : names_same EE SG ->
    Ev : evalRecFields FE EE RF V EE' O ->
    Lev : levelRecFields SF SG PC RF L ->
    names_same EE' SG
  on Ev. [Show Proof]

%ExtInd validity
 %secure_eval_names_same
  search.
 %level_eval_names_same
  search.
 %levelArgs_eval_names_same
  search.
 %levelRecFields_eval_names_same
  search.
%Actual property
 %level_eval_names_same
  %E-Num
   case Lev. search.
  %E-Plus
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev1. search.
  %E-Minus
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev1. search.
  %E-Mult
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev1. search.
  %E-Div
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev1. search.
  %E-True
   case Lev. search.
  %E-False
   case Lev. search.
  %E-And-True
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev2. search.
  %E-And-False1
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev. search.
  %E-And-False2
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev2. search.
  %E-Or-True1
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev. search.
  %E-Or-True2
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev2. search.
  %E-Or-False
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev2. search.
  %E-Not-True
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev. search.
  %E-Not-False
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev. search.
  %E-Greater-True
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev1. search.
  %E-Greater-False
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev1. search.
  %E-Eq-True
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev1. search.
  %E-Eq-False
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev1. search.
  %E-String
   case Lev. search.
  %E-AppString
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ NS Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply IH to _ _ _ _ _ _ Ev2 Lev1. search.
  %E-Name
   case Lev. search.
  %E-Call
   case IsE. Lev: case Lev.
     %L-Call-Private
      apply IH2 to _ _ _ _ _ NS Ev2 Lev1. search.
     %L-Call-Public
      apply IH2 to _ _ _ _ _ NS Ev2 Lev1. search.
  %E-StmtExpr
   case IsE. Lev: case Lev. apply names_same_add_scope to NS.
   apply IH1 to _ _ _ _ _ _ Ev1 Lev.
   apply evalStmt_isCtx to _ _ _ Ev1.
   apply evalExpr_isCtx to _ _ _ Ev2.
   apply secure_is to _ _ _ Lev.
   NS': apply IH to _ _ _ _ _ _ Ev2 Lev1. case NS'.
   apply secure_older_scopes to _ _ _ Lev. search.
  %E-RecBuild
   case IsE. Lev: case Lev. apply IH3 to _ _ _ _ _ _ Ev1 Lev. search.
  %E-RecAccess
   case IsE. Lev: case Lev. apply IH to _ _ _ _ _ _ Ev1 Lev. search.
  %E-Expr-Q
   Lev: case Lev. apply names_is to _ Ev1.
   apply names_is_sec to _ Lev.
   apply proj_expr_unique to Lev1 Ev2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NS Ev1 Lev M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NS Ev1 Lev M. search.
   apply proj_expr_is to Lev1 _ _.
   NS': apply IH to _ _ _ _ _ _ Ev3 Lev2.
   EvP: apply proj_evalExpr_forward to Ev2 Ev1 _ _ _ Ev.
   apply evalExpr_unique to _ _ _ EvP Ev3.
   apply evalExpr_isCtx to _ _ _ Ev.
   apply evalExpr_isCtx to _ _ _ EvP.
   SS: apply scopes_same_symm to EvP1.
   apply names_same_scopes_same to _ _ NS' SS. search.
 %secure_eval_names_same
  %E-Noop
   case Sec. search.
  %E-Seq
   case IsS. Sec: case Sec. NS': apply IH1 to _ _ _ _ _ _ Ev1 Sec.
   apply evalStmt_isCtx to _ _ _ Ev1. apply secure_is to _ _ _ Sec.
   case NS. apply secure_older_scopes to _ _ _ Sec. case NS' (keep).
   apply IH1 to _ _ _ _ _ _ Ev2 Sec1. search.
  %E-Declare
   case IsS. Sec: case Sec. NS': apply IH to _ _ _ _ _ _ Ev1 Sec.
   R: case NS'. unfold.
     %mem EE -> mem SG
      intros M. M: case M.
        %Mem-Here (X1 = X)
         search.
        %Mem-Later
         apply R to M. search.
     %mem SG -> mem EE
      intros M. M: case M.
        %Mem-Here (X1 = X)
         search.
        %Mem-Later
         apply R1 to M. search.
     %rest
      search.
  %E-Assign
   case IsS. Sec: case Sec.
     %S-Assign-Private
      NS': apply IH to _ _ _ _ _ _ Ev1 Sec.
      apply evalExpr_isCtx to _ _ _ Ev1.
      NS'': apply replaceScopes_names_same to _ Ev2.
      NS2: apply names_same_symmetric to NS''.
      apply names_same_transitive to NS2 NS'. search.
     %S-Assign-Public
      NS': apply IH to _ _ _ _ _ _ Ev1 Sec.
      apply evalExpr_isCtx to _ _ _ Ev1.
      NS'': apply replaceScopes_names_same to _ Ev2.
      NS2: apply names_same_symmetric to NS''.
      apply names_same_transitive to NS2 NS'. search.
  %E-RecUpdate
   case IsS. Sec: case Sec.
     %S-Assign-Private
      NS': apply IH to _ _ _ _ _ _ Ev1 Sec.
      apply evalExpr_isCtx to _ _ _ Ev1.
      NS'': apply replaceScopes_names_same to _ Ev4.
      NS2: apply names_same_symmetric to NS''.
      apply names_same_transitive to NS2 NS'. search.
     %S-Assign-Public
      NS': apply IH to _ _ _ _ _ _ Ev1 Sec.
      apply evalExpr_isCtx to _ _ _ Ev1.
      NS'': apply replaceScopes_names_same to _ Ev4.
      NS2: apply names_same_symmetric to NS''.
      apply names_same_transitive to NS2 NS'. search.
  %E-If-True
   case IsS. Sec: case Sec. NS': apply IH to _ _ _ _ _ _ Ev1 Sec.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply names_same_add_scope to NS'.
   NS'': apply IH1 to _ _ _ _ _ _ Ev2 Sec2. case NS''.
   apply secure_older_scopes to _ _ _ Sec2. search.
  %E-If-False
   case IsS. Sec: case Sec. NS': apply IH to _ _ _ _ _ _ Ev1 Sec.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply names_same_add_scope to NS'.
   NS'': apply IH1 to _ _ _ _ _ _ Ev2 Sec3. case NS''.
   apply secure_older_scopes to _ _ _ Sec3. search.
  %E-While-True
   case IsS. Sec: case Sec (keep).
     %S-While-Private
      NS': apply IH to _ _ _ _ _ _ Ev1 Sec1.
      NS1: apply names_same_add_scope to NS'.
      apply evalExpr_isCtx to _ _ _ Ev1.
      NS'': apply IH1 to _ _ _ _ _ _ Ev2 Sec2.
      apply secure_older_scopes to _ _ _ Sec2. NS+: case NS''.
      IsEE4+: apply evalStmt_isCtx to _ _ _ Ev2. case IsEE4+.
      case NS. NS_: case NS1. case NS_2. case NS+2.
      apply IH1 to _ _ _ _ _ _ Ev3 Sec. search.
     %S-While-Public
      NS': apply IH to _ _ _ _ _ _ Ev1 Sec1.
      NS1: apply names_same_add_scope to NS'.
      apply evalExpr_isCtx to _ _ _ Ev1.
      NS'': apply IH1 to _ _ _ _ _ _ Ev2 Sec2.
      apply secure_older_scopes to _ _ _ Sec2. NS+: case NS''.
      IsEE4+: apply evalStmt_isCtx to _ _ _ Ev2. case IsEE4+.
      case NS. NS_: case NS1. case NS_2. case NS+2.
      apply IH1 to _ _ _ _ _ _ Ev3 Sec. search.
  %E-While-False
   case IsS. Sec: case Sec.
     %S-While-Private
      apply IH to _ _ _ _ _ _ Ev1 Sec. search.
     %S-While-Public
      apply IH to _ _ _ _ _ _ Ev1 Sec. search.
  %E-ScopeStmt
   case IsS. apply names_same_add_scope to NS. Sec: case Sec.
   NS': apply IH1 to _ _ _ _ _ _ Ev1 Sec. case NS'.
   apply secure_older_scopes to _ _ _ Sec. search.
  %E-Print-Int
   case IsS. Sec: case Sec. apply IH to _ _ _ _ _ _ Ev1 Sec. search.
  %E-Print-True
   case IsS. Sec: case Sec. apply IH to _ _ _ _ _ _ Ev1 Sec. search.
  %E-Print-False
   case IsS. Sec: case Sec. apply IH to _ _ _ _ _ _ Ev1 Sec. search.
  %E-Print-String
   case IsS. Sec: case Sec. apply IH to _ _ _ _ _ _ Ev1 Sec. search.
  %E-Secdecl
   case IsS. Sec: case Sec.
     %S-Secdecl-Private
       NS': apply IH to _ _ _ _ _ _ Ev1 Sec. R: case NS'. unfold.
        %mem EE -> mem SG
         intros M. M: case M.
           %Mem-Here (X1 = X)
            search.
           %Mem-Later
            apply R to M. search.
        %mem SG -> mem EE
         intros M. M: case M.
           %Mem-Here (X1 = X)
            search.
           %Mem-Later
            apply R1 to M. search.
        %rest
         search.
     %S-Secdecl-Public
      NS': apply IH to _ _ _ _ _ _ Ev1 Sec. R: case NS'. unfold.
        %mem EE -> mem SG
         intros M. M: case M.
           %Mem-Here (X1 = X)
            search.
           %Mem-Later
            apply R to M. search.
        %mem SG -> mem EE
         intros M. M: case M.
           %Mem-Here (X1 = X)
            search.
           %Mem-Later
            apply R1 to M. search.
        %rest
         search.
  %E-Stmt-Q
   Sec: case Sec. apply names_is to _ Ev1.
   apply names_is_sec to _ Sec.
   apply proj_stmt_unique to Sec1 Ev2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NS Ev1 Sec M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NS Ev1 Sec M. search.
   apply proj_stmt_is to Sec1 _ _.
   NS': apply IH1 to _ _ _ _ _ _ Ev3 Sec2.
   EvP: apply proj_evalStmt_forward to Ev2 Ev1 _ _ _ Ev.
   apply evalStmt_unique to _ _ _ EvP Ev3.
   apply evalStmt_isCtx to _ _ _ Ev.
   apply evalStmt_isCtx to _ _ _ EvP.
   SS: apply scopes_same_symm to EvP1.
   apply names_same_scopes_same to _ _ NS' SS. search.
 %levelArgs_eval_names_same
  %EA-Nil
   case Lev. search.
  %EA-Cons
   case IsA. Lev: case Lev. apply IH to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH2 to _ _ _ _ _ _ Ev2 Lev1. search.
  %unknown K
   case Lev.
 %levelRecfields_eval_names_same
  %ERF-Nil
   case Lev. search.
  %ERF-Cons
   case IsRF. Lev: case Lev. apply IH to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH3 to _ _ _ _ _ _ Ev2 Lev1. search.
  %unknown K
   case Lev.




/********************************************************************
 Properties of public_equiv
 ********************************************************************/
Define public_equiv :
  list (list (pair string slev)) -> list (list (pair string value)) ->
  list (list (pair string value)) -> prop by
public_equiv [] [] [];
public_equiv (SScope::S) (Scope1::G1) (Scope2::G2) :=
  %lookup same for public
  (forall X V,
      lookup SScope X public -> lookup Scope1 X V ->
      lookup Scope2 X V) /\
  (forall X V,
      lookup SScope X public -> lookup Scope2 X V ->
      lookup Scope1 X V) /\
  %rest
  public_equiv S G1 G2.


Theorem no_lookup_names_same : forall A B X,
  is_list (is_pair is_string is_value) B ->
  (forall X IB, mem (X, IB) B ->
      exists (IA : value), mem (X, IA) A) ->
  no_lookup A X -> no_lookup B X. [Show Proof]

induction on 1. intros IsB MBA NA. IsB: case IsB.
  %nil
   search.
  %cons
   case IsB. MA: apply MBA to _ with X = A1.
   assert A1 = X -> false.
     intros E. case E. apply no_lookup_mem to NA MA.
   apply IH to IsB1 _ NA.
     intros M. MT: assert mem (X1, IB) ((A1, B1)::T). apply MBA to MT.
     search.
   search.


Theorem public_equiv_lookupScopes : forall S G1 G2 X V,
  public_equiv S G1 G2 -> names_same G1 S -> names_same G2 S ->
  is_list (is_list (is_pair is_string is_value)) G2 ->
  lookupScopes X S public ->
  lookupScopes X G1 V -> lookupScopes X G2 V. [Show Proof]

induction on 5. intros PE NSA NSB IsB LSS LS. LSS: case LSS.
  %LS-FirstScope
   PE: case PE. LS: case LS.
     %LS-FirstScope
      apply PE to LSS LS. search.
     %LS-Later
      MS: apply lookup_mem to LSS. NSA: case NSA.
      MA: apply NSA1 to MS. apply no_lookup_mem to LS MA.
  %LS-Later
   PE: case PE. LS: case LS.
     %LS-FirstScope
      MA: apply lookup_mem to LS. NSA: case NSA. MS: apply NSA to MA.
      NSB: case NSB. MB: apply NSB1 to MS.
      apply no_lookup_mem to LSS MS.
     %LS-Later
      NSA: case NSA. NSB: case NSB. IsB: case IsB.
      apply IH to PE2 _ _ _ LSS1 LS1.
      apply no_lookup_names_same to IsB _ LS.
        intros MB. MS: apply NSB to MB. apply NSA1 to MS. search.
      search.


Theorem public_equiv_trans : forall SG GA GB GC,
  public_equiv SG GA GB -> public_equiv SG GB GC ->
  public_equiv SG GA GC. [Show Proof]

induction on 1. intros PAB PBC. PAB: case PAB.
  %end
   case PBC. search.
  %step
   PBC: case PBC. rename Scope1 to AS. rename Scope2 to BS.
   rename Scope4 to CS. rename G1 to A. rename G2 to B.
   rename G4 to C. unfold.
     %lookup public ->
      intros LS LA. LB: apply PAB to LS LA. apply PBC to LS LB.
      search.
     %lookup public <-
      intros LS LC. LB: apply PBC1 to LS LC. apply PAB1 to LS LB.
      search.
     %rest
      apply IH to PAB2 PBC2. search.


Theorem public_equiv_refl : forall SG G,
  names_same G SG -> public_equiv SG G G. [Show Proof]

induction on 1. intros NS. NS: case NS.
  %end
   search.
  %step
   unfold.
     %lookup public ->
      intros LPub L. search.
     %lookup public <-
      intros LPub L. search.
     %rest
      apply IH to NS2. search.


Theorem public_equiv_symm : forall SG GA GB,
  public_equiv SG GA GB -> public_equiv SG GB GA. [Show Proof]

induction on 1. intros PE. PE: case PE.
  %end
   search.
  %step
   unfold.
     %lookup public ->
      search.
     %lookup public <-
      search.
     %rest
      apply IH to PE2. search.


Theorem public_equiv_scopes_same_snd : forall SG G GA GB,
  public_equiv SG G GB -> scopes_same GA GB -> public_equiv SG G GA. [Show Proof]

induction on 1. intros PE SS. PE: case PE.
  %last
   case SS. search.
  %step
   SS: case SS. unfold.
     %lookup public ->
      intros LS L1. L2: apply PE to LS L1. apply SS1 to L2. search.
     %lookup public <-
      intros LS L2. LS2: apply SS to L2. apply PE1 to LS LS2. search.
     %rest
      apply IH to PE2 _. search.


Theorem public_equiv_scopes_same_fst : forall SG G GA GB,
  public_equiv SG GB G -> scopes_same GA GB -> public_equiv SG GA G. [Show Proof]

induction on 1. intros PE SS. PE: case PE.
  %last
   case SS. search.
  %step
   SS: case SS. unfold.
     %lookup public ->
      intros LS L1. L: apply SS to L1. apply PE to LS L. search.
     %lookup public <-
      intros LS L2. L1: apply PE1 to LS L2. apply SS1 to L1. search.
     %rest
      apply IH to PE2 _. search.


Theorem public_equiv_add_scope : forall SG GA GB,
  public_equiv SG GA GB -> public_equiv ([]::SG) ([]::GA) ([]::GB). [Show Proof]

intros PE. unfold.
  %lookup public ->
   intros L. case L.
  %lookup public <-
   intros L. case L.
  %rest
   search.


Theorem public_equiv_add_public : forall SS SG AS GA BS GB X V,
  public_equiv (SS::SG) (AS::GA) (BS::GB) ->
  public_equiv (((X, public)::SS)::SG) (((X, V)::AS)::GA)
                                       (((X, V)::BS)::GB). [Show Proof]

intros PE. PE: case PE. unfold.
  %lookup public ->
   intros LS LA. LS: case LS.
     %LS-FirstScope
      LA: case LA.
        %LS-FirstScope
         search.
        %LS-Later
         apply LA to _.
     %LS-Later
      LA: case LA.
        %LS-FirstScope
         apply LS to _.
        %LS-Later
         apply PE to LS1 LA1. search.
  %lookup public <-
   intros LS LB. LS: case LS.
     %LS-FirstScope
      LB: case LB.
        %LS-FirstScope
         search.
        %LS-Later
         apply LB to _.
     %LS-Later
      LB: case LB.
        %LS-FirstScope
         apply LS to _.
        %LS-Later
         apply PE1 to LS1 LB1. search.
  %rest
   search.


Theorem public_equiv_add_other : forall SS SG AS GA BS GB X L VA VB,
  public_equiv (SS::SG) (AS::GA) (BS::GB) -> (L = public -> false) ->
  public_equiv (((X, L)::SS)::SG) (((X, VA)::AS)::GA)
                                  (((X, VB)::BS)::GB). [Show Proof]

intros PE NEq. PE: case PE. unfold.
  %lookup public ->
   intros LS LA. LS: case LS.
     %Lkp-Here
      apply NEq to _.
     %Lkp-Later
      LA: case LA.
        %Lkp-
         apply LS to _.
        %Lkp-Later
         apply PE to LS1 LA1. search.
  %lookup public <-
   intros LS LB. LS: case LS.
     %Lkp-Here
      apply NEq to _.
     %Lkp-Later
      LB: case LB.
        %Lkp-Here
         apply LS to _.
        %Lkp-Later
         apply PE1 to LS1 LB1. search.
  %rest
   search.


Theorem remove_all_eq_or_mem[Key, Item] :
  forall L L' (X Y : Key) (V : Item),
    remove_all L X L' -> mem (Y, V) L -> Y = X \/ mem (Y, V) L'. [Show Proof]

induction on 2. intros RA M. M: case M.
  %Mem-Here
   RA: case RA.
     %RA-Remove
      search.
     %RA-Keep
      search.
  %Mem-Later
   RA: case RA.
     %RA-Remove
      Or: apply IH to RA M. E: case Or.
        %Y = X
         search.
        %mem (Y, V) L'
         search.
     %RA-Keep
      Or: apply IH to RA1 M. E: case Or.
        %Y = X
         search.
        %mem (Y, V) R
         search.


Theorem public_equiv_replaceScopes_public : forall SG GA GB X V RA RB,
  public_equiv SG GA GB -> names_same GA SG -> names_same GB SG ->
  lookupScopes X SG public ->
  replaceScopes X V GA RA -> replaceScopes X V GB RB ->
  public_equiv SG RA RB. [Show Proof]

induction on 4. intros PE NSA NSB LS RA RB. LS: case LS.
  %LS-FirstScope
   RA: case RA.
     %RS-FirstScope
      RB: case RB.
        %RS-FirstScope
         PE: case PE. unfold.
           %lookup public ->
            intros LS LA. LA: case LA.
              %Lkp-Here
               search.
              %Lkp-Later
               LA': apply remove_all_lookup_other to RA1 LA1 _.
               LB': apply PE to _ LA'.
               apply remove_all_lookup_other_back to RB1 LB' _.
               search.
           %lookup public <-
            intros LS LB. LB: case LB.
              %Lkp-Here
               search.
              %Lkp-Later
               LB': apply remove_all_lookup_other to RB1 LB1 _.
               LA': apply PE1 to _ LB'.
               apply remove_all_lookup_other_back to RA1 LA' _.
               search.
           %rest
            search.
        %RS-Later
         NSA: case NSA. NSB: case NSB. MS: apply NSA to RA.
         MB: apply NSB1 to MS. apply no_lookup_mem to RB MB.
     %RS-Later
      NSA: case NSA. MS: apply lookup_mem to LS. MA: apply NSA1 to MS.
      apply no_lookup_mem to RA MA.
  %LS-Later
   RA: case RA.
     %RS-FirstScope
      NSA: case NSA. MS: apply NSA to RA.
      apply no_lookup_mem to LS MS.
     %RS-Later
      RB: case RB.
        %RS-FirstScope
         NSB: case NSB. MS: apply NSB to RB.
         apply no_lookup_mem to LS MS.
        %RS-Later
         PE: case PE. case NSA. case NSB.
         apply IH to PE2 _ _ LS1 RA1 RB1. search.


Theorem public_equiv_replaceScopes_other :
  forall SG GA GB X L VA VB RA RB,
    public_equiv SG GA GB -> names_same GA SG -> names_same GB SG ->
    lookupScopes X SG L -> (L = public -> false) ->
    replaceScopes X VA GA RA -> replaceScopes X VB GB RB ->
    public_equiv SG RA RB. [Show Proof]

induction on 4. intros PE NSA NSB LS NEq RA RB. LS: case LS.
  %LS-FirstScope
   RA: case RA.
     %RS-FirstScope
      RB: case RB.
        %RS-FirstScope
         PE: case PE. unfold.
           %lookup public ->
            intros LS' LA. LA: case LA.
              %Lkp-Here
               apply lookup_unique to LS' LS. apply NEq to _.
              %Lkp-Later
               LA': apply remove_all_lookup_other to RA1 LA1 _.
               LB': apply PE to _ LA'.
               apply remove_all_lookup_other_back to RB1 LB' _.
               search.
           %lookup public <-
            intros LS' LB. LB: case LB.
              %Lkp-Here
               apply lookup_unique to LS' LS. apply NEq to _.
              %Lkp-Later
               LB': apply remove_all_lookup_other to RB1 LB1 _.
               LA': apply PE1 to _ LB'.
               apply remove_all_lookup_other_back to RA1 LA' _.
               search.
           %rest
            search.
        %RS-Later
         NSB: case NSB. NSA: case NSA. MS: apply NSA to RA.
         MB: apply NSB1 to MS. apply no_lookup_mem to RB MB.
     %RS-Later
      MS: apply lookup_mem to LS. NSA: case NSA. MA: apply NSA1 to MS.
      apply no_lookup_mem to RA MA.
  %LS-Later
   RA: case RA.
     %RS-FirstScope
      NSA: case NSA. MS: apply NSA to RA.
      apply no_lookup_mem to LS MS.
     %RS-Later
      RB: case RB.
        %RS-FirstScope
         NSB: case NSB. MS: apply NSB to RB.
         apply no_lookup_mem to LS MS.
        %RS-Later
         PE: case PE. case NSA. case NSB.
         apply IH to _ _ _ LS1 _ RA1 RB1. search.


Theorem replaceScopes_public_equiv : forall SG L X V L' SL,
  names_same L SG -> replaceScopes X V L L' -> lookupScopes X SG SL ->
  (SL = public -> false) -> public_equiv SG L L'. [Show Proof]

induction on 2. intros NS RS LS NEq. RS: case RS.
  %RS-FirstScope
   LS: case LS.
     %LS-FirstScope
      NS: case NS. apply public_equiv_refl to NS2. unfold.
        %lookup public ->
         intros LP LL.
         assert X = X1 -> false.
           intros E. case E. apply lookup_unique to LS LP.
           backchain NEq.
         apply remove_all_lookup_other_back to RS1 LL _. search.
        %lookup public <-
         intros LP L+. L: case L+.
           %Lkp-Here
            apply lookup_unique to LS LP. apply NEq to _.
           %Lkp-Later
            apply remove_all_lookup_other to RS1 L1 _. search.
        %rest
         search.
     %LS-Later
      NS: case NS. MS: apply NS to RS. apply no_lookup_mem to LS MS.
  %RS-Later
   LS: case LS.
     %LS-FirstScope
      NS: case NS. MS: apply lookup_mem to LS. ML: apply NS1 to MS.
      apply no_lookup_mem to RS ML.
     %LS-Later
      case NS. apply IH to _ RS1 LS1 _. search.




/********************************************************************
 No public changes in private contexts
 ********************************************************************/
Extensible_Theorem
  stmt_not_public_no_public_change :
    forall S SF SScope SG PC SG' FE Scope EE Scope' EE' O,
      IsS : is_stmt S ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev))
                (SScope::SG) ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value))
                (Scope::EE) ->
      NS : names_same (Scope::EE) (SScope::SG) ->
      Ev : evalStmt FE (Scope::EE) S (Scope'::EE') O ->
      Sec : secure SF (SScope::SG) PC S SG' ->
      NEq : (PC = public -> false) ->
      /*only the end of the ctxs are related, not the first scope*/
      public_equiv SG EE EE'
  on Ev as IH_S,
  expr_not_public_no_public_change :
    forall E SF SG PC L FE EE V EE' O,
      IsE : is_expr E ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
      NS : names_same EE SG ->
      Ev : evalExpr FE EE E V EE' O ->
      Lev : level SF SG PC E L ->
      NEq : (PC = public -> false) ->
      public_equiv SG EE EE'
  on Ev as IH_E,
  args_not_public_no_public_change :
    forall A SF SG PC L FE EE V EE' O,
      IsA : is_args A ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
      NS : names_same EE SG ->
      Ev : evalArgs FE EE A V EE' O ->
      Lev : levelArgs SF SG PC A L ->
      NEq : (PC = public -> false) ->
      public_equiv SG EE EE'
  on Ev as IH_A,
  recFields_not_public_no_public_change :
    forall RF SF SG PC L FE EE V EE' O,
      IsRF : is_recFieldExprs RF ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
      NS : names_same EE SG ->
      Ev : evalRecFields FE EE RF V EE' O ->
      Lev : levelRecFields SF SG PC RF L ->
      NEq : (PC = public -> false) ->
      public_equiv SG EE EE'
  on Ev as IH_RF. [Show Proof]

%ExtInd validity
 %stmt_not_public_no_public_change
  search.
 %expr_not_public_no_public_change
  search.
 %args_not_public_no_public_change
  search.
 %recFields_not_public_no_public_change
  search.
%Actual property
 %stmt_not_public_no_public_change
  %E-Noop
   case Sec. case NS. backchain public_equiv_refl.
  %E-Seq
   case IsS. Sec: case Sec. apply secure_older_scopes to _ _ _ Sec.
   NS': apply secure_eval_names_same to _ _ _ _ _ _ Ev1 Sec.
   case NS' (keep). PE1: apply IH_S to _ _ _ _ _ _ _ Ev1 Sec _.
   apply evalStmt_isCtx to _ _ _ Ev1. apply secure_is to _ _ _ Sec.
   PE2: apply IH_S to _ _ _ _ _ _ _ Ev2 Sec1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Declare
   case IsS. Sec: case Sec. apply NEq to _.
  %E-Assign
   case IsS. Sec: case Sec.
     %S-Assign-Private
      PE: apply IH_E to _ _ _ _ _ _ _ Ev1 Sec _.
      NS': apply level_eval_names_same to _ _ _ _ _ _ Ev1 Sec.
      PE1: apply replaceScopes_public_equiv to _ Ev2 Sec1 _.
      case NS'. PE2: apply public_equiv_trans to PE PE1. case PE2.
      search.
     %S-Assign-Public
      apply NEq to _.
  %E-RecUpdate
   case IsS. Sec: case Sec.
     %S-RecUpdate-Private
      PE: apply IH_E to _ _ _ _ _ _ _ Ev1 Sec _.
      NS': apply level_eval_names_same to _ _ _ _ _ _ Ev1 Sec.
      PE1: apply replaceScopes_public_equiv to _ Ev4 Sec1 _.
      case NS'. PE2: apply public_equiv_trans to PE PE1. case PE2.
      search.
     %S-RecUpdate-Public
      apply NEq to _.
  %E-If-True
   case IsS. Sec: case Sec.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Sec _.
   apply level_is to _ _ _ Sec.
   assert Sl1 = public -> false.
     intros E. case E. apply join_public to _ _ Sec1. backchain NEq.
   NS': apply level_eval_names_same to _ _ _ _ _ _ Ev1 Sec.
   apply names_same_add_scope to NS'.
   apply evalExpr_isCtx to _ _ _ Ev1. apply join_is to _ _ Sec1.
   PE2: apply IH_S to _ _ _ _ _ _ _ Ev2 Sec2 _. PE2': case PE2.
   PE1': case PE1. apply public_equiv_trans to PE1'2 PE2'2. search.
  %E-If-False
   case IsS. Sec: case Sec.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Sec _.
   apply level_is to _ _ _ Sec.
   assert Sl1 = public -> false.
     intros E. case E. apply join_public to _ _ Sec1. backchain NEq.
   NS': apply level_eval_names_same to _ _ _ _ _ _ Ev1 Sec.
   apply names_same_add_scope to NS'.
   apply evalExpr_isCtx to _ _ _ Ev1. apply join_is to _ _ Sec1.
   PE2: apply IH_S to _ _ _ _ _ _ _ Ev2 Sec3 _. PE2': case PE2.
   PE1': case PE1. apply public_equiv_trans to PE1'2 PE2'2. search.
  %E-While-True
   case IsS. Sec: case Sec (keep).
     %S-While-Private
      PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Sec1 _.
      apply level_is to _ _ _ Sec1.
      NS': apply level_eval_names_same to _ _ _ _ _ _ Ev1 Sec1.
      apply names_same_add_scope to NS'.
      apply evalExpr_isCtx to _ _ _ Ev1.
      PE2: apply IH_S to _ _ _ _ _ _ _ Ev2 Sec2 _. PE2': case PE2.
      PE1': case PE1. PE3: apply public_equiv_trans to PE1'2 PE2'2.
      NS+: apply secure_eval_names_same to _ _ _ _ _ _ Ev2 Sec2.
      Is++: apply evalStmt_isCtx to _ _ _ Ev2. case Is++.
      apply secure_older_scopes to _ _ _ Sec2. case NS+.
      PE4: apply IH_S to _ _ _ _ _ _ _ Ev3 Sec _.
      apply public_equiv_trans to PE3 PE4. search.
     %S-While-Public
      apply NEq to _.
  %E-While-False
   case IsS. Sec: case Sec (keep).
     %S-While-Private
      PE: apply IH_E to _ _ _ _ _ _ _ Ev1 Sec1 _. case PE. search.
     %S-While-Public
      apply NEq to _.
  %E-ScopeStmt
   case IsS. Sec: case Sec. apply names_same_add_scope to NS.
   PE: apply IH_S to _ _ _ _ _ _ _ Ev1 Sec _. case PE. search.
  %E-Print-Int
   case Sec. apply NEq to _.
  %E-Print-True
   case Sec. apply NEq to _.
  %E-Print-False
   case Sec. apply NEq to _.
  %E-Print-String
   case Sec. apply NEq to _.
  %E-Secdecl
   case IsS. Sec: case Sec.
     %S-Secdecl-Private
      PE: apply IH_E to _ _ _ _ _ _ _ Ev1 Sec _. case PE. search.
     %S-Secdecl-Public
      PE: apply IH_E to _ _ _ _ _ _ _ Ev1 Sec _. case PE. search.
  %E-Stmt-Q
   Sec: case Sec. apply names_is to _ Ev1.
   apply names_is_sec to _ Sec.
   apply proj_stmt_unique to Sec1 Ev2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NS Ev1 Sec M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NS Ev1 Sec M. search.
   apply proj_stmt_is to Sec1 _ _.
   NS': apply secure_eval_names_same to _ _ _ _ _ _ Ev3 Sec2.
   apply secure_older_scopes to _ _ _ Sec2. case NS' (keep).
   PE: apply IH_S to _ _ _ _ _ _ _ Ev3 Sec2 _.
   SS: apply proj_evalStmt_forward to Ev2 Ev1 _ _ _ Ev.
   apply evalStmt_unique to _ _ _ SS Ev3. SS': case SS1.
   apply public_equiv_scopes_same_snd to PE SS'2. search.
 %expr_not_public_no_public_change
  %E-Num
   backchain public_equiv_refl.
  %E-Plus
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Minus
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Mult
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Div
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-True
   backchain public_equiv_refl.
  %E-False
   backchain public_equiv_refl.
  %E-And-True
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Lev.
   apply join_is to _ _ Lev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev2 _.
     intros E. case E. apply join_public to _ _ Lev1. backchain NEq.
   apply public_equiv_trans to PE1 PE2. search.
  %E-And-False1
   case IsE. Lev: case Lev. apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   search.
  %E-And-False2
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Lev.
   apply join_is to _ _ Lev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev2 _.
     intros E. case E. apply join_public to _ _ Lev1. backchain NEq.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Or-True1
   case IsE. Lev: case Lev. apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   search.
  %E-Or-True2
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Lev.
   apply join_is to _ _ Lev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev2 _.
     intros E. case E. apply join_public to _ _ Lev1. backchain NEq.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Or-False
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Lev.
   apply join_is to _ _ Lev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev2 _.
     intros E. case E. apply join_public to _ _ Lev1. backchain NEq.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Not-True
   case IsE. Lev: case Lev. apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   search.
  %E-Not-False
   case IsE. Lev: case Lev. apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   search.
  %E-Greater-True
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Greater-False
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Eq-True
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Eq-False
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-String
   backchain public_equiv_refl.
  %E-AppString
   case IsE. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %E-Name
   backchain public_equiv_refl.
  %E-Call
   case IsE. Lev: case Lev.
     %L-Call-Private
      apply IH_A to _ _ _ _ _ _ _ Ev2 Lev1 _. search.
     %L-Call-Public
      apply NEq to _.
  %E-StmtExpr
   case IsE. Lev: case Lev. apply names_same_add_scope to NS.
   NS': apply secure_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply secure_older_scopes to _ _ _ Lev. case NS' (keep).
   PE1: apply IH_S to _ _ _ _ _ _ _ Ev1 Lev _.
   apply evalStmt_isCtx to _ _ _ Ev1. apply secure_is to _ _ _ Lev.
   PE2: apply IH_E to _ _ _ _ _ _ _ Ev2 Lev1 _. PE': case PE2.
   apply public_equiv_trans to PE1 PE'2. search.
  %E-RecBuild
   case IsE. Lev: case Lev. apply IH_RF to _ _ _ _ _ _ _ Ev1 Lev _.
   search.
  %E-RecAccess
   case IsE. Lev: case Lev. apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   search.
  %E-Expr-Q
   Lev: case Lev. apply names_is to _ Ev1.
   apply names_is_sec to _ Lev.
   apply proj_expr_unique to Lev1 Ev2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NS Ev1 Lev M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NS Ev1 Lev M. search.
   apply proj_expr_is to Lev1 _ _.
   PE: apply IH_E to _ _ _ _ _ _ _ Ev3 Lev2 _.
   SS: apply proj_evalExpr_forward to Ev2 Ev1 _ _ _ Ev.
   apply evalExpr_unique to _ _ _ SS Ev3.
   apply public_equiv_scopes_same_snd to PE SS1. search.
 %args_not_public_no_public_change
  %EA-Nil
   backchain public_equiv_refl.
  %EA-Cons
   case IsA. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_A to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %unknown K
   case Lev.
 %recFields_not_public_no_public_change
  %ERF-Nil
   backchain public_equiv_refl.
  %ERF-Cons
   case IsRF. Lev: case Lev.
   PE1: apply IH_E to _ _ _ _ _ _ _ Ev1 Lev _.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   PE2: apply IH_RF to _ _ _ _ _ _ _ Ev2 Lev1 _.
   apply public_equiv_trans to PE1 PE2. search.
  %unknown K
   case Lev.


Theorem while_no_public_change :
  forall SF SG PC SG' L Cond Body FE EE EE2 O,
    is_expr Cond -> is_stmt Body ->
    is_list (is_pair is_string
            (is_pair is_slev (is_list is_slev))) SF ->
    is_list (is_list (is_pair is_string is_slev)) SG ->
    is_slev PC ->
    is_list (is_pair is_string
            (is_pair is_string
            (is_pair is_value
            (is_pair (is_list is_string) is_stmt)))) FE ->
    is_list (is_list (is_pair is_string is_value)) EE ->
    names_same EE SG ->
    secure SF SG PC (while Cond Body) SG' ->
    level SF SG PC Cond L -> (L = public -> false) ->
    evalStmt FE EE (while Cond Body) EE2 O ->
    public_equiv SG EE EE2. [Show Proof]

induction on 12. intros IsC IsB IsSF IsSG IsPC IsFE IsEE NS Sec Lev
                        NEq Ev. Ev: case Ev.
  %E-While-True
   Sec: case Sec (keep).
     %S-While-Private
      apply level_unique to _ _ _ _ Sec1 Lev.
      NS': apply level_eval_names_same to _ _ _ _ _ _ Ev Lev.
      apply names_same_add_scope to NS'.
      PE1: apply expr_not_public_no_public_change to
              _ _ _ _ _ _ _ Ev Sec1 _.
      apply evalExpr_isCtx to _ _ _ Ev.
      PE2: apply stmt_not_public_no_public_change to
              _ _ _ _ _ _ _ Ev1 Sec2 _.
      PE3: apply public_equiv_trans to PE1 PE2.
      NS'': apply secure_eval_names_same to _ _ _ _ _ _ Ev1 Sec2.
      case NS''. apply secure_older_scopes to _ _ _ Sec2.
      IsEE4+: apply evalStmt_isCtx to _ _ _ Ev1. case IsEE4+.
      PE4: apply IH to _ _ _ _ _ _ _ _ Sec Lev _ Ev2.
      apply public_equiv_trans to PE3 PE4. search.
     %S-While-Public
      apply level_unique to _ _ _ _ Sec1 Lev. apply NEq to _.
  %E-While-False
   Sec: case Sec (keep).
     %S-While-Private
      apply expr_not_public_no_public_change to
         _ _ _ _ _ _ _ Ev Sec1 _. search.
     %S-While-Public
      apply level_unique to _ _ _ _ Sec1 Lev. apply NEq to _.




/********************************************************************
 Evaluation does not leak private information
 ********************************************************************/
%all public argument values are the same; private ones may differ
Define level_arg_vals :
       list slev -> list value -> list value -> prop by
level_arg_vals [] [] [];
level_arg_vals (public::SRest) (V::ARest) (V::BRest) :=
   level_arg_vals SRest ARest BRest;
level_arg_vals (L::SRest) (VA::ARest) (VB::BRest) :=
   (L = public -> false) /\ level_arg_vals SRest ARest BRest.


Theorem zip_level_arg_vals : forall S A B N ZA ZB ZS,
  level_arg_vals S A B -> zip N A ZA -> zip N B ZB -> zip N S ZS ->
  public_equiv [ZS] [ZA] [ZB]. [Show Proof]

induction on 1. intros LAV ZA ZB ZS. LAV: case LAV.
  %nil
   case ZA. case ZB. case ZS. unfold. intros L. case L. intros L.
   case L. search.
  %cons public
   ZA: case ZA. ZB: case ZB. ZS: case ZS. unfold.
     %lookups ->
      intros LS LA. LS: case LS.
        %Lkp-Here
         LA: case LA.
           %Lkp-Here
            search.
           %Lkp-Later
            apply LA to _.
        %Lkp-Later
         LA: case LA.
           %Lkp-Here
            apply LS to _.
           %Lkp-Later
            PE: apply IH to LAV ZA ZB ZS. PE: case PE.
            apply PE to LS1 LA1. search.
     %lookups <-
      intros LS LB. LS: case LS.
        %Lkp-Here
         LB: case LB.
           %Lkp-Here
            search.
           %Lkp-Later
            apply LB to _.
        %Lkp-Later
         LB: case LB.
           %Lkp-Here
            apply LS to _.
           %Lkp-Later
            PE: apply IH to LAV ZA ZB ZS. PE: case PE.
            apply PE1 to LS1 LB1. search.
     %rest
      search.
  %cons private
   ZA: case ZA. ZB: case ZB. ZS: case ZS. unfold.
     %lookups ->
      intros LS LA. LS: case LS.
        %Lkp-Here
         apply LAV to _.
        %Lkp-Later
         LA: case LA.
           %Lkp-Here
            apply LS to _.
           %Lkp-Later
            PE: apply IH to LAV1 ZA ZB ZS. PE: case PE.
            apply PE to LS1 LA1. search.
     %lookups <-
      intros LS LB. LS: case LS.
        %Lkp-Here
         apply LAV to _.
        %Lkp-Later
         LB: case LB.
           %Lkp-Here
            apply LS to _.
           %Lkp-Later
            PE: apply IH to LAV1 ZA ZB ZS. PE: case PE.
            apply PE1 to LS1 LB1. search.
     %rest
      search.


Theorem zip_is_sec : forall A B Z,
  is_list is_string A -> is_list is_slev B -> zip A B Z ->
  is_list (is_pair is_string is_slev) Z. [Show Proof]

induction on 3. intros IsA IsB Z. Z: case Z.
  %Zip-Nil
   search.
  %Zip-Cons
   case IsA. case IsB. apply IH to _ _ Z. search.


%security and evaluation fun ctxs are appropriately related
Define secFunCtxs : list (pair string (pair slev (list slev))) ->
       list (pair string (pair string (pair value
            (pair (list string) stmt)))) -> prop by
secFunCtxs SF FE :=
  forall FName RetLev PSecs RetVar RVVal PNames Body,
    lookup SF FName (RetLev, PSecs) ->
    lookup FE FName (RetVar, RVVal, PNames, Body) ->
    exists ZP SG, zip PNames PSecs ZP /\
                  secure SF [(RetVar, RetLev)::ZP] RetLev Body SG.


Extensible_Theorem
  %evaluation under public_equiv ctxs yields public_equiv ctxs
  stmt_secure : forall S SF SG PC SG' FE ScopeA EE_A EE_A' OA
                       ScopeB EE_B EE_B' OB,
    IsS : is_stmt S ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsPC : is_slev PC ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE_A : is_list (is_list (is_pair is_string is_value))
                (ScopeA::EE_A) ->
    IsEE_B : is_list (is_list (is_pair is_string is_value))
                (ScopeB::EE_B) ->
    SFC : secFunCtxs SF FE ->
    NSA : names_same (ScopeA::EE_A) SG ->
    NSB : names_same (ScopeB::EE_B) SG ->
    PE : public_equiv SG (ScopeA::EE_A) (ScopeB::EE_B) ->
    Sec : secure SF SG PC S SG' ->
    EvA : evalStmt FE (ScopeA::EE_A) S EE_A' OA ->
    EvB : evalStmt FE (ScopeB::EE_B) S EE_B' OB ->
    public_equiv SG' EE_A' EE_B'
  on EvA as IH_S,
  expr_secure :
    forall E SF SG PC L FE EE_A EE_A' VA OA EE_B EE_B' VB OB,
      IsE : is_expr E ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE_A : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsEE_B : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SFC : secFunCtxs SF FE ->
      NSA : names_same EE_A SG ->
      NSB : names_same EE_B SG ->
      PE : public_equiv SG EE_A EE_B ->
      Lev : level SF SG PC E L ->
      EvA : evalExpr FE EE_A E VA EE_A' OA ->
      EvB : evalExpr FE EE_B E VB EE_B' OB ->
      public_equiv SG EE_A' EE_B'
  on EvA as IH_E,
  args_secure :
    forall A SF SG PC L FE EE_A EE_A' VA OA EE_B EE_B' VB OB,
      IsA : is_args A ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE_A : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsEE_B : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SFC : secFunCtxs SF FE ->
      NSA : names_same EE_A SG ->
      NSB : names_same EE_B SG ->
      PE : public_equiv SG EE_A EE_B ->
      Lev : levelArgs SF SG PC A L ->
      EvA : evalArgs FE EE_A A VA EE_A' OA ->
      EvB : evalArgs FE EE_B A VB EE_B' OB ->
      public_equiv SG EE_A' EE_B'
  on EvA as IH_A,
  recFields_secure :
    forall RF SF SG PC L FE EE_A EE_A' VA OA EE_B EE_B' VB OB,
      IsRF : is_recFieldExprs RF ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE_A : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsEE_B : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SFC : secFunCtxs SF FE ->
      NSA : names_same EE_A SG ->
      NSB : names_same EE_B SG ->
      PE : public_equiv SG EE_A EE_B ->
      Lev : levelRecFields SF SG PC RF L ->
      EvA : evalRecFields FE EE_A RF VA EE_A' OA ->
      EvB : evalRecFields FE EE_B RF VB EE_B' OB ->
      public_equiv SG EE_A' EE_B'
  on EvA as IH_RF,
  %public terms produce the same values under public_equiv ctxs
  expr_level :
    forall E SF SG PC FE EE_A EE_A' VA OA EE_B EE_B' VB OB,
      IsE : is_expr E ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE_A : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsEE_B : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SFC : secFunCtxs SF FE ->
      NSA : names_same EE_A SG ->
      NSB : names_same EE_B SG ->
      PE : public_equiv SG EE_A EE_B ->
      Lev : level SF SG PC E public ->
      EvA : evalExpr FE EE_A E VA EE_A' OA ->
      EvB : evalExpr FE EE_B E VB EE_B' OB ->
      VA = VB
  on EvA as IH_E_L,
  recFields_level :
    forall RF SF SG PC FE EE_A EE_A' VA OA EE_B EE_B' VB OB,
      IsRF : is_recFieldExprs RF ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE_A : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsEE_B : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SFC : secFunCtxs SF FE ->
      NSA : names_same EE_A SG ->
      NSB : names_same EE_B SG ->
      PE : public_equiv SG EE_A EE_B ->
      Lev : levelRecFields SF SG PC RF public ->
      EvA : evalRecFields FE EE_A RF VA EE_A' OA ->
      EvB : evalRecFields FE EE_B RF VB EE_B' OB ->
      VA = VB
  on EvA as IH_RF_L,
  %arguments produce the same values for public ones
  args_level :
    forall A SF SG PC Ls FE EE_A EE_A' VA OA EE_B EE_B' VB OB,
      IsA : is_args A ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE_A : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsEE_B : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SFC : secFunCtxs SF FE ->
      NSA : names_same EE_A SG ->
      NSB : names_same EE_B SG ->
      PE : public_equiv SG EE_A EE_B ->
      Lev : levelArgs SF SG PC A Ls ->
      EvA : evalArgs FE EE_A A VA EE_A' OA ->
      EvB : evalArgs FE EE_B A VB EE_B' OB ->
      level_arg_vals Ls VA VB
  on EvA as IH_A_L. [Show Proof]

%ExtInd validity
 %stmt_secure
  search.
 %expr_secure
  search.
 %args_secure
  search.
 %recFieldExprs_secure
  search.
 %expr_level
  search.
 %recFields_level
  search.
 %args_level
  search.
%Actual property
 %stmt_secure
  %E-Noop
   case EvB. case Sec. search.
  %E-Seq
   case IsS. Sec: case Sec. EvB: case EvB.
   PE1: apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
   apply evalStmt_isCtx to _ _ _ EvA1.
   apply evalStmt_isCtx to _ _ _ EvB. apply secure_is to _ _ _ Sec.
   NSA': apply secure_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
   NSB': apply secure_eval_names_same to _ _ _ _ _ _ EvB Sec.
   case NSA. apply secure_older_scopes to _ _ _ Sec. case NSA' (keep).
   case NSB. case NSB' (keep). case PE1 (keep).
   apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA2 EvB1. search.
  %E-Declare
   case IsS. Sec: case Sec. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
   backchain public_equiv_add_public.
  %E-Assign
   case IsS. EvB: case EvB. Sec: case Sec.
     %S-Assign-Private
      PE': apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply public_equiv_replaceScopes_other to
         PE' _ _ Sec1 _ EvA2 EvB1. search.
     %S-Assign-Public
      PE': apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply public_equiv_replaceScopes_public to
         PE' _ _ Sec1 EvA2 EvB1. search.
  %E-RecUpdate
   case IsS. EvB: case EvB. Sec: case Sec.
     %S-RecUpdate-Private
      PE': apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply public_equiv_replaceScopes_other to
         PE' _ _ Sec1 _ EvA4 EvB3. search.
     %S-RecUpdate-Public
      PE': apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      LB: apply public_equiv_lookupScopes to PE _ _ _ Sec1 EvA2.
      apply lookupScopes_unique to LB EvB1.
      apply updateRecFields_unique to EvA3 EvB2.
      apply public_equiv_replaceScopes_public to
         PE' _ _ Sec1 EvA4 EvB3. search.
  %E-If-True
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-If-True
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply public_equiv_add_scope to PE1.
      NSA1: apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply names_same_add_scope to NSA1.
      NSB1: apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply names_same_add_scope to NSB1.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB. apply level_is to _ _ _ Sec.
      apply join_is to _ _ Sec1.
      PE2: apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec2 EvA2 EvB1.
      apply secure_older_scopes to _ _ _ Sec2. case PE2. search.
     %E-If-False
      NSA1: apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply names_same_add_scope to NSA1.
      NSB1: apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply names_same_add_scope to NSB1.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB. apply level_is to _ _ _ Sec.
      apply join_is to _ _ Sec1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Sec1.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      PEA: apply stmt_not_public_no_public_change to
              _ _ _ _ _ _ _ EvA2 Sec2 _.
      PEB: apply stmt_not_public_no_public_change to
              _ _ _ _ _ _ _ EvB1 Sec3 _.
      PE': apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      PE1B: apply public_equiv_trans to PE' PEB.
      IsA+: apply evalStmt_isCtx to _ _ _ EvA2. case IsA+.
      case IsEE_A. PEA1: apply public_equiv_symm to PEA.
      apply public_equiv_trans to PEA1 PE1B. search.
  %E-If-False
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-If-True
      NSA1: apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply names_same_add_scope to NSA1.
      NSB1: apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply names_same_add_scope to NSB1.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB. apply level_is to _ _ _ Sec.
      apply join_is to _ _ Sec1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Sec1.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      PEA: apply stmt_not_public_no_public_change to
              _ _ _ _ _ _ _ EvA2 Sec3 _.
      PEB: apply stmt_not_public_no_public_change to
              _ _ _ _ _ _ _ EvB1 Sec2 _.
      PE': apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      PE1B: apply public_equiv_trans to PE' PEB.
      IsA+: apply evalStmt_isCtx to _ _ _ EvA2. case IsA+.
      case IsEE_A. PEA1: apply public_equiv_symm to PEA.
      apply public_equiv_trans to PEA1 PE1B. search.
     %E-If-False
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply public_equiv_add_scope to PE1.
      NSA1: apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply names_same_add_scope to NSA1.
      NSB1: apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply names_same_add_scope to NSB1.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB. apply level_is to _ _ _ Sec.
      apply join_is to _ _ Sec1.
      PE2: apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec3 EvA2 EvB1.
      apply secure_older_scopes to _ _ _ Sec3. case PE2. search.
  %E-While-True
   case IsS. Sec: case Sec (keep).
     %S-While-Private
      EvB: case EvB.
        %E-While-True
         PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB.
         apply public_equiv_add_scope to PE1.
         NSA1: apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec1.
         apply names_same_add_scope to NSA1.
         NSB1: apply level_eval_names_same to _ _ _ _ _ _ EvB Sec1.
         apply names_same_add_scope to NSB1.
         apply evalExpr_isCtx to _ _ _ EvA1.
         apply evalExpr_isCtx to _ _ _ EvB.
         PE2: apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec2 EvA2 EvB1.
         apply secure_older_scopes to _ _ _ Sec2. case PE2.
         IsEE2+: apply evalStmt_isCtx to _ _ _ EvA2. case IsEE2+.
         IsEE4+: apply evalStmt_isCtx to _ _ _ EvB1. case IsEE4+.
         NSA2: apply secure_eval_names_same to _ _ _ _ _ _ EvA2 Sec2.
         NSB2: apply secure_eval_names_same to _ _ _ _ _ _ EvB1 Sec2.
         NSA': case NSA2. NSB': case NSB2. case NSA.
         case NSB'2. case NSA'2.
         apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec EvA3 EvB2. search.
        %E-While-False
         assert L = public -> false.
           intros E. case E.
           apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB.
         PEA: apply while_no_public_change to
                 _ _ _ _ _ _ _ _ Sec Sec1 _ EvA.
         PEB: apply expr_not_public_no_public_change to
                 _ _ _ _ _ _ _ EvB Sec1 _.
         PEA': apply public_equiv_symm to PEA.
         PEAB: apply public_equiv_trans to PEA' PE.
         apply public_equiv_trans to PEAB PEB. search.
     %S-While-Public
      EvB: case EvB.
        %E-While-True
         PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB.
         apply public_equiv_add_scope to PE1.
         NSA1: apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec1.
         apply names_same_add_scope to NSA1.
         NSB1: apply level_eval_names_same to _ _ _ _ _ _ EvB Sec1.
         apply names_same_add_scope to NSB1.
         apply evalExpr_isCtx to _ _ _ EvA1.
         apply evalExpr_isCtx to _ _ _ EvB.
         PE2: apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec2 EvA2 EvB1.
         apply secure_older_scopes to _ _ _ Sec2. case PE2.
         IsEE2+: apply evalStmt_isCtx to _ _ _ EvA2. case IsEE2+.
         IsEE4+: apply evalStmt_isCtx to _ _ _ EvB1. case IsEE4+.
         NSA2: apply secure_eval_names_same to _ _ _ _ _ _ EvA2 Sec2.
         NSB2: apply secure_eval_names_same to _ _ _ _ _ _ EvB1 Sec2.
         NSA': case NSA2. NSB': case NSB2. case NSA.
         case NSB'2. case NSA'2.
         apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec EvA3 EvB2. search.
        %E-While-False
         apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB.
  %E-While-False
   case IsS. Sec: case Sec (keep).
     %S-While-Private
      EvB: case EvB (keep).
        %E-While-True
         assert L = public -> false.
           intros E. case E.
           apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB1.
         PEB: apply while_no_public_change to
                 _ _ _ _ _ _ _ _ Sec Sec1 _ EvB.
         PEA: apply expr_not_public_no_public_change to
                 _ _ _ _ _ _ _ EvA1 Sec1 _.
         PEA': apply public_equiv_symm to PEA.
         PEAB: apply public_equiv_trans to PEA' PE.
         apply public_equiv_trans to PEAB PEB. search.
        %E-While-False
         apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB1. search.
     %S-While-Public
      EvB: case EvB.
        %E-While-True
         apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB.
        %E-While-False
         apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB. search.
  %E-ScopeStmt
   case IsS. Sec: case Sec. EvB: case EvB.
   apply public_equiv_add_scope to PE.
   apply names_same_add_scope to NSA.
   apply names_same_add_scope to NSB.
   PE': apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. case PE'.
   search.
  %E-Print-Int
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-Print-Int
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-String
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
  %E-Print-True
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-Print-Int
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-String
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
  %E-Print-False
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-Print-Int
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-String
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
  %E-Print-String
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-Print-Int
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %E-Print-String
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
  %E-Secdecl
   case IsS. EvB: case EvB. Sec: case Sec.
     %S-Secdecl-Private
      PE': apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      backchain public_equiv_add_other.
     %S-Secdecl-Public
      PE': apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      backchain public_equiv_add_public.
  %E-Stmt-Q
   Sec: case Sec. apply names_is to _ EvA1.
   apply names_is_sec to _ Sec.
   apply proj_stmt_unique to Sec1 EvA2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NSA EvA1 Sec M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NSA EvA1 Sec M. search.
   apply proj_stmt_is to Sec1 _ _.
   case NSA (keep). apply secure_older_scopes to _ _ _ Sec2.
   %get a projection and evaluation using B
   NSB-: apply names_same_symmetric to NSB.
   NSAB: apply names_same_transitive to NSA NSB-.
   NamesB: apply names_exists to IsEE_B.
   apply names_is to _ EvA1. apply names_is to _ NamesB.
   PrB: apply proj_stmt_other to EvA2 _ _ _ with L' = N.
   apply proj_stmt_unique to EvA2 PrB _ _ _ _ _.
     %mem N -> mem Names
      intros M. NSBA: apply names_same_symmetric to NSAB.
      apply names_same_names to NSBA NamesB EvA1 M. search.
     %mem Names -> mem N
      intros M. apply names_same_names to NSAB EvA1 NamesB M. search.
   EvB': apply proj_evalStmt_forward to PrB NamesB _ _ _ EvB.
   %get scopes_same for A
   EvA': apply proj_evalStmt_forward to EvA2 EvA1 _ _ _ EvA.
   apply evalStmt_unique to _ _ _ EvA' EvA3.
   %use IH to get public_equiv for projections
   apply proj_stmt_is to PrB _ _.
   PE_Pr: apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec2 EvA3 EvB'.
   %lift it back with scopes_same
   PE': apply public_equiv_scopes_same_snd to PE_Pr EvB'1.
   apply public_equiv_scopes_same_fst to PE' EvA'1. search.
 %expr_secure
  %E-Num
   case EvB. search.
  %E-Plus
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-Minus
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-Mult
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-Div
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-True
   case EvB. search.
  %E-False
   case EvB. search.
  %E-And-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-And-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1. search.
     %E-And-False1
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply evalExpr_isCtx to _ _ _ EvA1. apply level_is to _ _ _ Lev.
      apply join_is to _ _ Lev1.
      PEA: apply expr_not_public_no_public_change to
              _ _ _ _ _ _ _ EvA2 Lev2 _.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      PEA': apply public_equiv_symm to PEA.
      apply public_equiv_trans to PEA' PE1. search.
     %E-And-False2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1. search.
  %E-And-False1
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-And-True
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply evalExpr_isCtx to _ _ _ EvB. apply level_is to _ _ _ Lev.
      apply join_is to _ _ Lev1.
      PEB: apply expr_not_public_no_public_change to
              _ _ _ _ _ _ _ EvB1 Lev2 _.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply public_equiv_trans to PE1 PEB. search.
     %E-And-False1
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
     %E-And-False2
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply evalExpr_isCtx to _ _ _ EvB. apply level_is to _ _ _ Lev.
      apply join_is to _ _ Lev1.
      PEB: apply expr_not_public_no_public_change to
              _ _ _ _ _ _ _ EvB1 Lev2 _.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply public_equiv_trans to PE1 PEB. search.
  %E-And-False2
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-And-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1. search.
     %E-And-False1
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply evalExpr_isCtx to _ _ _ EvA1. apply level_is to _ _ _ Lev.
      apply join_is to _ _ Lev1.
      PEA: apply expr_not_public_no_public_change to
              _ _ _ _ _ _ _ EvA2 Lev2 _.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      PEA': apply public_equiv_symm to PEA.
      apply public_equiv_trans to PEA' PE1. search.
     %E-And-False2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1. search.
  %E-Or-True1
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Or-True1
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
     %E-Or-True2
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply evalExpr_isCtx to _ _ _ EvB. apply level_is to _ _ _ Lev.
      apply join_is to _ _ Lev1.
      PEB: apply expr_not_public_no_public_change to
              _ _ _ _ _ _ _ EvB1 Lev2 _.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply public_equiv_trans to PE1 PEB. search.
     %E-Or-False
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply evalExpr_isCtx to _ _ _ EvB. apply level_is to _ _ _ Lev.
      apply join_is to _ _ Lev1.
      PEB: apply expr_not_public_no_public_change to
              _ _ _ _ _ _ _ EvB1 Lev2 _.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply public_equiv_trans to PE1 PEB. search.
  %E-Or-True2
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Or-True1
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply evalExpr_isCtx to _ _ _ EvA1. apply level_is to _ _ _ Lev.
      apply join_is to _ _ Lev1.
      PEA: apply expr_not_public_no_public_change to
              _ _ _ _ _ _ _ EvA2 Lev2 _.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      PEA': apply public_equiv_symm to PEA.
      apply public_equiv_trans to PEA' PE1. search.
     %E-Or-True2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1. search.
     %E-Or-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1. search.
  %E-Or-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Or-True1
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      PE1: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply evalExpr_isCtx to _ _ _ EvA1. apply level_is to _ _ _ Lev.
      apply join_is to _ _ Lev1.
      PEA: apply expr_not_public_no_public_change to
              _ _ _ _ _ _ _ EvA2 Lev2 _.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      PEA': apply public_equiv_symm to PEA.
      apply public_equiv_trans to PEA' PE1. search.
     %E-Or-True2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1. search.
     %E-Or-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1. search.
  %E-Not-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Not-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
     %E-Not-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
  %E-Not-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Not-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
     %E-Not-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
  %E-Greater-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Greater-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
     %E-Greater-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-Greater-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Greater-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
     %E-Greater-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-Eq-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Eq-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
     %E-Eq-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-Eq-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Eq-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
     %E-Eq-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-String
   case EvB. search.
  %E-AppString
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-Name
   case EvB. search.
  %E-Call
   case IsE. EvB: case EvB. Lev: case Lev.
     %L-Call-Private
      apply IH_A to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
     %L-Call-Public
      apply IH_A to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-StmtExpr
   case IsE. EvB: case EvB. Lev: case Lev.
   apply names_same_add_scope to NSA.
   apply names_same_add_scope to NSB.
   apply public_equiv_add_scope to PE.
   apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalStmt_isCtx to _ _ _ EvA1.
   apply evalStmt_isCtx to _ _ _ EvB. apply secure_is to _ _ _ Lev.
   apply secure_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply secure_eval_names_same to _ _ _ _ _ _ EvB Lev.
   PE': apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply secure_older_scopes to _ _ _ Lev. case PE'. search.
  %E-RecBuild
   case IsE. EvB: case EvB. Lev: case Lev.
   apply IH_RF to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
  %E-RecAccess
   case IsE. EvB: case EvB. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
  %E-Expr-Q
   Lev: case Lev. apply names_is to _ EvA1.
   apply names_is_sec to _ Lev.
   apply proj_expr_unique to Lev1 EvA2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NSA EvA1 Lev M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NSA EvA1 Lev M. search.
   apply proj_expr_is to Lev1 _ _.
   %get a projection and evaluation using B
   NSB-: apply names_same_symmetric to NSB.
   NSAB: apply names_same_transitive to NSA NSB-.
   NamesB: apply names_exists to IsEE_B.
   apply names_is to _ EvA1. apply names_is to _ NamesB.
   PrB: apply proj_expr_other to EvA2 _ _ _ with L' = N.
   apply proj_expr_unique to EvA2 PrB _ _ _ _ _.
     %mem N -> mem Names
      intros M. NSBA: apply names_same_symmetric to NSAB.
      apply names_same_names to NSBA NamesB EvA1 M. search.
     %mem Names -> mem N
      intros M. apply names_same_names to NSAB EvA1 NamesB M. search.
   EvB': apply proj_evalExpr_forward to PrB NamesB _ _ _ EvB.
   %get scopes_same for A
   EvA': apply proj_evalExpr_forward to EvA2 EvA1 _ _ _ EvA.
   apply evalExpr_unique to _ _ _ EvA' EvA3.
   %use IH to get public_equiv for projections
   apply proj_expr_is to PrB _ _.
   PE_Pr: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA3 EvB'.
   %lift it back with scopes_same
   PE': apply public_equiv_scopes_same_snd to PE_Pr EvB'1.
   apply public_equiv_scopes_same_fst to PE' EvA'1. search.
 %args_secure
  %EA-Nil
   case EvB. search.
  %EA-Cons
   case IsA. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply IH_A to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %unknown K
   case Lev.
 %recFieldExprs_secure
  %ERF-Nil
   case EvB. search.
  %ERF-Cons
   case IsRF. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply IH_RF to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %unknown K
   case Lev.
 %expr_level
  %E-Num
   case EvB. search.
  %E-Plus
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply level_is to _ _ _ Lev. apply level_is to _ _ _ Lev1.
   apply join_public to _ _ Lev2.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply plus_integer_unique to EvA3 EvB2. search.
  %E-Minus
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply level_is to _ _ _ Lev. apply level_is to _ _ _ Lev1.
   apply join_public to _ _ Lev2.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply minus_integer_unique to EvA3 EvB2. search.
  %E-Mult
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply level_is to _ _ _ Lev. apply level_is to _ _ _ Lev1.
   apply join_public to _ _ Lev2.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply multiply_integer_unique to EvA3 EvB2. search.
  %E-Div
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply level_is to _ _ _ Lev. apply level_is to _ _ _ Lev1.
   apply join_public to _ _ Lev2.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply divide_integer_unique to EvA3 EvB2. search.
  %E-True
   case EvB. search.
  %E-False
   case EvB. search.
  %E-And-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-And-True
      search.
     %E-And-False1
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply level_is to _ _ _ Lev2. apply join_public to _ _ Lev3.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
     %E-And-False2
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply level_is to _ _ _ Lev2. apply join_public to _ _ Lev3.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
  %E-And-False1
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-And-True
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply level_is to _ _ _ Lev2. apply join_public to _ _ Lev3.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
     %E-And-False1
      search.
     %E-And-False2
      search.
  %E-And-False2
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-And-True
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply level_is to _ _ _ Lev2. apply join_public to _ _ Lev3.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
     %E-And-False1
      search.
     %E-And-False2
      search.
  %E-Or-True1
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Or-True1
      search.
     %E-Or-True2
      search.
     %E-Or-False
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply level_is to _ _ _ Lev2. apply join_public to _ _ Lev3.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
  %E-Or-True2
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Or-True1
      search.
     %E-Or-True2
      search.
     %E-Or-False
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply level_is to _ _ _ Lev2. apply join_public to _ _ Lev3.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
  %E-Or-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Or-True1
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply level_is to _ _ _ Lev2. apply join_public to _ _ Lev3.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
     %E-Or-True2
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply level_is to _ _ _ Lev2. apply join_public to _ _ Lev3.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
     %E-Or-False
      search.
  %E-Not-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Not-True
      search.
     %E-Not-False
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
  %E-Not-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Not-True
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
     %E-Not-False
      search.
  %E-Greater-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Greater-True
      search.
     %E-Greater-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply level_is to _ _ _ Lev1.
      apply join_public to _ _ Lev2.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      L: case EvA3. apply less_lesseq_flip_false to L EvB2.
  %E-Greater-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Greater-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply level_is to _ _ _ Lev1.
      apply join_public to _ _ Lev2.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      L: case EvB2. apply less_lesseq_flip_false to L EvA3.
     %E-Greater-False
      search.
  %E-Eq-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Eq-True
      search.
     %E-Eq-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply level_is to _ _ _ Lev1.
      apply join_public to _ _ Lev2.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply EvB2 to _.
  %E-Eq-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Eq-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply level_is to _ _ _ Lev. apply level_is to _ _ _ Lev1.
      apply join_public to _ _ Lev2.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply EvA3 to _.
     %E-Eq-False
      search.
  %E-String
   case EvB. search.
  %E-AppString
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply level_is to _ _ _ Lev. apply level_is to _ _ _ Lev1.
   apply join_public to _ _ Lev2.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply append_unique to EvA3 EvB2. search.
  %E-Name
   Lev: case Lev. EvB: case EvB.
   LB: apply public_equiv_lookupScopes to PE _ _ _ Lev EvA1.
   apply lookupScopes_unique to EvB LB. search.
  %E-Call
   case IsE. EvB: case EvB. Lev: case Lev.
   LAV: apply IH_A_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply lookup_unique to EvB EvA1. FR: case SFC (keep).
   FS: apply FR to Lev EvA1.
   PE': apply zip_level_arg_vals to LAV EvA3 EvB2 FS.
   apply public_equiv_add_public to PE' with X = RetVar, V = RVVal.
   IsFP: apply lookup_is_value_funCtx to _ EvA1. IsF: case IsFP.
   IsF: case IsF1. IsF: case IsF2.
   apply evalArgs_isValue to _ _ _ EvA2.
   apply evalArgs_isValue to _ _ _ EvB1.
   apply zip_is to _ _ EvA3. apply zip_is to _ _ EvB2.
   apply zip_names_same to _ _ with
      ZA = (RetVar, RVVal)::InitEnv1, ZB = (RetVar, public)::ZP.
   apply zip_names_same to _ _ with
      ZA = (RetVar, RVVal)::InitEnv, ZB = (RetVar, public)::ZP.
   apply levelArgs_is to _ _ _ Lev1.
   apply zip_is_sec to _ _ _ with Z = (RetVar, public)::ZP.
   PEF: apply IH_S to _ _ _ _ _ _ _ _ _ _ _ FS1 EvA4 EvB3.
   SOS: apply secure_older_scopes to _ _ _ FS1.
   LS: apply SOS to _ with X = RetVar.
   apply evalStmt_isCtx to _ _ _ EvA4.
   apply evalStmt_isCtx to _ _ _ EvB3.
   apply secure_eval_names_same to _ _ _ _ _ _ EvA4 FS1.
   apply secure_eval_names_same to _ _ _ _ _ _ EvB3 FS1.
   LB: apply public_equiv_lookupScopes to PEF _ _ _ _ EvA6.
   apply lookupScopes_unique to EvB5 LB. search.
  %E-StmtExpr
   case IsE. Lev: case Lev. EvB: case EvB.
   apply names_same_add_scope to NSA.
   apply names_same_add_scope to NSB.
   apply public_equiv_add_scope to PE.
   apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalStmt_isCtx to _ _ _ EvA1.
   apply evalStmt_isCtx to _ _ _ EvB.
   apply secure_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply secure_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply secure_is to _ _ _ Lev.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %E-RecBuild
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_RF_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
  %E-RecAccess
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply lookup_unique to EvA2 EvB1. search.
  %E-Expr-Q
   Lev: case Lev. apply names_is to _ EvA1.
   apply names_is_sec to _ Lev.
   apply proj_expr_unique to Lev1 EvA2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NSA EvA1 Lev M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NSA EvA1 Lev M. search.
   apply proj_expr_is to Lev1 _ _.
   %get a projection and evaluation using B
   NSB-: apply names_same_symmetric to NSB.
   NSAB: apply names_same_transitive to NSA NSB-.
   NamesB: apply names_exists to IsEE_B.
   apply names_is to _ EvA1. apply names_is to _ NamesB.
   PrB: apply proj_expr_other to EvA2 _ _ _ with L' = N.
   apply proj_expr_unique to EvA2 PrB _ _ _ _ _.
     %mem N -> mem Names
      intros M. NSBA: apply names_same_symmetric to NSAB.
      apply names_same_names to NSBA NamesB EvA1 M. search.
     %mem Names -> mem N
      intros M. apply names_same_names to NSAB EvA1 NamesB M. search.
   EvB': apply proj_evalExpr_forward to PrB NamesB _ _ _ EvB.
   %get values same for A and A projection
   EvA': apply proj_evalExpr_forward to EvA2 EvA1 _ _ _ EvA.
   apply evalExpr_unique to _ _ _ EvA' EvA3.
   %use IH to get same values for projections
   apply proj_expr_is to PrB _ _.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA3 EvB'. search.
 %recFields_level
  %ERF-Nil
   case EvB. search.
  %ERF-Cons
   case IsRF. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply level_is to _ _ _ Lev. apply levelRecFields_is to _ _ _ Lev1.
   apply join_public to _ _ Lev2.
   apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_RF_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %unknown K
   case Lev.
 %args_level
  %EA-Nil
   case EvB. case Lev. search.
  %EA-Cons
   case IsA. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply level_is to _ _ _ Lev. apply levelArgs_is to _ _ _ Lev1.
   Or: apply is_slev_public_or_not to _ with L = L. N: case Or.
     %public
      apply IH_E_L to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_A_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
     %not public
      apply IH_A_L to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1. search.
  %unknown K
   case Lev.


Extensible_Theorem
  stmt_not_public_no_output :
    forall S SF SG PC SG' FE Scope EE EE' O,
      IsS : is_stmt S ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value))
                (Scope::EE) ->
      SFC : secFunCtxs SF FE ->
      NS : names_same (Scope::EE) SG ->
      Ev : evalStmt FE (Scope::EE) S EE' O ->
      Sec : secure SF SG PC S SG' ->
      NEq : (PC = public -> false) ->
      O = []
  on Ev as IH_S,
  expr_not_public_no_output :
    forall E SF SG PC L FE EE V EE' O,
      IsE : is_expr E ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
      SFC : secFunCtxs SF FE ->
      NS : names_same EE SG ->
      Ev : evalExpr FE EE E V EE' O ->
      Lev : level SF SG PC E L ->
      NEq : (PC = public -> false) ->
      O = []
  on Ev as IH_E,
  args_not_public_no_output :
    forall A SF SG PC L FE EE V EE' O,
      IsA : is_args A ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
      SFC : secFunCtxs SF FE ->
      NS : names_same EE SG ->
      Ev : evalArgs FE EE A V EE' O ->
      Lev : levelArgs SF SG PC A L ->
      NEq : (PC = public -> false) ->
      O = []
  on Ev as IH_A,
  recFields_not_public_no_output :
    forall RF SF SG PC L FE EE V EE' O,
      IsRF : is_recFieldExprs RF ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
      SFC : secFunCtxs SF FE ->
      NS : names_same EE SG ->
      Ev : evalRecFields FE EE RF V EE' O ->
      Lev : levelRecFields SF SG PC RF L ->
      NEq : (PC = public -> false) ->
      O = []
  on Ev as IH_RF. [Show Proof]

%ExtInd validity
 %stmt_not_public_no_output
  search.
 %expr_not_public_no_output
  search.
 %args_not_public_no_output
  search.
 %recFields_not_public_no_output
  search.
%Actual property
 %stmt_not_public_no_output
  %E-Noop
   search.
  %E-Seq
   case IsS. Sec: case Sec.
   apply IH_S to _ _ _ _ _ _ _ _ Ev1 Sec _. case Ev3.
   apply evalStmt_isCtx to _ _ _ Ev1. apply secure_is to _ _ _ Sec.
   NS': apply secure_eval_names_same to _ _ _ _ _ _ Ev1 Sec.
   case NS. apply secure_older_scopes to _ _ _ Sec. case NS' (keep).
   apply IH_S to _ _ _ _ _ _ _ _ Ev2 Sec1 _. search.
  %E-Declare
   case IsS. Sec: case Sec.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec _. search.
  %E-Assign
   case IsS. Sec: case Sec.
     %S-Assign-Private
      apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec _. search.
     %S-Assign-Public
      apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec _. search.
  %E-RecUpdate
   case IsS. Sec: case Sec.
     %S-RecUpdate-Private
      apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec _. search.
     %S-RecUpdate-Public
      apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec _. search.
  %E-If-True
   case IsS. Sec: case Sec.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec _. case Ev3.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Sec.
   apply join_is to _ _ Sec1.
   NS': apply level_eval_names_same to _ _ _ _ _ _ Ev1 Sec.
   apply names_same_add_scope to NS'.
   assert Sl1 = public -> false.
     intros E. case E. apply join_public to _ _ Sec1. backchain NEq.
   apply IH_S to _ _ _ _ _ _ _ _ Ev2 Sec2 _. search.
  %E-If-False
   case IsS. Sec: case Sec.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec _. case Ev3.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Sec.
   apply join_is to _ _ Sec1.
   NS': apply level_eval_names_same to _ _ _ _ _ _ Ev1 Sec.
   apply names_same_add_scope to NS'.
   assert Sl1 = public -> false.
     intros E. case E. apply join_public to _ _ Sec1. backchain NEq.
   apply IH_S to _ _ _ _ _ _ _ _ Ev2 Sec3 _. search.
  %E-While-True
   case IsS. Sec: case Sec (keep).
     %S-While-Private
      apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec1 _. case Ev4.
      apply evalExpr_isCtx to _ _ _ Ev1.
      NS': apply level_eval_names_same to _ _ _ _ _ _ Ev1 Sec1.
      apply names_same_add_scope to NS'.
      apply IH_S to _ _ _ _ _ _ _ _ Ev2 Sec2 _. case Ev5.
      IsEE4+: apply evalStmt_isCtx to _ _ _ Ev2. case IsEE4+.
      NS+: apply secure_eval_names_same to _ _ _ _ _ _ Ev2 Sec2.
      apply secure_older_scopes to _ _ _ Sec2. NS-: case NS+.
      case NS. case NS-2 (keep).
      apply IH_S to _ _ _ _ _ _ _ _ Ev3 Sec _. search.
     %S-While-Public
      apply NEq to _.
  %E-While-False
   case IsS. Sec: case Sec.
     %S-While-Private
      apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec _. search.
     %S-While-Public
      apply NEq to _.
  %E-ScopeStmt
   case IsS. Sec: case Sec. apply names_same_add_scope to NS.
   apply IH_S to _ _ _ _ _ _ _ _ Ev1 Sec _. search.
  %E-Print-Int
   case Sec. apply NEq to _.
  %E-Print-True
   case Sec. apply NEq to _.
  %E-Print-False
   case Sec. apply NEq to _.
  %E-Print-String
   case Sec. apply NEq to _.
  %E-Secdecl
   case IsS. Sec: case Sec.
     %S-Secdecl-Private
      apply IH_E to _ _ _ _ _ _ _ _ Ev1 Sec _. search.
     %S-Secdecl-Public
      apply NEq to _.
  %E-Stmt-Q
   Sec: case Sec. apply names_is to _ Ev1.
   apply names_is_sec to _ Sec.
   apply proj_stmt_unique to Sec1 Ev2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NS Ev1 Sec M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NS Ev1 Sec M. search.
   apply proj_stmt_is to Sec1 _ _.
   NS': apply secure_eval_names_same to _ _ _ _ _ _ Ev3 Sec2.
   case NS. apply secure_older_scopes to _ _ _ Sec2. case NS' (keep).
   apply IH_S to _ _ _ _ _ _ _ _ Ev3 Sec2 _.
   SS: apply proj_evalStmt_forward to Ev2 Ev1 _ _ _ Ev.
   apply evalStmt_unique to _ _ _ SS Ev3. search.
 %expr_not_public_no_output
  %E-Num
   search.
  %E-Plus
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev4.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-Minus
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev4.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-Mult
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev4.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-Div
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev4.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-True
   search.
  %E-False
   search.
  %E-And-True
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev3.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Lev.
   apply join_is to _ _ Lev1. assert Sl1 = public -> false.
     intros E. case E. apply join_public to _ _ Lev1. backchain NEq.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev2 _. search.
  %E-And-False1
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. search.
  %E-And-False2
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev3.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Lev.
   apply join_is to _ _ Lev1. assert Sl1 = public -> false.
     intros E. case E. apply join_public to _ _ Lev1. backchain NEq.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev2 _. search.
  %E-Or-True1
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. search.
  %E-Or-True2
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev3.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Lev.
   apply join_is to _ _ Lev1. assert Sl1 = public -> false.
     intros E. case E. apply join_public to _ _ Lev1. backchain NEq.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev2 _. search.
  %E-Or-False
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev3.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1. apply level_is to _ _ _ Lev.
   apply join_is to _ _ Lev1. assert Sl1 = public -> false.
     intros E. case E. apply join_public to _ _ Lev1. backchain NEq.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev2 _. search.
  %E-Not-True
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. search.
  %E-Not-False
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. search.
  %E-Greater-True
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev4.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-Greater-False
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev4.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-Eq-True
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev3.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-Eq-False
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev4.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-String
   search.
  %E-AppString
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev4.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-Name
   search.
  %E-Call
   case IsE. Lev: case Lev.
     %L-Call-Private
      apply IH_A to _ _ _ _ _ _ _ _ Ev2 Lev1 _. case Ev5.
      apply evalArgs_isValue to _ _ _ Ev2. FR: case SFC (keep).
      FS: apply FR to Lev Ev1.
      IsFP: apply lookup_is_value_funCtx to _ Ev1. IsF: case IsFP.
      IsF: case IsF1. IsF: case IsF2. apply zip_is to _ _ Ev3.
      apply zip_names_same to _ _ with
         ZA = (RetVar, RVVal)::InitEnv, ZB = (RetVar, private)::ZP.
      apply levelArgs_is to _ _ _ Lev1.
      apply zip_is_sec to _ _ _ with Z = (RetVar, private)::ZP.
      apply IH_S to _ _ _ _ _ _ _ _ Ev4 FS1 _. search.
     %L-Call-Public
      apply NEq to _.
  %E-StmtExpr
   case IsE. Lev: case Lev. apply names_same_add_scope to NS.
   apply IH_S to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev3.
   apply secure_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalStmt_isCtx to _ _ _ Ev1. apply secure_is to _ _ _ Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %E-RecBuild
   case IsE. Lev: case Lev.
   apply IH_RF to _ _ _ _ _ _ _ _ Ev1 Lev _. search.
  %E-RecAccess
   case IsE. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. search.
  %E-Expr-Q
   Lev: case Lev. apply names_is to _ Ev1.
   apply names_is_sec to _ Lev.
   apply proj_expr_unique to Lev1 Ev2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NS Ev1 Lev M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NS Ev1 Lev M. search.
   apply proj_expr_is to Lev1 _ _.
   NS': apply level_eval_names_same to _ _ _ _ _ _ Ev3 Lev2.
   apply IH_E to _ _ _ _ _ _ _ _ Ev3 Lev2 _.
   SS: apply proj_evalExpr_forward to Ev2 Ev1 _ _ _ Ev.
   apply evalExpr_unique to _ _ _ SS Ev3. search.
 %args_not_public_no_output
  %EA-Nil
   search.
  %EA-Cons
   case IsA. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev3.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_A to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %unknown K
   case Lev.
 %recFields_not_public_no_output
  %ERF-Nil
   search.
  %ERF-Cons
   case IsRF. Lev: case Lev.
   apply IH_E to _ _ _ _ _ _ _ _ Ev1 Lev _. case Ev3.
   apply level_eval_names_same to _ _ _ _ _ _ Ev1 Lev.
   apply evalExpr_isCtx to _ _ _ Ev1.
   apply IH_RF to _ _ _ _ _ _ _ _ Ev2 Lev1 _. search.
  %unknown K
   case Lev.


Extensible_Theorem
  secure_output : forall S SF SG PC SG' FE ScopeA EE_A EE_A' OA
                       ScopeB EE_B EE_B' OB,
    IsS : is_stmt S ->
    IsSF : is_list (is_pair is_string
                   (is_pair is_slev (is_list is_slev))) SF ->
    IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
    IsPC : is_slev PC ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE_A : is_list (is_list (is_pair is_string is_value))
                (ScopeA::EE_A) ->
    IsEE_B : is_list (is_list (is_pair is_string is_value))
                (ScopeB::EE_B) ->
    SFC : secFunCtxs SF FE ->
    NSA : names_same (ScopeA::EE_A) SG ->
    NSB : names_same (ScopeB::EE_B) SG ->
    PE : public_equiv SG (ScopeA::EE_A) (ScopeB::EE_B) ->
    Sec : secure SF SG PC S SG' ->
    EvA : evalStmt FE (ScopeA::EE_A) S EE_A' OA ->
    EvB : evalStmt FE (ScopeB::EE_B) S EE_B' OB ->
    OA = OB
  on EvA as IH_S,
  expr_secure_output :
    forall E SF SG PC L FE EE_A EE_A' VA OA EE_B EE_B' VB OB,
      IsE : is_expr E ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE_A : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsEE_B : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SFC : secFunCtxs SF FE ->
      NSA : names_same EE_A SG ->
      NSB : names_same EE_B SG ->
      PE : public_equiv SG EE_A EE_B ->
      Lev : level SF SG PC E L ->
      EvA : evalExpr FE EE_A E VA EE_A' OA ->
      EvB : evalExpr FE EE_B E VB EE_B' OB ->
      OA = OB
  on EvA as IH_E,
  args_secure_output :
    forall A SF SG PC L FE EE_A EE_A' VA OA EE_B EE_B' VB OB,
      IsA : is_args A ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE_A : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsEE_B : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SFC : secFunCtxs SF FE ->
      NSA : names_same EE_A SG ->
      NSB : names_same EE_B SG ->
      PE : public_equiv SG EE_A EE_B ->
      Lev : levelArgs SF SG PC A L ->
      EvA : evalArgs FE EE_A A VA EE_A' OA ->
      EvB : evalArgs FE EE_B A VB EE_B' OB ->
      OA = OB
  on EvA as IH_A,
  recFields_secure_output :
    forall RF SF SG PC L FE EE_A EE_A' VA OA EE_B EE_B' VB OB,
      IsRF : is_recFieldExprs RF ->
      IsSF : is_list (is_pair is_string
                     (is_pair is_slev (is_list is_slev))) SF ->
      IsSG : is_list (is_list (is_pair is_string is_slev)) SG ->
      IsPC : is_slev PC ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE_A : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsEE_B : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SFC : secFunCtxs SF FE ->
      NSA : names_same EE_A SG ->
      NSB : names_same EE_B SG ->
      PE : public_equiv SG EE_A EE_B ->
      Lev : levelRecFields SF SG PC RF L ->
      EvA : evalRecFields FE EE_A RF VA EE_A' OA ->
      EvB : evalRecFields FE EE_B RF VB EE_B' OB ->
      OA = OB
  on EvA as IH_RF. [Show Proof]

%ExtInd validity
 %secure_output
  search.
 %expr_secure_output
  search.
 %args_secure_output
  search.
 %recFields_secure_output
  search.
%Actual property
 %secure_output
  %E-Noop
   case EvB. search.
  %E-Seq
   case IsS. Sec: case Sec. EvB: case EvB.
   apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
   apply stmt_secure to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
   apply evalStmt_isCtx to _ _ _ EvA1.
   apply evalStmt_isCtx to _ _ _ EvB. apply secure_is to _ _ _ Sec.
   NSA': apply secure_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
   NSB': apply secure_eval_names_same to _ _ _ _ _ _ EvB Sec.
   case NSA. apply secure_older_scopes to _ _ _ Sec. case NSA' (keep).
   case NSB' (keep).
   apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA2 EvB1.
   apply append_unique to EvA3 EvB2. search.
  %E-Declare
   case IsS. Sec: case Sec. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
  %E-Assign
   case IsS. Sec: case Sec.
     %S-Assign-Private
      EvB: case EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %S-Assign-Public
      EvB: case EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
  %E-RecUpdate
   case IsS. Sec: case Sec.
     %S-RecUpdate-Private
      EvB: case EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
     %S-RecUpdate-Public
      EvB: case EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
  %E-If-True
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-If-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      NSA': apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      NSB': apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply names_same_add_scope to NSA'.
      apply names_same_add_scope to NSB'.
      PE': apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply public_equiv_add_scope to PE'.
      apply level_is to _ _ _ Sec. apply join_is to _ _ Sec1.
      apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec2 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
     %E-If-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply level_is to _ _ _ Sec. apply join_is to _ _ Sec1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Sec1.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      %A branch evaluation produces empty output
      apply evalExpr_isCtx to _ _ _ EvA1.
      NSA': apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply names_same_add_scope to NSA'.
      apply stmt_not_public_no_output to _ _ _ _ _ _ _ _ EvA2 Sec2 _.
      apply append_nil_right to EvA3.
      %B branch evaluation produces empty output
      apply evalExpr_isCtx to _ _ _ EvB.
      NSB': apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply names_same_add_scope to NSB'.
      apply stmt_not_public_no_output to _ _ _ _ _ _ _ _ EvB1 Sec3 _.
      apply append_nil_right to EvB2. search.
  %E-If-False
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-If-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply level_is to _ _ _ Sec. apply join_is to _ _ Sec1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Sec1.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      %A branch evaluation produces empty output
      apply evalExpr_isCtx to _ _ _ EvA1.
      NSA': apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      apply names_same_add_scope to NSA'.
      apply stmt_not_public_no_output to _ _ _ _ _ _ _ _ EvA2 Sec3 _.
      apply append_nil_right to EvA3.
      %B branch evaluation produces empty output
      apply evalExpr_isCtx to _ _ _ EvB.
      NSB': apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply names_same_add_scope to NSB'.
      apply stmt_not_public_no_output to _ _ _ _ _ _ _ _ EvB1 Sec2 _.
      apply append_nil_right to EvB2. search.
     %E-If-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      NSA': apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec.
      NSB': apply level_eval_names_same to _ _ _ _ _ _ EvB Sec.
      apply names_same_add_scope to NSA'.
      apply names_same_add_scope to NSB'.
      PE': apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply public_equiv_add_scope to PE'.
      apply level_is to _ _ _ Sec. apply join_is to _ _ Sec1.
      apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec3 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
  %E-While-True
   case IsS. Sec: case Sec (keep).
     %S-While-Private
      apply stmt_not_public_no_output to _ _ _ _ _ _ _ _ EvA Sec _.
      apply stmt_not_public_no_output to _ _ _ _ _ _ _ _ EvB Sec _.
      search.
     %S-While-Public
      EvB: case EvB.
        %E-While-True
         apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB.
         apply evalExpr_isCtx to _ _ _ EvA1.
         apply evalExpr_isCtx to _ _ _ EvB.
         NSA': apply level_eval_names_same to _ _ _ _ _ _ EvA1 Sec1.
         NSB': apply level_eval_names_same to _ _ _ _ _ _ EvB Sec1.
         apply names_same_add_scope to NSA'.
         apply names_same_add_scope to NSB'.
         PE': apply expr_secure to
                 _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB.
         apply public_equiv_add_scope to PE'.
         apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec2 EvA2 EvB1.
         IsEE2+: apply evalStmt_isCtx to _ _ _ EvA2. case IsEE2+.
         IsEE4+: apply evalStmt_isCtx to _ _ _ EvB1. case IsEE4+.
         NSA'': apply secure_eval_names_same to _ _ _ _ _ _ EvA2 Sec2.
         NSB'': apply secure_eval_names_same to _ _ _ _ _ _ EvB1 Sec2.
         PE'': apply stmt_secure to
                  _ _ _ _ _ _ _ _ _ _ _ Sec2 EvA2 EvB1.
         NSA-: case NSA''. NSB-: case NSB''. PE-: case PE''.
         case NSA. case NSB. apply secure_older_scopes to _ _ _ Sec2.
         case NSA-2 (keep). case NSB-2 (keep).
         apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec EvA3 EvB2.
         apply append_unique to EvA4 EvB3.
         apply append_unique to EvA5 EvB4. search.
        %E-While-False
         apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB.
  %E-While-False
   case IsS. Sec: case Sec (keep).
     %S-While-Private
      apply stmt_not_public_no_output to _ _ _ _ _ _ _ _ EvA Sec _.
      apply stmt_not_public_no_output to _ _ _ _ _ _ _ _ EvB Sec _.
      search.
     %S-While-Public
      EvB: case EvB.
        %E-While-True
         apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB.
        %E-While-False
         apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec1 EvA1 EvB. search.
  %E-ScopeStmt
   case IsS. Sec: case Sec. EvB: case EvB.
   apply names_same_add_scope to NSA.
   apply names_same_add_scope to NSB.
   apply public_equiv_add_scope to PE.
   apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB. search.
  %E-Print-Int
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-Print-Int
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply append_unique to EvA2 EvB1. search.
     %E-Print-True
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
     %E-Print-False
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
     %E-Print-String
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
  %E-Print-True
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-Print-Int
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
     %E-Print-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply append_unique to EvA2 EvB1. search.
     %E-Print-False
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
     %E-Print-String
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
  %E-Print-False
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-Print-Int
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
     %E-Print-True
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
     %E-Print-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply append_unique to EvA2 EvB1. search.
     %E-Print-String
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
  %E-Print-String
   case IsS. Sec: case Sec. EvB: case EvB.
     %E-Print-Int
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
     %E-Print-True
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
     %E-Print-False
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
     %E-Print-String
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      apply append_unique to EvA2 EvB1. search.
  %E-Secdecl
   case IsS. Sec: case Sec.
     %S-Secdecl-Private
      EvB: case EvB. apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      search.
     %S-Secdecl-Public
      EvB: case EvB. apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Sec EvA1 EvB.
      search.
  %E-Stmt-Q
   Sec: case Sec. apply names_is to _ EvA1.
   apply names_is_sec to _ Sec.
   apply proj_stmt_unique to Sec1 EvA2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NSA EvA1 Sec M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NSA EvA1 Sec M. search.
   apply proj_stmt_is to Sec1 _ _.
   case NSA (keep). apply secure_older_scopes to _ _ _ Sec2.
   %get a projection and evaluation using B
   NSB-: apply names_same_symmetric to NSB.
   NSAB: apply names_same_transitive to NSA NSB-.
   NamesB: apply names_exists to IsEE_B.
   apply names_is to _ EvA1. apply names_is to _ NamesB.
   PrB: apply proj_stmt_other to EvA2 _ _ _ with L' = N.
   apply proj_stmt_unique to EvA2 PrB _ _ _ _ _.
     %mem N -> mem Names
      intros M. NSBA: apply names_same_symmetric to NSAB.
      apply names_same_names to NSBA NamesB EvA1 M. search.
     %mem Names -> mem N
      intros M. apply names_same_names to NSAB EvA1 NamesB M. search.
   EvB': apply proj_evalStmt_forward to PrB NamesB _ _ _ EvB.
   %get same output for A
   EvA': apply proj_evalStmt_forward to EvA2 EvA1 _ _ _ EvA.
   apply evalStmt_unique to _ _ _ EvA' EvA3.
   %use IH to get same output for projections
   apply proj_stmt_is to PrB _ _.
   PE_Pr: apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Sec2 EvA3 EvB'. search.
 %expr_secure_output
  %E-Num
   case EvB. search.
  %E-Plus
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply append_unique to EvA4 EvB3. search.
  %E-Minus
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply append_unique to EvA4 EvB3. search.
  %E-Mult
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply append_unique to EvA4 EvB3. search.
  %E-Div
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply append_unique to EvA4 EvB3. search.
  %E-True
   case EvB. search.
  %E-False
   case EvB. search.
  %E-And-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-And-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
     %E-And-False1
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply expr_not_public_no_output to _ _ _ _ _ _ _ _ EvA2 Lev2 _.
      apply append_nil_right to EvA3. search.
     %E-And-False2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
  %E-And-False1
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-And-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply expr_not_public_no_output to _ _ _ _ _ _ _ _ EvB1 Lev2 _.
      apply append_nil_right to EvB2. search.
     %E-And-False1
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
     %E-And-False2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply expr_not_public_no_output to _ _ _ _ _ _ _ _ EvB1 Lev2 _.
      apply append_nil_right to EvB2. search.
  %E-And-False2
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-And-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
     %E-And-False1
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply expr_not_public_no_output to _ _ _ _ _ _ _ _ EvA2 Lev2 _.
      apply append_nil_right to EvA3. search.
     %E-And-False2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
  %E-Or-True1
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Or-True1
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
     %E-Or-True2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply expr_not_public_no_output to _ _ _ _ _ _ _ _ EvB1 Lev2 _.
      apply append_nil_right to EvB2. search.
     %E-Or-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply expr_not_public_no_output to _ _ _ _ _ _ _ _ EvB1 Lev2 _.
      apply append_nil_right to EvB2. search.
  %E-Or-True2
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Or-True1
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply expr_not_public_no_output to _ _ _ _ _ _ _ _ EvA2 Lev2 _.
      apply append_nil_right to EvA3. search.
     %E-Or-True2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
     %E-Or-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
  %E-Or-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Or-True1
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      NEq: assert L2 = public -> false.
        intros E. case E.
        apply expr_level to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      assert Sl1 = public -> false.
        intros E. case E. apply join_public to _ _ Lev1.
        backchain NEq.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply expr_not_public_no_output to _ _ _ _ _ _ _ _ EvA2 Lev2 _.
      apply append_nil_right to EvA3. search.
     %E-Or-True2
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
     %E-Or-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply level_is to _ _ _ Lev. apply join_is to _ _ Lev1.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
  %E-Not-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Not-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
     %E-Not-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
  %E-Not-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Not-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
     %E-Not-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
  %E-Greater-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Greater-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply append_unique to EvA4 EvB3. search.
     %E-Greater-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply append_unique to EvA4 EvB3. search.
  %E-Greater-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Greater-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply append_unique to EvA4 EvB3. search.
     %E-Greater-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply append_unique to EvA4 EvB3. search.
  %E-Eq-True
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Eq-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply append_unique to EvA3 EvB2. search.
     %E-Eq-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply append_unique to EvA3 EvB3. search.
  %E-Eq-False
   case IsE. Lev: case Lev. EvB: case EvB.
     %E-Eq-True
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply append_unique to EvA4 EvB2. search.
     %E-Eq-False
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply evalExpr_isCtx to _ _ _ EvA1.
      apply evalExpr_isCtx to _ _ _ EvB.
      apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
      apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
      apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
      apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply append_unique to EvA4 EvB3. search.
  %E-String
   case EvB. search.
  %E-AppString
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply append_unique to EvA4 EvB3. search.
  %E-Name
   case EvB. search.
  %E-Call
   case IsE. EvB: case EvB. Lev: case Lev.
     %L-Call-Private
      apply IH_A to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply evalArgs_isValue to _ _ _ EvA2.
      apply evalArgs_isValue to _ _ _ EvB1.
      apply lookup_unique to EvB EvA1. FR: case SFC (keep).
      FS: apply FR to Lev EvA1.
      LAV: apply args_level to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      PE': apply zip_level_arg_vals to LAV EvA3 EvB2 FS.
      apply public_equiv_add_other to PE' _ with
         X = RetVar, VA = RVVal, VB = RVVal, L = private.
      IsFP: apply lookup_is_value_funCtx to _ EvA1. IsF: case IsFP.
      IsF: case IsF1. IsF: case IsF2. apply zip_is to _ _ EvA3.
      apply zip_is to _ _ EvB2. apply levelArgs_is to _ _ _ Lev1.
      apply zip_names_same to _ _ with
         ZA = (RetVar, RVVal)::InitEnv1, ZB = (RetVar, private)::ZP.
      apply zip_names_same to _ _ with
         ZA = (RetVar, RVVal)::InitEnv, ZB = (RetVar, private)::ZP.
      apply zip_is_sec to _ _ _ with Z = (RetVar, private)::ZP.
      apply IH_S to _ _ _ _ _ _ _ _ _ _ _ FS1 EvA4 EvB3.
      apply append_unique to EvA5 EvB4. search.
     %L-Call-Public
      apply IH_A to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      apply evalArgs_isValue to _ _ _ EvA2.
      apply evalArgs_isValue to _ _ _ EvB1.
      apply lookup_unique to EvB EvA1. FR: case SFC (keep).
      FS: apply FR to Lev EvA1.
      LAV: apply args_level to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
      PE': apply zip_level_arg_vals to LAV EvA3 EvB2 FS.
      apply lookupSecFun_is to _ Lev.
      assert public_equiv [(RetVar, L)::ZP] [(RetVar, RVVal)::InitEnv]
                          [(RetVar, RVVal)::InitEnv1].
        Or: apply is_slev_public_or_not to _ with L = L. case Or.
          %public
           apply public_equiv_add_public to PE' with
              X = RetVar, V = RVVal. search.
          %not public
           apply public_equiv_add_other to PE' _ with
              X = RetVar, VA = RVVal, VB = RVVal, L = L. search.
      IsFP: apply lookup_is_value_funCtx to _ EvA1. IsF: case IsFP.
      IsF: case IsF1. IsF: case IsF2. apply zip_is to _ _ EvA3.
      apply zip_is to _ _ EvB2. apply levelArgs_is to _ _ _ Lev1.
      apply zip_names_same to _ _ with
         ZA = (RetVar, RVVal)::InitEnv1, ZB = (RetVar, L)::ZP.
      apply zip_names_same to _ _ with
         ZA = (RetVar, RVVal)::InitEnv, ZB = (RetVar, L)::ZP.
      apply zip_is_sec to _ _ _ with Z = (RetVar, L)::ZP.
      apply IH_S to _ _ _ _ _ _ _ _ _ _ _ FS1 EvA4 EvB3.
      apply append_unique to EvA5 EvB4. search.
  %E-StmtExpr
   case IsE. Lev: case Lev. EvB: case EvB.
   apply names_same_add_scope to NSA.
   apply names_same_add_scope to NSB.
   apply public_equiv_add_scope to PE.
   apply IH_S to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalStmt_isCtx to _ _ _ EvA1.
   apply evalStmt_isCtx to _ _ _ EvB.
   apply secure_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply secure_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply stmt_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply secure_is to _ _ _ Lev.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply append_unique to EvA3 EvB2. search.
  %E-RecBuild
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_RF to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
  %E-RecAccess
   case IsE. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB. search.
  %E-Expr-Q
   Lev: case Lev. apply names_is to _ EvA1.
   apply names_is_sec to _ Lev.
   apply proj_expr_unique to Lev1 EvA2 _ _ _ _ _.
     %mem Names -> mem Names1
      intros M. apply names_same_names to NSA EvA1 Lev M. search.
     %mem Names1 -> mem Names
      intros M. apply names_same_names_back to NSA EvA1 Lev M. search.
   apply proj_expr_is to Lev1 _ _.
   %get a projection and evaluation using B
   NSB-: apply names_same_symmetric to NSB.
   NSAB: apply names_same_transitive to NSA NSB-.
   NamesB: apply names_exists to IsEE_B.
   apply names_is to _ EvA1. apply names_is to _ NamesB.
   PrB: apply proj_expr_other to EvA2 _ _ _ with L' = N.
   apply proj_expr_unique to EvA2 PrB _ _ _ _ _.
     %mem N -> mem Names
      intros M. NSBA: apply names_same_symmetric to NSAB.
      apply names_same_names to NSBA NamesB EvA1 M. search.
     %mem Names -> mem N
      intros M. apply names_same_names to NSAB EvA1 NamesB M. search.
   EvB': apply proj_evalExpr_forward to PrB NamesB _ _ _ EvB.
   %get same output for A
   EvA': apply proj_evalExpr_forward to EvA2 EvA1 _ _ _ EvA.
   apply evalExpr_unique to _ _ _ EvA' EvA3.
   %use IH to get same output for projections
   apply proj_expr_is to PrB _ _.
   PE_Pr: apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev2 EvA3 EvB'. search.
 %args_secure_output
  %EA-Nil
   case EvB. search.
  %EA-Cons
   case IsA. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_A to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply append_unique to EvA3 EvB2. search.
  %unknown K
   case Lev.
 %recFields_secure_output
  %ERF-Nil
   case EvB. search.
  %ERF-Cons
   case IsRF. Lev: case Lev. EvB: case EvB.
   apply IH_E to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply evalExpr_isCtx to _ _ _ EvA1.
   apply evalExpr_isCtx to _ _ _ EvB.
   apply level_eval_names_same to _ _ _ _ _ _ EvA1 Lev.
   apply level_eval_names_same to _ _ _ _ _ _ EvB Lev.
   apply expr_secure to _ _ _ _ _ _ _ _ _ _ _ Lev EvA1 EvB.
   apply IH_RF to _ _ _ _ _ _ _ _ _ _ _ Lev1 EvA2 EvB1.
   apply append_unique to EvA3 EvB2. search.
  %unknown K
   case Lev.




/********************************************************************
 Programs do not leak private information
 ********************************************************************/
%--------------------------------------------
% Everything gathered has is relations
%--------------------------------------------
Extensible_Theorem
  paramSec_is : forall P Name L,
    IsP : is_param P ->
    PS : paramSec P Name L ->
    is_string Name /\ is_slev L
  on PS. [Show Proof]

%PS-Param
 case IsP. search.
%PS-SecParam
 case IsP. search.
%PS-Default
 apply proj_param_is to PS1 _. apply IH to _ PS2. search.

Theorem paramSecs_is : forall Ps PSecs,
  is_list is_param Ps -> paramSecs Ps PSecs ->
  is_list (is_pair is_string is_slev) PSecs. [Show Proof]

induction on 2. intros IsPs PS. PS: case PS.
  %PSs-Nil
   search.
  %PSs-Cons
   case IsPs. apply paramSec_is to _ PS. apply IH to _ PS1. search.

Theorem values_is_sec : forall L V,
  is_list (is_pair is_string is_slev) L -> values L V ->
  is_list is_slev V. [Show Proof]

induction on 2. intros IsL V. V: case V.
  %V-Nil
   search.
  %V-Cons
   Is: case IsL. case Is. apply IH to _ V. search.

Extensible_Theorem
  getFunSec_is : forall F Name RetLev PSecs,
    IsF : is_fun F ->
    GFS : getFunSec F Name RetLev PSecs ->
    is_string Name /\ is_slev RetLev /\ is_list is_slev PSecs
  on GFS. [Show Proof]

%GFS-Fun
 case IsF. apply paramSecs_is to _ GFS1.
 apply values_is_sec to _ GFS2. search.
%GFS-SecFun
 case IsF. apply paramSecs_is to _ GFS1.
 apply values_is_sec to _ GFS2. search.
%GFS-Default
 apply proj_fun_is to GFS1 _. apply IH to _ GFS2. search.

Theorem gatherFunSecCtx_is : forall Fs SF,
  is_list is_fun Fs -> gatherFunSecCtx Fs SF ->
  is_list (is_pair is_string (is_pair is_slev (is_list is_slev))) SF. [Show Proof]

induction on 2. intros IsFs GFSC. GFSC: case GFSC.
  %GFSC-Nil
   search.
  %GFSC-Cons
   case IsFs. apply getFunSec_is to _ GFSC. apply IH to _ GFSC1.
   search.

Extensible_Theorem
  program_secure_is : forall P S,
    IsP : is_program P ->
    Sec : programSecure P S ->
    is_list is_slev S
  on Sec. [Show Proof]

%SP-Program
 case IsP. apply getFunSec_is to _ Sec2. search.
%SP-Default
 apply proj_program_is to Sec1 _. apply IH to _ Sec2. search.


%--------------------------------------------
% Everything gathered is unique
%--------------------------------------------
Extensible_Theorem
  paramSec_unique : forall P NameA LA NameB LB,
    IsP : is_param P ->
    PSA : paramSec P NameA LA ->
    PSB : paramSec P NameB LB ->
    NameA = NameB /\ LA = LB
  on PSA. [Show Proof]

%PS-Param
 case PSB. search.
%PS-SecParam
 case PSB. search.
%PS-Default
 PSB: case PSB. apply proj_param_unique to PSB PSA1 _.
 apply proj_param_is to PSA1 _. apply IH to _ PSA2 PSB1. search.

Theorem paramSecs_unique : forall Ps PSecsA PSecsB,
  is_list is_param Ps -> paramSecs Ps PSecsA -> paramSecs Ps PSecsB ->
  PSecsA = PSecsB. [Show Proof]

induction on 2. intros IsPs PSA PSB. PSA: case PSA.
  %PSs-Nil
   case PSB. search.
  %PSs-Cons
   case IsPs. PSB: case PSB. apply paramSec_unique to _ PSA PSB.
   apply IH to _ PSA1 PSB1. search.

Extensible_Theorem
  getFunSec_unique : forall F NA LA PSA NB LB PSB,
    IsF : is_fun F ->
    GFSA : getFunSec F NA LA PSA ->
    GFSB : getFunSec F NB LB PSB ->
    NA = NB /\ LA = LB /\ PSA = PSB
  on GFSA. [Show Proof]

%GFS-Fun
 GFSB: case GFSB. case IsF. apply paramSecs_unique to _ GFSA1 GFSB.
 apply values_unique to GFSB1 GFSA2. search.
%GFS-SecFun
 GFSB: case GFSB. case IsF. apply paramSecs_unique to _ GFSA1 GFSB.
 apply values_unique to GFSB1 GFSA2. search.
%GFS-Default
 GFSB: case GFSB. apply proj_fun_unique to GFSB GFSA1 _.
 apply proj_fun_is to GFSA1 _. apply IH to _ GFSA2 GFSB1. search.

Theorem gatherFunSecCtx_unique : forall Fs SFA SFB,
  is_list is_fun Fs -> gatherFunSecCtx Fs SFA ->
  gatherFunSecCtx Fs SFB -> SFA = SFB. [Show Proof]

induction on 2. intros IsFs GA GB. GA: case GA.
  %GFSC-Nil
   case GB. search.
  %GFSC-Cons
   GB: case GB. case IsFs. apply getFunSec_unique to _ GA GB.
   apply IH to _ GA1 GB1. search.

Extensible_Theorem
  program_secure_unique : forall P A B,
    IsP : is_program P ->
    SecA : programSecure P A ->
    SecB : programSecure P B ->
    A = B
  on SecA. [Show Proof]

%SP-Program
 SecB: case SecB. case IsP. apply getFunSec_unique to _ SecA2 SecB1.
 search.
%SP-Default
 SecB: case SecB. apply proj_program_unique to SecB SecA1 _.
 apply proj_program_is to SecA1 _. apply IH to _ SecA2 SecB1. search.


%--------------------------------------------
% Gathered security and eval info are related
%--------------------------------------------
Extensible_Theorem
  paramName_paramSec : forall P N NS L,
    IsP : is_param P ->
    PN : paramName P N ->
    PS : paramSec P NS L ->
    N = NS
  on PS. [Show Proof]

%PS-Param
 case PN. search.
%PS-SecParam
 case PN. search.
%PS-Default
 PN': apply proj_paramName_forward to PS1 _ PN.
 apply proj_param_is to PS1 _. apply IH to _ PN' PS2. search.

Theorem paramNames_paramSecs : forall Ps PNs PSecs,
  is_list is_param Ps -> paramNames Ps PNs -> paramSecs Ps PSecs ->
  domain PSecs PNs. [Show Proof]

induction on 3. intros IsPs PNs PSecs. PSecs: case PSecs.
  %PSs-Nil
   case PNs. search.
  %PSs-Cons
   case IsPs. PNs: case PNs. apply paramName_paramSec to _ PNs PSecs.
   apply IH to _ PNs1 PSecs1. search.

Theorem domain_values_zip[A, B] : forall (L : list (pair A B)) D V,
  domain L D -> values L V -> zip D V L. [Show Proof]

induction on 1. intros D V. D: case D.
  %Dmn-Nil
   case V. search.
  %Dmn-Cons
   V: case V. apply IH to D V. search.

Extensible_Theorem
  getFun_sec :
    forall F FName RetVar RVVal PNames Body SName RetLev PSecs SF,
      IsF : is_fun F ->
      GFEI : getFunEvalInfo F FName RetVar RVVal PNames Body ->
      GFS : getFunSec F SName RetLev PSecs ->
      FS : funSecure SF F ->
      exists ZP SG, FName = SName /\
                    zip PNames PSecs ZP /\
                    secure SF [(RetVar, RetLev)::ZP] RetLev Body SG
  on GFS. [Show Proof]

%GFS-Fun
 case IsF. GFEI: case GFEI. FS: case FS.
 Dmn: apply paramNames_paramSecs to _ GFEI FS.
 Z: apply domain_values_zip to Dmn FS3.
 apply paramSecs_unique to _ FS GFS1. apply values_unique to FS3 GFS2.
 search.
%GFS-SecFun
 case IsF. GFEI: case GFEI. FS: case FS.
 Dmn: apply paramNames_paramSecs to _ GFEI FS.
 Z: apply domain_values_zip to Dmn FS3.
 apply paramSecs_unique to _ FS GFS1. apply values_unique to FS3 GFS2.
 search.
%GFS-Default
 GFEI': apply proj_getFunEvalInfo_forward to GFS1 _ GFEI.
 apply proj_fun_is to GFS1 _. FS: case FS.
 apply proj_fun_unique to FS GFS1 _. apply IH to _ GFEI' GFS2 FS1.
 search.

%can't do secFunCtxs directly due to need to use SF_Full,
%   but this lets us build it
Theorem gatherCtxs_secFunCtxs :
  forall Fs SF FE SF_Full FName RetLev PSecs RetVar RVVal PNames Body,
    is_list is_fun Fs -> gatherFunSecCtx Fs SF ->
    getFunEvalCtx Fs FE -> funsSecure SF_Full Fs ->
    lookup SF FName (RetLev, PSecs) ->
    lookup FE FName (RetVar, RVVal, PNames, Body) ->
    exists ZP SG, zip PNames PSecs ZP /\
       secure SF_Full [(RetVar, RetLev)::ZP] RetLev Body SG. [Show Proof]

induction on 5. intros IsFs GFSC GFEC FS LS LE. LS: case LS.
  %Lkp-Here
   GFSC: case GFSC. GFEC: case GFEC. FS: case FS. case IsFs.
   apply getFun_sec to _ GFEC GFSC FS. LE: case LE.
     %Lkp-Here
      search.
     %Lkp-Later
      apply LE to _.
  %Lkp-Later
   GFSC: case GFSC. GFEC: case GFEC. FS: case FS. case IsFs.
   apply getFun_sec to _ GFEC GFSC FS. LE: case LE.
     %Lkp-Here
      apply LS to _.
     %Lkp-Later
      apply IH to _ GFSC1 GFEC1 FS1 LS1 LE1. search.


%--------------------------------------------
% Secure programs do not leak in output
%--------------------------------------------
Extensible_Theorem
  program_secure : forall P A_S A_A A_B O_A O_B,
    IsP : is_program P ->
    IsA_A : is_list is_value A_A ->
    IsA_B : is_list is_value A_B ->
    Sec : programSecure P A_S ->
    %different sets of arguments to main have the same public args,
    %   but may differ in private args
    Rel : level_arg_vals A_S A_A A_B ->
    EvA : evalProgram A_A P O_A ->
    EvB : evalProgram A_B P O_B ->
    O_A = O_B
  on Sec. [Show Proof]

%SP-Program
 case IsP. EvA: case EvA. EvB: case EvB.
 apply getFunEvalCtx_unique to _ EvB EvA.
 apply getFunEvalInfo_unique to _ EvB1 EvA1.
 apply gatherFunSecCtx_is to _ Sec1. apply getFunSec_is to _ Sec2.
 MainS: apply getFun_sec to _ EvA1 Sec2 Sec4.
 assert secFunCtxs ((Name, (RetLev, A_S))::SF)
          ((Name, (RetVar, RetVal, PNames, Body))::FCtx).
   unfold. intros LS LE. LS: case LS.
     %Lkp-Here
      LE: case LE.
        %Lkp-Here
         search.
        %Lkp-Later
         apply LE to _.
     %Lkp-Later
      LE: case LE.
        %Lkp-Here
         apply LS to _.
        %Lkp-Later
         apply gatherCtxs_secFunCtxs to _ Sec1 EvA Sec3 LS1 LE1.
         search.
 ZA: assert zip (RetVar::PNames) (RetVal::A_A)
                ((RetVar, RetVal)::InitEnv).
 ZB: assert zip (RetVar::PNames) (RetVal::A_B)
                ((RetVar, RetVal)::InitEnv1).
 ZM: assert zip (RetVar::PNames) (RetLev::A_S)
                ((RetVar, RetLev)::ZP).
 assert level_arg_vals (RetLev::A_S) (RetVal::A_A) (RetVal::A_B).
   Or: apply is_slev_public_or_not to _ with L = RetLev. case Or.
   search. search.
 PE: apply zip_level_arg_vals to _ ZA ZB ZM.
 apply zip_names_same to ZA ZM. apply zip_names_same to ZB ZM.
 apply getFunEvalInfo_is to _ EvA1. apply getFunSec_is to _ Sec2.
 apply zip_is to _ _ ZA. apply zip_is to _ _ ZB.
 apply zip_is_sec to _ _ ZM. apply getFunEvalCtx_is to _ EvA.
 apply secure_output to _ _ _ _ _ _ _ _ _ _ _ MainS1 EvA3 EvB3.
 search.
%SP-Default
 EvA': apply proj_evalProgram_forward to Sec1 _ _ EvA.
 EvB': apply proj_evalProgram_forward to Sec1 _ _ EvB.
 apply proj_program_is to Sec1 _. apply IH to _ _ _ Sec2 _ EvA' EvB'.
 search.


/*
  We frame program security as having the same output if the public
  arguments to main are the same.  The concept of non-public arguments
  to main sounds a bit strange; isn't the user, the person from whom
  we are hiding private information, giving all the arguments?  We can
  think of private arguments as standing in for the contents of files
  and such, so a private argument might be an encryption key for the
  program read from the file.  Therefore it does make sense to have
  non-public arguments to main.
*/

/*
  The security extension as written isn't very useful.  Suppose we
  want to write a password checker, a good use for information flow
  security, using it.  We take the true password and a user's attempt
  as arguments to main, compare them, and find we cannot output
  whether they matched because the true password is private, and thus
  the result of comparing them is also private and cannot be printed.

  A "real" version of this extension, intended to be used for writing
  real programs, would need a declassify construct to lower
  information to a public level.  Such a construct is unsound for
  security, which is why we don't include it here where we are
  concerned with proving soundness, not writing actual programs.
  However, it allows a programmer to decide explicitly what private
  information may escape and in what circumstances, so it is
  effectively good enough.  For example, telling the user the
  passwords matched or didn't leaks a little bit of information to the
  user about the true password, but the programmer decides this is
  still secure enough and necessary for the job the program is doing.
*/