< Module library:security.
< Prove_Constraint library:host:proj_e_unique.
Proof completed.
< Prove_Constraint library:host:proj_e_is.
Proof completed.
< Prove_Constraint library:host:proj_s_unique.
Variables: S2 E Ty N Sl
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp1 : |{s}- secdecl N Ty Sl E ~~> S2
============================
decl N Ty E = S2
< case Hyp1.
Variables: E Ty N Sl
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
============================
decl N Ty E = decl N Ty E
< search.
Proof completed.
< Prove_Constraint library:host:proj_s_is.
Variables: E Ty N Sl
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp1 : is_s (secdecl N Ty Sl E)
============================
is_s (decl N Ty E)
< case Hyp1.
Variables: E Ty N Sl
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
H1 : is_string N
H2 : is_ty Ty
H3 : is_sl Sl
H4 : is_e E
============================
is_s (decl N Ty E)
< search.
Proof completed.
< Prove_Constraint library:host:proj_ty_unique.
Proof completed.
< Prove_Constraint library:host:proj_ty_is.
Proof completed.
< Add_Proj_Rel library:host:is_e.
Proof completed.
< Prove_Ext_Ind library:host:is_e.
Warning: No definition of Ext Size for all relations in Ext Ind; defaulting to proving Ext Ind without Ext Size
Proof completed.
< Prove library:host:is_e_var_or_not.
Proof completed.
< Prove library:host:is_e_intlit_or_not.
Proof completed.
< Prove library:host:is_e_trueE_or_not.
Proof completed.
< Prove library:host:is_e_falseE_or_not.
Proof completed.
< Prove library:host:is_e_add_or_not.
Proof completed.
< Prove library:host:is_e_eqC_or_not.
Proof completed.
< Prove library:host:is_e_gt_or_not.
Proof completed.
< Prove library:host:is_e_not_or_not.
Proof completed.
< Prove library:host:is_e_eq_or_not.
Proof completed.
< Prove library:host:vars_unique.
Proof completed.
< Prove_Constraint library:host:proj_e_vars_exist.
Proof completed.
< Prove_Constraint library:host:proj_e_vars.
Proof completed.
< Prove library:host:vars_is.
Proof completed.
< Prove library:host:vars_exist.
Proof completed.
< Prove library:host:value_empty_typable.
Proof completed.
< Prove library:host:eval_e_is.
Proof completed.
< Prove library:host:type_preservation_e.
Proof completed.
< Prove library:host:var_types_maintained.
Subgoal 7:
Variables: G X Ty Ty1 N E Sl
IH : forall G S G' X Ty, ty_s G S G' * -> lookup G X Ty -> lookup G' X Ty
Ty : ty_s G (secdecl N Ty1 Sl E) ((N, Ty1)::G) @
Lkp : lookup G X Ty
Ty1 : ty_e G E Ty1
Ty2 : no_lookup G N
============================
lookup ((N, Ty1)::G) X Ty
< assert N = X -> false.
Subgoal 7.1:
Variables: G X Ty Ty1 N E Sl
IH : forall G S G' X Ty, ty_s G S G' * -> lookup G X Ty -> lookup G' X Ty
Ty : ty_s G (secdecl N Ty1 Sl E) ((N, Ty1)::G) @
Lkp : lookup G X Ty
Ty1 : ty_e G E Ty1
Ty2 : no_lookup G N
============================
N = X -> false
< intros E.
Subgoal 7.1:
Variables: G X Ty Ty1 N E Sl
IH : forall G S G' X Ty, ty_s G S G' * -> lookup G X Ty -> lookup G' X Ty
Ty : ty_s G (secdecl N Ty1 Sl E) ((N, Ty1)::G) @
Lkp : lookup G X Ty
Ty1 : ty_e G E Ty1
Ty2 : no_lookup G N
E : N = X
============================
false
< case E.
Subgoal 7.1:
Variables: G X Ty Ty1 E Sl
IH : forall G S G' X Ty, ty_s G S G' * -> lookup G X Ty -> lookup G' X Ty
Ty : ty_s G (secdecl X Ty1 Sl E) ((X, Ty1)::G) @
Lkp : lookup G X Ty
Ty1 : ty_e G E Ty1
Ty2 : no_lookup G X
============================
false
< apply no_lookup to Ty2 Lkp.
Subgoal 7:
Variables: G X Ty Ty1 N E Sl
IH : forall G S G' X Ty, ty_s G S G' * -> lookup G X Ty -> lookup G' X Ty
Ty : ty_s G (secdecl N Ty1 Sl E) ((N, Ty1)::G) @
Lkp : lookup G X Ty
Ty1 : ty_e G E Ty1
Ty2 : no_lookup G N
H1 : N = X -> false
============================
lookup ((N, Ty1)::G) X Ty
< search.
Proof completed.
< Prove library:host:type_preservation_s.
Subgoal 9:
Variables: TG EG TG' X Ty V V1 N E Sl Ty1
IH : forall TG EG S TG' EG' X Ty V,
ty_s TG S TG' -> eval_s EG S EG' * -> (forall X1 Ty1 V1,
lookup TG X1 Ty1 -> lookup EG X1 V1 -> ty_e [] V1 Ty1) -> lookup TG' X Ty ->
lookup EG' X V -> ty_e [] V Ty
Ty : ty_s TG (secdecl N Ty1 Sl E) TG'
Ev : eval_s EG (secdecl N Ty1 Sl E) ((N, V1)::EG) @
Rel : forall X Ty V, lookup TG X Ty -> lookup EG X V -> ty_e [] V Ty
LkpTy : lookup TG' X Ty
LkpV : lookup ((N, V1)::EG) X V
Ev1 : eval_e EG E V1
============================
ty_e [] V Ty
< Ty: case Ty.
Subgoal 9:
Variables: TG EG X Ty V V1 N E Sl Ty1
IH : forall TG EG S TG' EG' X Ty V,
ty_s TG S TG' -> eval_s EG S EG' * -> (forall X1 Ty1 V1,
lookup TG X1 Ty1 -> lookup EG X1 V1 -> ty_e [] V1 Ty1) -> lookup TG' X Ty ->
lookup EG' X V -> ty_e [] V Ty
Ev : eval_s EG (secdecl N Ty1 Sl E) ((N, V1)::EG) @
Rel : forall X Ty V, lookup TG X Ty -> lookup EG X V -> ty_e [] V Ty
LkpTy : lookup ((N, Ty1)::TG) X Ty
LkpV : lookup ((N, V1)::EG) X V
Ev1 : eval_e EG E V1
Ty : ty_e TG E Ty1
Ty1 : no_lookup TG N
============================
ty_e [] V Ty
< apply type_preservation_e to Ty Ev1 Rel.
Subgoal 9:
Variables: TG EG X Ty V V1 N E Sl Ty1
IH : forall TG EG S TG' EG' X Ty V,
ty_s TG S TG' -> eval_s EG S EG' * -> (forall X1 Ty1 V1,
lookup TG X1 Ty1 -> lookup EG X1 V1 -> ty_e [] V1 Ty1) -> lookup TG' X Ty ->
lookup EG' X V -> ty_e [] V Ty
Ev : eval_s EG (secdecl N Ty1 Sl E) ((N, V1)::EG) @
Rel : forall X Ty V, lookup TG X Ty -> lookup EG X V -> ty_e [] V Ty
LkpTy : lookup ((N, Ty1)::TG) X Ty
LkpV : lookup ((N, V1)::EG) X V
Ev1 : eval_e EG E V1
Ty : ty_e TG E Ty1
Ty1 : no_lookup TG N
H1 : ty_e [] V1 Ty1
============================
ty_e [] V Ty
< LT: case LkpTy.
Subgoal 9.1:
Variables: TG EG X Ty V V1 E Sl
IH : forall TG EG S TG' EG' X Ty V,
ty_s TG S TG' -> eval_s EG S EG' * -> (forall X1 Ty1 V1,
lookup TG X1 Ty1 -> lookup EG X1 V1 -> ty_e [] V1 Ty1) -> lookup TG' X Ty ->
lookup EG' X V -> ty_e [] V Ty
Ev : eval_s EG (secdecl X Ty Sl E) ((X, V1)::EG) @
Rel : forall X Ty V, lookup TG X Ty -> lookup EG X V -> ty_e [] V Ty
LkpV : lookup ((X, V1)::EG) X V
Ev1 : eval_e EG E V1
Ty : ty_e TG E Ty
Ty1 : no_lookup TG X
H1 : ty_e [] V1 Ty
============================
ty_e [] V Ty
< LV: case LkpV.
Subgoal 9.1.1:
Variables: TG EG X Ty V E Sl
IH : forall TG EG S TG' EG' X Ty V,
ty_s TG S TG' -> eval_s EG S EG' * -> (forall X1 Ty1 V1,
lookup TG X1 Ty1 -> lookup EG X1 V1 -> ty_e [] V1 Ty1) -> lookup TG' X Ty ->
lookup EG' X V -> ty_e [] V Ty
Ev : eval_s EG (secdecl X Ty Sl E) ((X, V)::EG) @
Rel : forall X Ty V, lookup TG X Ty -> lookup EG X V -> ty_e [] V Ty
Ev1 : eval_e EG E V
Ty : ty_e TG E Ty
Ty1 : no_lookup TG X
H1 : ty_e [] V Ty
============================
ty_e [] V Ty
< search.
Subgoal 9.1.2:
Variables: TG EG X Ty V V1 E Sl
IH : forall TG EG S TG' EG' X Ty V,
ty_s TG S TG' -> eval_s EG S EG' * -> (forall X1 Ty1 V1,
lookup TG X1 Ty1 -> lookup EG X1 V1 -> ty_e [] V1 Ty1) -> lookup TG' X Ty ->
lookup EG' X V -> ty_e [] V Ty
Ev : eval_s EG (secdecl X Ty Sl E) ((X, V1)::EG) @
Rel : forall X Ty V, lookup TG X Ty -> lookup EG X V -> ty_e [] V Ty
Ev1 : eval_e EG E V1
Ty : ty_e TG E Ty
Ty1 : no_lookup TG X
H1 : ty_e [] V1 Ty
LV : X = X -> false
LV1 : lookup EG X V
============================
ty_e [] V Ty
< apply LV to _.
Subgoal 9.2:
Variables: TG EG X Ty V V1 N E Sl Ty1
IH : forall TG EG S TG' EG' X Ty V,
ty_s TG S TG' -> eval_s EG S EG' * -> (forall X1 Ty1 V1,
lookup TG X1 Ty1 -> lookup EG X1 V1 -> ty_e [] V1 Ty1) -> lookup TG' X Ty ->
lookup EG' X V -> ty_e [] V Ty
Ev : eval_s EG (secdecl N Ty1 Sl E) ((N, V1)::EG) @
Rel : forall X Ty V, lookup TG X Ty -> lookup EG X V -> ty_e [] V Ty
LkpV : lookup ((N, V1)::EG) X V
Ev1 : eval_e EG E V1
Ty : ty_e TG E Ty1
Ty1 : no_lookup TG N
H1 : ty_e [] V1 Ty1
LT : N = X -> false
LT1 : lookup TG X Ty
============================
ty_e [] V Ty
< LV: case LkpV.
Subgoal 9.2.1:
Variables: TG EG X Ty V E Sl Ty1
IH : forall TG EG S TG' EG' X Ty V,
ty_s TG S TG' -> eval_s EG S EG' * -> (forall X1 Ty1 V1,
lookup TG X1 Ty1 -> lookup EG X1 V1 -> ty_e [] V1 Ty1) -> lookup TG' X Ty ->
lookup EG' X V -> ty_e [] V Ty
Ev : eval_s EG (secdecl X Ty1 Sl E) ((X, V)::EG) @
Rel : forall X Ty V, lookup TG X Ty -> lookup EG X V -> ty_e [] V Ty
Ev1 : eval_e EG E V
Ty : ty_e TG E Ty1
Ty1 : no_lookup TG X
H1 : ty_e [] V Ty1
LT : X = X -> false
LT1 : lookup TG X Ty
============================
ty_e [] V Ty
< apply LT to _.
Subgoal 9.2.2:
Variables: TG EG X Ty V V1 N E Sl Ty1
IH : forall TG EG S TG' EG' X Ty V,
ty_s TG S TG' -> eval_s EG S EG' * -> (forall X1 Ty1 V1,
lookup TG X1 Ty1 -> lookup EG X1 V1 -> ty_e [] V1 Ty1) -> lookup TG' X Ty ->
lookup EG' X V -> ty_e [] V Ty
Ev : eval_s EG (secdecl N Ty1 Sl E) ((N, V1)::EG) @
Rel : forall X Ty V, lookup TG X Ty -> lookup EG X V -> ty_e [] V Ty
Ev1 : eval_e EG E V1
Ty : ty_e TG E Ty1
Ty1 : no_lookup TG N
H1 : ty_e [] V1 Ty1
LT : N = X -> false
LT1 : lookup TG X Ty
LV : N = X -> false
LV1 : lookup EG X V
============================
ty_e [] V Ty
< backchain Rel.
Proof completed.
< Prove_Constraint library:host:proj_eval_e.
Proof completed.
< Prove library:host:eval_e_unique.
Proof completed.
< Prove_Constraint library:host:proj_s_eval.
Variables: G G2 E Ty N Sl
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp1 : eval_s G (secdecl N Ty Sl E) G2
============================
exists G', eval_s G (decl N Ty E) G'
< case Hyp1.
Variables: G E Ty N Sl V
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
H1 : eval_e G E V
============================
exists G', eval_s G (decl N Ty E) G'
< search.
Proof completed.
< Add_Ext_Size library:host:eval_s.
Proof completed.
< Add_Proj_Rel library:host:eval_s.
Proof completed.
< Prove_Ext_Ind library:host:eval_s.
Subgoal 9:
Variables: G V N1 E Sl Ty
IH : forall N G S G1, <eval_s {ES}> G S G1 N -> acc N * -> <eval_s {P}> G S G1
IH1 : forall N G S G1,
<eval_s {ES}> G S G1 N ** -> acc N @ -> <eval_s {P}> G S G1
R : <eval_s {ES}> G (secdecl N1 Ty Sl E) ((N1, V)::G) 1 @@
Acc : acc 1 @
R1 : eval_e G E V
============================
<eval_s {P}> G (secdecl N1 Ty Sl E) ((N1, V)::G)
< search.
Proof completed.
< Prove_Constraint library:host:proj_s_eval_results.
Variables: G G1 G2 X V E Ty N Sl
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp1 : eval_s G (secdecl N Ty Sl E) G1
Hyp2 : eval_s G (decl N Ty E) G2
Hyp3 : lookup G1 X V
============================
lookup G2 X V
< VS: case Hyp1.
Variables: G G2 X V E Ty N Sl V1
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp2 : eval_s G (decl N Ty E) G2
Hyp3 : lookup ((N, V1)::G) X V
VS : eval_e G E V1
============================
lookup G2 X V
< VD: case Hyp2.
Variables: G X V E Ty N Sl V1 V2
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp3 : lookup ((N, V1)::G) X V
VS : eval_e G E V1
VD : eval_e G E V2
============================
lookup ((N, V2)::G) X V
< apply eval_e_unique to VS VD.
Variables: G X V E Ty N Sl V2
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp3 : lookup ((N, V2)::G) X V
VS : eval_e G E V2
VD : eval_e G E V2
============================
lookup ((N, V2)::G) X V
< search.
Proof completed.
< Prove_Constraint library:host:proj_s_eval_results_back.
Variables: G G1 G2 X V E Ty N Sl
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp1 : eval_s G (secdecl N Ty Sl E) G1
Hyp2 : eval_s G (decl N Ty E) G2
Hyp3 : lookup G2 X V
============================
lookup G1 X V
< VS: case Hyp1.
Variables: G G2 X V E Ty N Sl V1
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp2 : eval_s G (decl N Ty E) G2
Hyp3 : lookup G2 X V
VS : eval_e G E V1
============================
lookup ((N, V1)::G) X V
< VD: case Hyp2.
Variables: G X V E Ty N Sl V1 V2
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp3 : lookup ((N, V2)::G) X V
VS : eval_e G E V1
VD : eval_e G E V2
============================
lookup ((N, V1)::G) X V
< apply eval_e_unique to VS VD.
Variables: G X V E Ty N Sl V2
Hyp : |{s}- secdecl N Ty Sl E ~~> decl N Ty E
Hyp3 : lookup ((N, V2)::G) X V
VS : eval_e G E V2
VD : eval_e G E V2
============================
lookup ((N, V2)::G) X V
< search.
Proof completed.
< Prove library:host:eval_e_value.
Proof completed.
< Prove library:host:eval_s_value.
Subgoal 9:
Variables: G Y YV V N E Sl Ty
IH : forall G S G' Y YV,
eval_s G S G' * -> (forall X XV, mem (X, XV) G -> value XV) -> mem (Y, YV) G' ->
value YV
Ev : eval_s G (secdecl N Ty Sl E) ((N, V)::G) @
AllVal : forall X XV, mem (X, XV) G -> value XV
Mem : mem (Y, YV) ((N, V)::G)
Ev1 : eval_e G E V
============================
value YV
< apply eval_e_value to Ev1 _.
Subgoal 9:
Variables: G Y YV V N E Sl Ty
IH : forall G S G' Y YV,
eval_s G S G' * -> (forall X XV, mem (X, XV) G -> value XV) -> mem (Y, YV) G' ->
value YV
Ev : eval_s G (secdecl N Ty Sl E) ((N, V)::G) @
AllVal : forall X XV, mem (X, XV) G -> value XV
Mem : mem (Y, YV) ((N, V)::G)
Ev1 : eval_e G E V
H1 : value V
============================
value YV
< case Mem.
Subgoal 9.1:
Variables: G V N E Sl Ty
IH : forall G S G' Y YV,
eval_s G S G' * -> (forall X XV, mem (X, XV) G -> value XV) -> mem (Y, YV) G' ->
value YV
Ev : eval_s G (secdecl N Ty Sl E) ((N, V)::G) @
AllVal : forall X XV, mem (X, XV) G -> value XV
Ev1 : eval_e G E V
H1 : value V
============================
value V
< search.
Subgoal 9.2:
Variables: G Y YV V N E Sl Ty
IH : forall G S G' Y YV,
eval_s G S G' * -> (forall X XV, mem (X, XV) G -> value XV) -> mem (Y, YV) G' ->
value YV
Ev : eval_s G (secdecl N Ty Sl E) ((N, V)::G) @
AllVal : forall X XV, mem (X, XV) G -> value XV
Ev1 : eval_e G E V
H1 : value V
H2 : mem (Y, YV) G
============================
value YV
< backchain AllVal.
Proof completed.
< Prove library:host:vars_eval_same_result.
Proof completed.
< Extensible_Theorem
sl_form : forall SL,
Is : is_sl SL ->
SL = public \/
SL = private
on Is.
Subgoal 1:
IH : forall SL, is_sl SL * -> SL = public \/ SL = private
Is : is_sl public @
============================
public = public \/ public = private
< search.
Subgoal 2:
IH : forall SL, is_sl SL * -> SL = public \/ SL = private
Is : is_sl private @
============================
private = public \/ private = private
< search.
Proof completed.
< Theorem join_unique :
forall A B S1 S2, join A B S1 -> join A B S2 -> S1 = S2.
============================
forall A B S1 S2, join A B S1 -> join A B S2 -> S1 = S2
< intros J1 J2.
Variables: A B S1 S2
J1 : join A B S1
J2 : join A B S2
============================
S1 = S2
< case J1.
Subgoal 1:
Variables: S2
J2 : join public public S2
============================
public = S2
< case J2.
Subgoal 1:
============================
public = public
< search.
Subgoal 2:
Variables: B S2
J2 : join private B S2
============================
private = S2
< case J2.
Subgoal 2.1:
Variables: B
============================
private = private
< search.
Subgoal 2.2:
============================
private = private
< search.
Subgoal 3:
Variables: A S2
J2 : join A private S2
============================
private = S2
< case J2.
Subgoal 3.1:
============================
private = private
< search.
Subgoal 3.2:
Variables: A
============================
private = private
< search.
Proof completed.
< Theorem join_public :
forall A B, join A B public -> A = public /\ B = public.
============================
forall A B, join A B public -> A = public /\ B = public
< intros J.
Variables: A B
J : join A B public
============================
A = public /\ B = public
< case J.
============================
public = public /\ public = public
< search.
Proof completed.
< Extensible_Theorem
level_public_vars : forall SG E V X,
Lev : level SG E public ->
Vars : vars E V ->
Mem : mem X V ->
lookup SG X public
on Lev.
Subgoal 1:
Variables: SG V X I
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (intlit I) public @
Vars : vars (intlit I) V
Mem : mem X V
============================
lookup SG X public
< case Vars.
Subgoal 1:
Variables: SG X I
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (intlit I) public @
Mem : mem X []
============================
lookup SG X public
< case Mem.
Subgoal 2:
Variables: SG V X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG trueE public @
Vars : vars trueE V
Mem : mem X V
============================
lookup SG X public
< case Vars.
Subgoal 2:
Variables: SG X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG trueE public @
Mem : mem X []
============================
lookup SG X public
< case Mem.
Subgoal 3:
Variables: SG V X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG falseE public @
Vars : vars falseE V
Mem : mem X V
============================
lookup SG X public
< case Vars.
Subgoal 3:
Variables: SG X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG falseE public @
Mem : mem X []
============================
lookup SG X public
< case Mem.
Subgoal 4:
Variables: SG V X N
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (var N) public @
Vars : vars (var N) V
Mem : mem X V
Lev1 : lookup SG N public
============================
lookup SG X public
< case Vars.
Subgoal 4:
Variables: SG X N
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (var N) public @
Mem : mem X [N]
Lev1 : lookup SG N public
============================
lookup SG X public
< M: case Mem.
Subgoal 4.1:
Variables: SG N
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (var N) public @
Lev1 : lookup SG N public
============================
lookup SG N public
< search.
Subgoal 4.2:
Variables: SG X N
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (var N) public @
Lev1 : lookup SG N public
M : mem X []
============================
lookup SG X public
< case M.
Subgoal 5:
Variables: SG V X L1 L2 E2 E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (add E1 E2) public @
Vars : vars (add E1 E2) V
Mem : mem X V
Lev1 : level SG E1 L1 *
Lev2 : level SG E2 L2 *
Lev3 : join L1 L2 public
============================
lookup SG X public
< V: case Vars.
Subgoal 5:
Variables: SG V X L1 L2 E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (add E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 L1 *
Lev2 : level SG E2 L2 *
Lev3 : join L1 L2 public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
============================
lookup SG X public
< apply join_public to Lev3.
Subgoal 5:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (add E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
============================
lookup SG X public
< Or: apply mem_append to Mem V2.
Subgoal 5:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (add E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
Or : mem X Vr1 \/ mem X Vr2
============================
lookup SG X public
< M: case Or.
Subgoal 5.1:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (add E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr1
============================
lookup SG X public
< apply IH to Lev1 V M.
Subgoal 5.1:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (add E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr1
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 5.2:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (add E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr2
============================
lookup SG X public
< apply IH to Lev2 V1 M.
Subgoal 5.2:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (add E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr2
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 6:
Variables: SG V X L1 L2 E2 E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Vars : vars (eq E1 E2) V
Mem : mem X V
Lev1 : level SG E1 L1 *
Lev2 : level SG E2 L2 *
Lev3 : join L1 L2 public
============================
lookup SG X public
< V: case Vars.
Subgoal 6:
Variables: SG V X L1 L2 E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 L1 *
Lev2 : level SG E2 L2 *
Lev3 : join L1 L2 public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
============================
lookup SG X public
< apply join_public to Lev3.
Subgoal 6:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
============================
lookup SG X public
< Or: apply mem_append to Mem V2.
Subgoal 6:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
Or : mem X Vr1 \/ mem X Vr2
============================
lookup SG X public
< M: case Or.
Subgoal 6.1:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr1
============================
lookup SG X public
< apply IH to Lev1 V M.
Subgoal 6.1:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr1
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 6.2:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr2
============================
lookup SG X public
< apply IH to Lev2 V1 M.
Subgoal 6.2:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr2
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 7:
Variables: SG V X L1 L2 E2 E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (gt E1 E2) public @
Vars : vars (gt E1 E2) V
Mem : mem X V
Lev1 : level SG E1 L1 *
Lev2 : level SG E2 L2 *
Lev3 : join L1 L2 public
============================
lookup SG X public
< V: case Vars.
Subgoal 7:
Variables: SG V X L1 L2 E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (gt E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 L1 *
Lev2 : level SG E2 L2 *
Lev3 : join L1 L2 public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
============================
lookup SG X public
< apply join_public to Lev3.
Subgoal 7:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (gt E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
============================
lookup SG X public
< Or: apply mem_append to Mem V2.
Subgoal 7:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (gt E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
Or : mem X Vr1 \/ mem X Vr2
============================
lookup SG X public
< M: case Or.
Subgoal 7.1:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (gt E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr1
============================
lookup SG X public
< apply IH to Lev1 V M.
Subgoal 7.1:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (gt E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr1
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 7.2:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (gt E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr2
============================
lookup SG X public
< apply IH to Lev2 V1 M.
Subgoal 7.2:
Variables: SG V X E2 E1 Vr1 Vr2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (gt E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
V : vars E1 Vr1
V1 : vars E2 Vr2
V2 : Vr1 ++ Vr2 = V
M : mem X Vr2
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 8:
Variables: SG V X E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (not E1) public @
Vars : vars (not E1) V
Mem : mem X V
Lev1 : level SG E1 public *
============================
lookup SG X public
< V: case Vars.
Subgoal 8:
Variables: SG V X E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (not E1) public @
Mem : mem X V
Lev1 : level SG E1 public *
V : vars E1 V
============================
lookup SG X public
< apply IH to Lev1 V Mem.
Subgoal 8:
Variables: SG V X E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG (not E1) public @
Mem : mem X V
Lev1 : level SG E1 public *
V : vars E1 V
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 9:
Variables: SG V X E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG <unknown I e> public @
Vars : vars <unknown I e> V
Mem : mem X V
Lev1 : |{e}- <unknown I e> ~~> E1
Lev2 : level SG E1 public *
============================
lookup SG X public
< V: apply proj_e_vars_exist to Lev1 Vars.
Subgoal 9:
Variables: SG V X E1 V'
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG <unknown I e> public @
Vars : vars <unknown I e> V
Mem : mem X V
Lev1 : |{e}- <unknown I e> ~~> E1
Lev2 : level SG E1 public *
V : vars E1 V'
============================
lookup SG X public
< M: apply proj_e_vars to Lev1 Vars V Mem.
Subgoal 9:
Variables: SG V X E1 V'
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG <unknown I e> public @
Vars : vars <unknown I e> V
Mem : mem X V
Lev1 : |{e}- <unknown I e> ~~> E1
Lev2 : level SG E1 public *
V : vars E1 V'
M : mem X V'
============================
lookup SG X public
< apply IH to Lev2 V M.
Subgoal 9:
Variables: SG V X E1 V'
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
Lev : level SG <unknown I e> public @
Vars : vars <unknown I e> V
Mem : mem X V
Lev1 : |{e}- <unknown I e> ~~> E1
Lev2 : level SG E1 public *
V : vars E1 V'
M : mem X V'
H1 : lookup SG X public
============================
lookup SG X public
< search.
Proof completed.
< Define public_equiv :
(list (pair (string) sl)) ->
(list (pair (string) e)) ->
(list (pair (string) e)) ->
prop by
public_equiv S G1 G2 :=
(forall X V, lookup S X public -> lookup G1 X V -> lookup G2 X V) /\
(forall X V, lookup S X public -> lookup G2 X V -> lookup G1 X V).
< Theorem public_equiv_trans :
forall SG GA GB GC,
public_equiv SG GA GB -> public_equiv SG GB GC -> public_equiv SG GA GC.
============================
forall SG GA GB GC,
public_equiv SG GA GB -> public_equiv SG GB GC -> public_equiv SG GA GC
< intros PEAB PEBC.
Variables: SG GA GB GC
PEAB : public_equiv SG GA GB
PEBC : public_equiv SG GB GC
============================
public_equiv SG GA GC
< PEAB: case PEAB.
Variables: SG GA GB GC
PEBC : public_equiv SG GB GC
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
public_equiv SG GA GC
< PEBC: case PEBC.
Variables: SG GA GB GC
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC1 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
============================
public_equiv SG GA GC
< unfold .
Subgoal 1:
Variables: SG GA GB GC
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC1 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
============================
forall X V, lookup SG X public -> lookup GA X V -> lookup GC X V
< intros LkpSec LkpA.
Subgoal 1:
Variables: SG GA GB GC X V
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC1 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
============================
lookup GC X V
< LkpB: apply PEAB to LkpSec LkpA.
Subgoal 1:
Variables: SG GA GB GC X V
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC1 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
LkpB : lookup GB X V
============================
lookup GC X V
< apply PEBC to LkpSec LkpB.
Subgoal 1:
Variables: SG GA GB GC X V
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC1 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
LkpB : lookup GB X V
H1 : lookup GC X V
============================
lookup GC X V
< search.
Subgoal 2:
Variables: SG GA GB GC
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC1 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
============================
forall X V, lookup SG X public -> lookup GC X V -> lookup GA X V
< intros LkpSec LkpC.
Subgoal 2:
Variables: SG GA GB GC X V
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC1 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpC : lookup GC X V
============================
lookup GA X V
< LkpB: apply PEBC1 to LkpSec LkpC.
Subgoal 2:
Variables: SG GA GB GC X V
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC1 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpC : lookup GC X V
LkpB : lookup GB X V
============================
lookup GA X V
< apply PEAB1 to LkpSec LkpB.
Subgoal 2:
Variables: SG GA GB GC X V
PEAB : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC1 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpC : lookup GC X V
LkpB : lookup GB X V
H1 : lookup GA X V
============================
lookup GA X V
< search.
Proof completed.
< Theorem public_equiv_symm :
forall SG GA GB, public_equiv SG GA GB -> public_equiv SG GB GA.
============================
forall SG GA GB, public_equiv SG GA GB -> public_equiv SG GB GA
< intros Rel.
Variables: SG GA GB
Rel : public_equiv SG GA GB
============================
public_equiv SG GB GA
< Rel: case Rel.
Variables: SG GA GB
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
public_equiv SG GB GA
< unfold .
Subgoal 1:
Variables: SG GA GB
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
< intros LkpSec LkpB.
Subgoal 1:
Variables: SG GA GB X V
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
============================
lookup GA X V
< apply Rel1 to LkpSec LkpB.
Subgoal 1:
Variables: SG GA GB X V
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
H1 : lookup GA X V
============================
lookup GA X V
< search.
Subgoal 2:
Variables: SG GA GB
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
< intros LkpSec LkpA.
Subgoal 2:
Variables: SG GA GB X V
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
============================
lookup GB X V
< apply Rel to LkpSec LkpA.
Subgoal 2:
Variables: SG GA GB X V
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
H1 : lookup GB X V
============================
lookup GB X V
< search.
Proof completed.
< Theorem public_equiv_refl :
forall SG G, public_equiv SG G G.
============================
forall SG G, public_equiv SG G G
< intros.
Variables: SG G
============================
public_equiv SG G G
< unfold .
Subgoal 1:
Variables: SG G
============================
forall X V, lookup SG X public -> lookup G X V -> lookup G X V
< intros.
Subgoal 1:
Variables: SG G X V
H1 : lookup SG X public
H2 : lookup G X V
============================
lookup G X V
< search.
Subgoal 2:
Variables: SG G
============================
forall X V, lookup SG X public -> lookup G X V -> lookup G X V
< intros.
Subgoal 2:
Variables: SG G X V
H1 : lookup SG X public
H2 : lookup G X V
============================
lookup G X V
< search.
Proof completed.
< Theorem level_secure :
forall SG G1 G2 E V1 V2,
is_e E -> level SG E public -> public_equiv SG G1 G2 -> eval_e G1 E V1 ->
eval_e G2 E V2 -> V1 = V2.
============================
forall SG G1 G2 E V1 V2,
is_e E -> level SG E public -> public_equiv SG G1 G2 -> eval_e G1 E V1 -> eval_e G2 E V2 ->
V1 = V2
< intros IsE Lev Equiv Ev1 Ev2.
Variables: SG G1 G2 E V1 V2
IsE : is_e E
Lev : level SG E public
Equiv : public_equiv SG G1 G2
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
============================
V1 = V2
< Vars: apply vars_exist to IsE.
Variables: SG G1 G2 E V1 V2 V
IsE : is_e E
Lev : level SG E public
Equiv : public_equiv SG G1 G2
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
============================
V1 = V2
< Equiv: case Equiv.
Variables: SG G1 G2 E V1 V2 V
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv1 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
============================
V1 = V2
< apply vars_eval_same_result to _ Vars Ev1 Ev2.
Subgoal 1:
Variables: SG G1 G2 E V1 V2 V
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv1 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
============================
forall X U1 U2, mem X V -> lookup G1 X U1 -> lookup G2 X U2 -> U1 = U2
< intros Mem Lkp1 Lkp2.
Subgoal 1:
Variables: SG G1 G2 E V1 V2 V X U1 U2
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv1 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
Mem : mem X V
Lkp1 : lookup G1 X U1
Lkp2 : lookup G2 X U2
============================
U1 = U2
< LkpS: apply level_public_vars to Lev Vars Mem.
Subgoal 1:
Variables: SG G1 G2 E V1 V2 V X U1 U2
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv1 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
Mem : mem X V
Lkp1 : lookup G1 X U1
Lkp2 : lookup G2 X U2
LkpS : lookup SG X public
============================
U1 = U2
< L: apply Equiv to LkpS Lkp1.
Subgoal 1:
Variables: SG G1 G2 E V1 V2 V X U1 U2
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv1 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
Mem : mem X V
Lkp1 : lookup G1 X U1
Lkp2 : lookup G2 X U2
LkpS : lookup SG X public
L : lookup G2 X U1
============================
U1 = U2
< apply lookup_unique to L Lkp2.
Subgoal 1:
Variables: SG G1 G2 E V1 V2 V X U2
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv1 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
Mem : mem X V
Lkp1 : lookup G1 X U2
Lkp2 : lookup G2 X U2
LkpS : lookup SG X public
L : lookup G2 X U2
============================
U2 = U2
< search.
Variables: SG G1 G2 E V2 V
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V2
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv1 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
============================
V2 = V2
< search.
Proof completed.
< Extensible_Theorem
level_unique : forall SG E S1 S2,
LevA : level SG E S1 ->
LevB : level SG E S2 ->
S1 = S2
on LevA.
Subgoal 1:
Variables: SG S2 I
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (intlit I) public @
LevB : level SG (intlit I) S2
============================
public = S2
< case LevB.
Subgoal 1:
Variables: SG I
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (intlit I) public @
============================
public = public
< search.
Subgoal 2:
Variables: SG S2
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG trueE public @
LevB : level SG trueE S2
============================
public = S2
< case LevB.
Subgoal 2:
Variables: SG
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG trueE public @
============================
public = public
< search.
Subgoal 3:
Variables: SG S2
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG falseE public @
LevB : level SG falseE S2
============================
public = S2
< case LevB.
Subgoal 3:
Variables: SG
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG falseE public @
============================
public = public
< search.
Subgoal 4:
Variables: SG S1 S2 N
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (var N) S1 @
LevB : level SG (var N) S2
LevA1 : lookup SG N S1
============================
S1 = S2
< L: case LevB.
Subgoal 4:
Variables: SG S1 S2 N
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (var N) S1 @
LevA1 : lookup SG N S1
L : lookup SG N S2
============================
S1 = S2
< apply lookup_unique to LevA1 L.
Subgoal 4:
Variables: SG S2 N
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (var N) S2 @
LevA1 : lookup SG N S2
L : lookup SG N S2
============================
S2 = S2
< search.
Subgoal 5:
Variables: SG S1 S2 L1 L2 E2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (add E1 E2) S1 @
LevB : level SG (add E1 E2) S2
LevA1 : level SG E1 L1 *
LevA2 : level SG E2 L2 *
LevA3 : join L1 L2 S1
============================
S1 = S2
< L: case LevB.
Subgoal 5:
Variables: SG S1 S2 L1 L2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (add E1 E2) S1 @
LevA1 : level SG E1 L1 *
LevA2 : level SG E2 L2 *
LevA3 : join L1 L2 S1
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S1 = S2
< apply IH to LevA1 L.
Subgoal 5:
Variables: SG S1 S2 L2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (add E1 E2) S1 @
LevA1 : level SG E1 L3 *
LevA2 : level SG E2 L2 *
LevA3 : join L3 L2 S1
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S1 = S2
< apply IH to LevA2 L1.
Subgoal 5:
Variables: SG S1 S2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (add E1 E2) S1 @
LevA1 : level SG E1 L3 *
LevA2 : level SG E2 L4 *
LevA3 : join L3 L4 S1
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S1 = S2
< apply join_unique to LevA3 L2.
Subgoal 5:
Variables: SG S2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (add E1 E2) S2 @
LevA1 : level SG E1 L3 *
LevA2 : level SG E2 L4 *
LevA3 : join L3 L4 S2
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S2 = S2
< search.
Subgoal 6:
Variables: SG S1 S2 L1 L2 E2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (eq E1 E2) S1 @
LevB : level SG (eq E1 E2) S2
LevA1 : level SG E1 L1 *
LevA2 : level SG E2 L2 *
LevA3 : join L1 L2 S1
============================
S1 = S2
< L: case LevB.
Subgoal 6:
Variables: SG S1 S2 L1 L2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (eq E1 E2) S1 @
LevA1 : level SG E1 L1 *
LevA2 : level SG E2 L2 *
LevA3 : join L1 L2 S1
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S1 = S2
< apply IH to LevA1 L.
Subgoal 6:
Variables: SG S1 S2 L2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (eq E1 E2) S1 @
LevA1 : level SG E1 L3 *
LevA2 : level SG E2 L2 *
LevA3 : join L3 L2 S1
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S1 = S2
< apply IH to LevA2 L1.
Subgoal 6:
Variables: SG S1 S2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (eq E1 E2) S1 @
LevA1 : level SG E1 L3 *
LevA2 : level SG E2 L4 *
LevA3 : join L3 L4 S1
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S1 = S2
< apply join_unique to LevA3 L2.
Subgoal 6:
Variables: SG S2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (eq E1 E2) S2 @
LevA1 : level SG E1 L3 *
LevA2 : level SG E2 L4 *
LevA3 : join L3 L4 S2
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S2 = S2
< search.
Subgoal 7:
Variables: SG S1 S2 L1 L2 E2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (gt E1 E2) S1 @
LevB : level SG (gt E1 E2) S2
LevA1 : level SG E1 L1 *
LevA2 : level SG E2 L2 *
LevA3 : join L1 L2 S1
============================
S1 = S2
< L: case LevB.
Subgoal 7:
Variables: SG S1 S2 L1 L2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (gt E1 E2) S1 @
LevA1 : level SG E1 L1 *
LevA2 : level SG E2 L2 *
LevA3 : join L1 L2 S1
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S1 = S2
< apply IH to LevA1 L.
Subgoal 7:
Variables: SG S1 S2 L2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (gt E1 E2) S1 @
LevA1 : level SG E1 L3 *
LevA2 : level SG E2 L2 *
LevA3 : join L3 L2 S1
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S1 = S2
< apply IH to LevA2 L1.
Subgoal 7:
Variables: SG S1 S2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (gt E1 E2) S1 @
LevA1 : level SG E1 L3 *
LevA2 : level SG E2 L4 *
LevA3 : join L3 L4 S1
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S1 = S2
< apply join_unique to LevA3 L2.
Subgoal 7:
Variables: SG S2 E2 E1 L3 L4
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (gt E1 E2) S2 @
LevA1 : level SG E1 L3 *
LevA2 : level SG E2 L4 *
LevA3 : join L3 L4 S2
L : level SG E1 L3
L1 : level SG E2 L4
L2 : join L3 L4 S2
============================
S2 = S2
< search.
Subgoal 8:
Variables: SG S1 S2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (not E1) S1 @
LevB : level SG (not E1) S2
LevA1 : level SG E1 S1 *
============================
S1 = S2
< L: case LevB.
Subgoal 8:
Variables: SG S1 S2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (not E1) S1 @
LevA1 : level SG E1 S1 *
L : level SG E1 S2
============================
S1 = S2
< apply IH to LevA1 L.
Subgoal 8:
Variables: SG S2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG (not E1) S2 @
LevA1 : level SG E1 S2 *
L : level SG E1 S2
============================
S2 = S2
< search.
Subgoal 9:
Variables: SG S1 S2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG <unknown I e> S1 @
LevB : level SG <unknown I e> S2
LevA1 : |{e}- <unknown I e> ~~> E1
LevA2 : level SG E1 S1 *
============================
S1 = S2
< L: case LevB.
Subgoal 9:
Variables: SG S1 S2 E1 E2
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG <unknown I e> S1 @
LevA1 : |{e}- <unknown I e> ~~> E1
LevA2 : level SG E1 S1 *
L : |{e}- <unknown I e> ~~> E2
L1 : level SG E2 S2
============================
S1 = S2
< apply proj_e_unique to LevA1 L.
Subgoal 9:
Variables: SG S1 S2 E2
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG <unknown I e> S1 @
LevA1 : |{e}- <unknown I e> ~~> E2
LevA2 : level SG E2 S1 *
L : |{e}- <unknown I e> ~~> E2
L1 : level SG E2 S2
============================
S1 = S2
< apply IH to LevA2 L1.
Subgoal 9:
Variables: SG S2 E2
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
LevA : level SG <unknown I e> S2 @
LevA1 : |{e}- <unknown I e> ~~> E2
LevA2 : level SG E2 S2 *
L : |{e}- <unknown I e> ~~> E2
L1 : level SG E2 S2
============================
S2 = S2
< search.
Proof completed.
< Theorem level_not_public :
forall SG G1 G2 E V1 V2,
is_e E -> public_equiv SG G1 G2 -> level SG E public -> eval_e G1 E V1 ->
eval_e G2 E V2 -> (V1 = V2 -> false) -> false.
============================
forall SG G1 G2 E V1 V2,
is_e E -> public_equiv SG G1 G2 -> level SG E public -> eval_e G1 E V1 -> eval_e G2 E V2 ->
(V1 = V2 -> false) -> false
< intros Is Equiv Lev Ev1 Ev2 NEq.
Variables: SG G1 G2 E V1 V2
Is : is_e E
Equiv : public_equiv SG G1 G2
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
NEq : V1 = V2 -> false
============================
false
< apply level_secure to Is Lev Equiv Ev1 Ev2.
Variables: SG G1 G2 E V2
Is : is_e E
Equiv : public_equiv SG G1 G2
Lev : level SG E public
Ev1 : eval_e G1 E V2
Ev2 : eval_e G2 E V2
NEq : V2 = V2 -> false
============================
false
< backchain NEq.
Proof completed.
< Extensible_Theorem
stmt_public_branch : forall SG SL SG2 S X,
Sec : secure SG SL S SG2 ->
LkpSec : lookup SG X public ->
lookup SG2 X public
on Sec.
Subgoal 1:
Variables: SL SG2 X
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG2 SL skipS SG2 @
LkpSec : lookup SG2 X public
============================
lookup SG2 X public
< search.
Subgoal 2:
Variables: SG SL SG2 X SG1 S2 S1
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL (seq S1 S2) SG2 @
LkpSec : lookup SG X public
Sec1 : secure SG SL S1 SG1 *
Sec2 : secure SG1 SL S2 SG2 *
============================
lookup SG2 X public
< L: apply IH to Sec1 LkpSec.
Subgoal 2:
Variables: SG SL SG2 X SG1 S2 S1
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL (seq S1 S2) SG2 @
LkpSec : lookup SG X public
Sec1 : secure SG SL S1 SG1 *
Sec2 : secure SG1 SL S2 SG2 *
L : lookup SG1 X public
============================
lookup SG2 X public
< apply IH to Sec2 L.
Subgoal 2:
Variables: SG SL SG2 X SG1 S2 S1
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL (seq S1 S2) SG2 @
LkpSec : lookup SG X public
Sec1 : secure SG SL S1 SG1 *
Sec2 : secure SG1 SL S2 SG2 *
L : lookup SG1 X public
H1 : lookup SG2 X public
============================
lookup SG2 X public
< search.
Subgoal 3:
Variables: SG X N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (decl N Ty E) ((N, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG N
============================
lookup ((N, public)::SG) X public
< assert N = X -> false.
Subgoal 3.1:
Variables: SG X N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (decl N Ty E) ((N, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG N
============================
N = X -> false
< intros E.
Subgoal 3.1:
Variables: SG X N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (decl N Ty E) ((N, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG N
E : N = X
============================
false
< case E.
Subgoal 3.1:
Variables: SG X E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (decl X Ty E) ((X, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG X
============================
false
< apply no_lookup to Sec2 LkpSec.
Subgoal 3:
Variables: SG X N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (decl N Ty E) ((N, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG N
H1 : N = X -> false
============================
lookup ((N, public)::SG) X public
< search.
Subgoal 4:
Variables: SL SG2 X L E N
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG2 SL (assign N E) SG2 @
LkpSec : lookup SG2 X public
Sec1 : level SG2 E L
Sec2 : lookup SG2 N private
============================
lookup SG2 X public
< search.
Subgoal 5:
Variables: SG2 X E N
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG2 public (assign N E) SG2 @
LkpSec : lookup SG2 X public
Sec1 : level SG2 E public
Sec2 : lookup SG2 N public
============================
lookup SG2 X public
< search.
Subgoal 6:
Variables: SL SG2 X L Sl1 SG1 SG3 S2 S1 E
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG2 SL (ifte E S1 S2) SG2 @
LkpSec : lookup SG2 X public
Sec1 : level SG2 E L
Sec2 : join L SL Sl1
Sec3 : secure SG2 Sl1 S1 SG1 *
Sec4 : secure SG2 Sl1 S2 SG3 *
============================
lookup SG2 X public
< search.
Subgoal 7:
Variables: SL SG2 X L Sl1 SG1 S1 E
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG2 SL (while E S1) SG2 @
LkpSec : lookup SG2 X public
Sec1 : level SG2 E L
Sec2 : join L SL Sl1
Sec3 : secure SG2 Sl1 S1 SG1 *
============================
lookup SG2 X public
< search.
Subgoal 8:
Variables: SG SL X L N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL (secdecl N Ty private E) ((N, private)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E L
Sec2 : no_lookup SG N
============================
lookup ((N, private)::SG) X public
< assert N = X -> false.
Subgoal 8.1:
Variables: SG SL X L N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL (secdecl N Ty private E) ((N, private)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E L
Sec2 : no_lookup SG N
============================
N = X -> false
< intros E.
Subgoal 8.1:
Variables: SG SL X L N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL (secdecl N Ty private E) ((N, private)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E L
Sec2 : no_lookup SG N
E : N = X
============================
false
< case E.
Subgoal 8.1:
Variables: SG SL X L E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL (secdecl X Ty private E) ((X, private)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E L
Sec2 : no_lookup SG X
============================
false
< apply no_lookup to Sec2 LkpSec.
Subgoal 8:
Variables: SG SL X L N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL (secdecl N Ty private E) ((N, private)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E L
Sec2 : no_lookup SG N
H1 : N = X -> false
============================
lookup ((N, private)::SG) X public
< search.
Subgoal 9:
Variables: SG X N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (secdecl N Ty public E) ((N, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG N
============================
lookup ((N, public)::SG) X public
< assert N = X -> false.
Subgoal 9.1:
Variables: SG X N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (secdecl N Ty public E) ((N, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG N
============================
N = X -> false
< intros E.
Subgoal 9.1:
Variables: SG X N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (secdecl N Ty public E) ((N, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG N
E : N = X
============================
false
< case E.
Subgoal 9.1:
Variables: SG X E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (secdecl X Ty public E) ((X, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG X
============================
false
< apply no_lookup to Sec2 LkpSec.
Subgoal 9:
Variables: SG X N E Ty
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG public (secdecl N Ty public E) ((N, public)::SG) @
LkpSec : lookup SG X public
Sec1 : level SG E public
Sec2 : no_lookup SG N
H1 : N = X -> false
============================
lookup ((N, public)::SG) X public
< search.
Subgoal 10:
Variables: SG SL SG2 X S1
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL <unknown I s> SG2 @
LkpSec : lookup SG X public
Sec1 : |{s}- <unknown I s> ~~> S1
Sec2 : secure SG SL S1 SG2 *
============================
lookup SG2 X public
< apply IH to Sec2 LkpSec.
Subgoal 10:
Variables: SG SL SG2 X S1
IH : forall SG SL SG2 S X,
secure SG SL S SG2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure SG SL <unknown I s> SG2 @
LkpSec : lookup SG X public
Sec1 : |{s}- <unknown I s> ~~> S1
Sec2 : secure SG SL S1 SG2 *
H1 : lookup SG2 X public
============================
lookup SG2 X public
< search.
Proof completed.
< Theorem public_equiv_swap :
forall SG SG' GA GB,
(forall X, lookup SG X public -> lookup SG' X public) -> public_equiv SG' GA GB ->
public_equiv SG GA GB.
============================
forall SG SG' GA GB,
(forall X, lookup SG X public -> lookup SG' X public) -> public_equiv SG' GA GB ->
public_equiv SG GA GB
< intros LkpEquiv Eq.
Variables: SG SG' GA GB
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : public_equiv SG' GA GB
============================
public_equiv SG GA GB
< Eq: case Eq.
Variables: SG SG' GA GB
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq1 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
============================
public_equiv SG GA GB
< unfold .
Subgoal 1:
Variables: SG SG' GA GB
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq1 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
============================
forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
< intros LkpSec LkpA.
Subgoal 1:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq1 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
============================
lookup GB X V
< LkpSG': apply LkpEquiv to LkpSec.
Subgoal 1:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq1 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
LkpSG' : lookup SG' X public
============================
lookup GB X V
< apply Eq to LkpSG' LkpA.
Subgoal 1:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq1 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
LkpSG' : lookup SG' X public
H1 : lookup GB X V
============================
lookup GB X V
< search.
Subgoal 2:
Variables: SG SG' GA GB
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq1 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
============================
forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
< intros LkpSec LkpB.
Subgoal 2:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq1 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
============================
lookup GA X V
< LkpSG': apply LkpEquiv to LkpSec.
Subgoal 2:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq1 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
LkpSG' : lookup SG' X public
============================
lookup GA X V
< apply Eq1 to LkpSG' LkpB.
Subgoal 2:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq1 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
LkpSG' : lookup SG' X public
H1 : lookup GA X V
============================
lookup GA X V
< search.
Proof completed.
< Extensible_Theorem
stmt_not_public_no_public_change : forall S SG SL SG1 G G1,
Sec : secure SG SL S SG1 ->
NEq : (SL = public -> false) ->
Ev : eval_s G S G1 ->
public_equiv SG G G1
on Ev.
Subgoal 1:
Variables: SG SL SG1 G1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL skipS SG1
NEq : SL = public -> false
Ev : eval_s G1 skipS G1 @
============================
public_equiv SG G1 G1
< case Sec.
Subgoal 1:
Variables: SL SG1 G1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G1 skipS G1 @
============================
public_equiv SG1 G1 G1
< backchain public_equiv_refl.
Subgoal 2:
Variables: SG SL SG1 G V N E Ty
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (decl N Ty E) SG1
NEq : SL = public -> false
Ev : eval_s G (decl N Ty E) ((N, V)::G) @
Ev1 : eval_e G E V
============================
public_equiv SG G ((N, V)::G)
< Sec: case Sec.
Subgoal 2:
Variables: SG G V N E Ty
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_s G (decl N Ty E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG N
============================
public_equiv SG G ((N, V)::G)
< apply NEq to _.
Subgoal 3:
Variables: SG SL SG1 G VOld NewG V N E
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (assign N E) SG1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
============================
public_equiv SG G ((N, V)::NewG)
< Sec: case Sec.
Subgoal 3.1:
Variables: SL SG1 G VOld NewG V N E L
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
============================
public_equiv SG1 G ((N, V)::NewG)
< unfold .
Subgoal 3.1.1:
Variables: SL SG1 G VOld NewG V N E L
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
============================
forall X V1, lookup SG1 X public -> lookup G X V1 -> lookup ((N, V)::NewG) X V1
< intros LS LA.
Subgoal 3.1.1:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
LA : lookup G X V1
============================
lookup ((N, V)::NewG) X V1
< N: assert N = X -> false.
Subgoal 3.1.1.1:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
LA : lookup G X V1
============================
N = X -> false
< intros E.
Subgoal 3.1.1.1:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
LA : lookup G X V1
E : N = X
============================
false
< case E.
Subgoal 3.1.1.1:
Variables: SL SG1 G VOld NewG V E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign X E) ((X, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (X, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 X private
LS : lookup SG1 X public
LA : lookup G X V1
============================
false
< apply lookup_unique to Sec1 LS.
Subgoal 3.1.1:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
LA : lookup G X V1
N : N = X -> false
============================
lookup ((N, V)::NewG) X V1
< assert X = N -> false.
Subgoal 3.1.1.2:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
LA : lookup G X V1
N : N = X -> false
============================
X = N -> false
< intros E.
Subgoal 3.1.1.2:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
LA : lookup G X V1
N : N = X -> false
E : X = N
============================
false
< case E.
Subgoal 3.1.1.2:
Variables: SL SG1 G VOld NewG V N E L V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 N public
LA : lookup G N V1
N : N = N -> false
============================
false
< backchain N.
Subgoal 3.1.1:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
LA : lookup G X V1
N : N = X -> false
H1 : X = N -> false
============================
lookup ((N, V)::NewG) X V1
< apply select_lookup to LA Ev2 _.
Subgoal 3.1.1:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
LA : lookup G X V1
N : N = X -> false
H1 : X = N -> false
H2 : lookup NewG X V1
============================
lookup ((N, V)::NewG) X V1
< search.
Subgoal 3.1.2:
Variables: SL SG1 G VOld NewG V N E L
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
============================
forall X V1, lookup SG1 X public -> lookup ((N, V)::NewG) X V1 -> lookup G X V1
< intros LS LB.
Subgoal 3.1.2:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
LB : lookup ((N, V)::NewG) X V1
============================
lookup G X V1
< L: case LB.
Subgoal 3.1.2.1:
Variables: SL SG1 G VOld NewG E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign X E) ((X, V1)::NewG) @
Ev1 : eval_e G E V1
Ev2 : select (X, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 X private
LS : lookup SG1 X public
============================
lookup G X V1
< apply lookup_unique to Sec1 LS.
Subgoal 3.1.2.2:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
L : N = X -> false
L1 : lookup NewG X V1
============================
lookup G X V1
< assert X = N -> false.
Subgoal 3.1.2.2.1:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
L : N = X -> false
L1 : lookup NewG X V1
============================
X = N -> false
< intros E.
Subgoal 3.1.2.2.1:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
L : N = X -> false
L1 : lookup NewG X V1
E : X = N
============================
false
< case E.
Subgoal 3.1.2.2.1:
Variables: SL SG1 G VOld NewG V N E L V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 N public
L : N = N -> false
L1 : lookup NewG N V1
============================
false
< backchain L.
Subgoal 3.1.2.2:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
L : N = X -> false
L1 : lookup NewG X V1
H1 : X = N -> false
============================
lookup G X V1
< apply lookup_after_select_before to L1 Ev2 _.
Subgoal 3.1.2.2:
Variables: SL SG1 G VOld NewG V N E L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LS : lookup SG1 X public
L : N = X -> false
L1 : lookup NewG X V1
H1 : X = N -> false
H2 : lookup G X V1
============================
lookup G X V1
< search.
Subgoal 3.2:
Variables: SG1 G VOld NewG V N E
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_s G (assign N E) ((N, V)::NewG) @
Ev1 : eval_e G E V
Ev2 : select (N, VOld) NewG G
Sec : level SG1 E public
Sec1 : lookup SG1 N public
============================
public_equiv SG1 G ((N, V)::NewG)
< apply NEq to _.
Subgoal 4:
Variables: SG SL SG1 G G1 G2 S2 S1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (seq S1 S2) SG1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
============================
public_equiv SG G G1
< Sec: case Sec.
Subgoal 4:
Variables: SG SL SG1 G G1 G2 S2 S1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
============================
public_equiv SG G G1
< PE1: apply IH to Sec _ Ev1.
Subgoal 4:
Variables: SG SL SG1 G G1 G2 S2 S1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
PE1 : public_equiv SG G G2
============================
public_equiv SG G G1
< PE2: apply IH to Sec1 _ Ev2.
Subgoal 4:
Variables: SG SL SG1 G G1 G2 S2 S1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
PE1 : public_equiv SG G G2
PE2 : public_equiv SG2 G2 G1
============================
public_equiv SG G G1
< E: assert forall X,
lookup SG X public -> lookup SG2 X public.
Subgoal 4.1:
Variables: SG SL SG1 G G1 G2 S2 S1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
PE1 : public_equiv SG G G2
PE2 : public_equiv SG2 G2 G1
============================
forall X, lookup SG X public -> lookup SG2 X public
< intros L.
Subgoal 4.1:
Variables: SG SL SG1 G G1 G2 S2 S1 SG2 X
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
PE1 : public_equiv SG G G2
PE2 : public_equiv SG2 G2 G1
L : lookup SG X public
============================
lookup SG2 X public
< L': apply stmt_public_branch to Sec L.
Subgoal 4.1:
Variables: SG SL SG1 G G1 G2 S2 S1 SG2 X
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
PE1 : public_equiv SG G G2
PE2 : public_equiv SG2 G2 G1
L : lookup SG X public
L' : lookup SG2 X public
============================
lookup SG2 X public
< search.
Subgoal 4:
Variables: SG SL SG1 G G1 G2 S2 S1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
PE1 : public_equiv SG G G2
PE2 : public_equiv SG2 G2 G1
E : forall X, lookup SG X public -> lookup SG2 X public
============================
public_equiv SG G G1
< PE': apply public_equiv_swap to E PE2.
Subgoal 4:
Variables: SG SL SG1 G G1 G2 S2 S1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
PE1 : public_equiv SG G G2
PE2 : public_equiv SG2 G2 G1
E : forall X, lookup SG X public -> lookup SG2 X public
PE' : public_equiv SG G2 G1
============================
public_equiv SG G G1
< apply public_equiv_trans to PE1 PE'.
Subgoal 4:
Variables: SG SL SG1 G G1 G2 S2 S1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (seq S1 S2) G1 @
Ev1 : eval_s G S1 G2 *
Ev2 : eval_s G2 S2 G1 *
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
PE1 : public_equiv SG G G2
PE2 : public_equiv SG2 G2 G1
E : forall X, lookup SG X public -> lookup SG2 X public
PE' : public_equiv SG G2 G1
H1 : public_equiv SG G G1
============================
public_equiv SG G G1
< search.
Subgoal 5:
Variables: SG SL SG1 G G1 S2 S1 E
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (ifte E S1 S2) SG1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G1 *
============================
public_equiv SG G G1
< Sec: case Sec.
Subgoal 5:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
============================
public_equiv SG1 G G1
< assert Sl1 = public -> false.
Subgoal 5.1:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
============================
Sl1 = public -> false
< intros E.
Subgoal 5.1:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
E : Sl1 = public
============================
false
< case E.
Subgoal 5.1:
Variables: SL SG1 G G1 S2 S1 E L SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G1 *
Sec : level SG1 E L
Sec1 : join L SL public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
============================
false
< backchain NEq.
Subgoal 5.1:
Variables: SL SG1 G G1 S2 S1 E L SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G1 *
Sec : level SG1 E L
Sec1 : join L SL public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
============================
SL = public
< apply join_public to Sec1.
Subgoal 5.1:
Variables: SG1 G G1 S2 S1 E SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G1 *
Sec : level SG1 E public
Sec1 : join public public public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
============================
public = public
< search.
Subgoal 5:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
H1 : Sl1 = public -> false
============================
public_equiv SG1 G G1
< apply IH to Sec2 _ Ev2.
Subgoal 5:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
H1 : Sl1 = public -> false
H2 : public_equiv SG1 G G1
============================
public_equiv SG1 G G1
< search.
Subgoal 6:
Variables: SG SL SG1 G G1 S2 S1 E
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (ifte E S1 S2) SG1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E falseE
Ev2 : eval_s G S2 G1 *
============================
public_equiv SG G G1
< Sec: case Sec.
Subgoal 6:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E falseE
Ev2 : eval_s G S2 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
============================
public_equiv SG1 G G1
< assert Sl1 = public -> false.
Subgoal 6.1:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E falseE
Ev2 : eval_s G S2 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
============================
Sl1 = public -> false
< intros E.
Subgoal 6.1:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E falseE
Ev2 : eval_s G S2 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
E : Sl1 = public
============================
false
< case E.
Subgoal 6.1:
Variables: SL SG1 G G1 S2 S1 E L SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E falseE
Ev2 : eval_s G S2 G1 *
Sec : level SG1 E L
Sec1 : join L SL public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
============================
false
< backchain NEq.
Subgoal 6.1:
Variables: SL SG1 G G1 S2 S1 E L SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E falseE
Ev2 : eval_s G S2 G1 *
Sec : level SG1 E L
Sec1 : join L SL public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
============================
SL = public
< apply join_public to Sec1.
Subgoal 6.1:
Variables: SG1 G G1 S2 S1 E SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E falseE
Ev2 : eval_s G S2 G1 *
Sec : level SG1 E public
Sec1 : join public public public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
============================
public = public
< search.
Subgoal 6:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E falseE
Ev2 : eval_s G S2 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
H1 : Sl1 = public -> false
============================
public_equiv SG1 G G1
< apply IH to Sec3 _ Ev2.
Subgoal 6:
Variables: SL SG1 G G1 S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (ifte E S1 S2) G1 @
Ev1 : eval_e G E falseE
Ev2 : eval_s G S2 G1 *
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
H1 : Sl1 = public -> false
H2 : public_equiv SG1 G G1
============================
public_equiv SG1 G G1
< search.
Subgoal 7:
Variables: SG SL SG1 G G1 G2 S1 E
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
============================
public_equiv SG G G1
< Sec: case Sec (keep).
Subgoal 7:
Variables: SL SG1 G G1 G2 S1 E L Sl1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
============================
public_equiv SG1 G G1
< assert Sl1 = public -> false.
Subgoal 7.1:
Variables: SL SG1 G G1 G2 S1 E L Sl1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
============================
Sl1 = public -> false
< intros E.
Subgoal 7.1:
Variables: SL SG1 G G1 G2 S1 E L Sl1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
E : Sl1 = public
============================
false
< case E.
Subgoal 7.1:
Variables: SL SG1 G G1 G2 S1 E L SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E L
Sec2 : join L SL public
Sec3 : secure SG1 public S1 SG2
============================
false
< backchain NEq.
Subgoal 7.1:
Variables: SL SG1 G G1 G2 S1 E L SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E L
Sec2 : join L SL public
Sec3 : secure SG1 public S1 SG2
============================
SL = public
< apply join_public to Sec2.
Subgoal 7.1:
Variables: SG1 G G1 G2 S1 E SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 public (while E S1) SG1
NEq : public = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E public
Sec2 : join public public public
Sec3 : secure SG1 public S1 SG2
============================
public = public
< search.
Subgoal 7:
Variables: SL SG1 G G1 G2 S1 E L Sl1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
H1 : Sl1 = public -> false
============================
public_equiv SG1 G G1
< EqGG2: apply IH to Sec3 _ Ev2.
Subgoal 7:
Variables: SL SG1 G G1 G2 S1 E L Sl1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
H1 : Sl1 = public -> false
EqGG2 : public_equiv SG1 G G2
============================
public_equiv SG1 G G1
< EqG2G1: apply IH to _ _ Ev3.
Subgoal 7:
Variables: SL SG1 G G1 G2 S1 E L Sl1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
H1 : Sl1 = public -> false
EqGG2 : public_equiv SG1 G G2
EqG2G1 : public_equiv SG1 G2 G1
============================
public_equiv SG1 G G1
< apply public_equiv_trans to EqGG2 EqG2G1.
Subgoal 7:
Variables: SL SG1 G G1 G2 S1 E L Sl1 SG2
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG1 SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G (while E S1) G1 @
Ev1 : eval_e G E trueE
Ev2 : eval_s G S1 G2 *
Ev3 : eval_s G2 (while E S1) G1 *
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
H1 : Sl1 = public -> false
EqGG2 : public_equiv SG1 G G2
EqG2G1 : public_equiv SG1 G2 G1
H2 : public_equiv SG1 G G1
============================
public_equiv SG1 G G1
< search.
Subgoal 8:
Variables: SG SL SG1 G1 S1 E
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G1 (while E S1) G1 @
Ev1 : eval_e G1 E falseE
============================
public_equiv SG G1 G1
< unfold .
Subgoal 8.1:
Variables: SG SL SG1 G1 S1 E
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G1 (while E S1) G1 @
Ev1 : eval_e G1 E falseE
============================
forall X V, lookup SG X public -> lookup G1 X V -> lookup G1 X V
< intros LkpSec LkpG1.
Subgoal 8.1:
Variables: SG SL SG1 G1 S1 E X V
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G1 (while E S1) G1 @
Ev1 : eval_e G1 E falseE
LkpSec : lookup SG X public
LkpG1 : lookup G1 X V
============================
lookup G1 X V
< search.
Subgoal 8.2:
Variables: SG SL SG1 G1 S1 E
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G1 (while E S1) G1 @
Ev1 : eval_e G1 E falseE
============================
forall X V, lookup SG X public -> lookup G1 X V -> lookup G1 X V
< intros LkpSec LkpG1.
Subgoal 8.2:
Variables: SG SL SG1 G1 S1 E X V
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (while E S1) SG1
NEq : SL = public -> false
Ev : eval_s G1 (while E S1) G1 @
Ev1 : eval_e G1 E falseE
LkpSec : lookup SG X public
LkpG1 : lookup G1 X V
============================
lookup G1 X V
< search.
Subgoal 9:
Variables: SG SL SG1 G V N E Sl Ty
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL (secdecl N Ty Sl E) SG1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty Sl E) ((N, V)::G) @
Ev1 : eval_e G E V
============================
public_equiv SG G ((N, V)::G)
< Sec: case Sec.
Subgoal 9.1:
Variables: SG SL G V N E Ty L
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty private E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG N
============================
public_equiv SG G ((N, V)::G)
< unfold .
Subgoal 9.1.1:
Variables: SG SL G V N E Ty L
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty private E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG N
============================
forall X V1, lookup SG X public -> lookup G X V1 -> lookup ((N, V)::G) X V1
< intros LkpSec LkpG.
Subgoal 9.1.1:
Variables: SG SL G V N E Ty L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty private E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : lookup SG X public
LkpG : lookup G X V1
============================
lookup ((N, V)::G) X V1
< assert N = X -> false.
Subgoal 9.1.1.1:
Variables: SG SL G V N E Ty L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty private E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : lookup SG X public
LkpG : lookup G X V1
============================
N = X -> false
< intros E.
Subgoal 9.1.1.1:
Variables: SG SL G V N E Ty L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty private E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : lookup SG X public
LkpG : lookup G X V1
E : N = X
============================
false
< case E.
Subgoal 9.1.1.1:
Variables: SG SL G V E Ty L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl X Ty private E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG X
LkpSec : lookup SG X public
LkpG : lookup G X V1
============================
false
< apply no_lookup to Sec1 LkpSec.
Subgoal 9.1.1:
Variables: SG SL G V N E Ty L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty private E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : lookup SG X public
LkpG : lookup G X V1
H1 : N = X -> false
============================
lookup ((N, V)::G) X V1
< search.
Subgoal 9.1.2:
Variables: SG SL G V N E Ty L
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty private E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG N
============================
forall X V1, lookup SG X public -> lookup ((N, V)::G) X V1 -> lookup G X V1
< intros LkpSec LkpG+.
Subgoal 9.1.2:
Variables: SG SL G V N E Ty L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty private E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : lookup SG X public
LkpG+ : lookup ((N, V)::G) X V1
============================
lookup G X V1
< Lkp: case LkpG+.
Subgoal 9.1.2.1:
Variables: SG SL G E Ty L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl X Ty private E) ((X, V1)::G) @
Ev1 : eval_e G E V1
Sec : level SG E L
Sec1 : no_lookup SG X
LkpSec : lookup SG X public
============================
lookup G X V1
< apply no_lookup to Sec1 LkpSec.
Subgoal 9.1.2.2:
Variables: SG SL G V N E Ty L X V1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G (secdecl N Ty private E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup G X V1
============================
lookup G X V1
< search.
Subgoal 9.2:
Variables: SG G V N E Ty
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_s G (secdecl N Ty public E) ((N, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG N
============================
public_equiv SG G ((N, V)::G)
< apply NEq to _.
Subgoal 10:
Variables: SG SL SG1 G G1 T
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
Sec : secure SG SL <unknown K eval_s> SG1
NEq : SL = public -> false
Ev : eval_s G <unknown K eval_s> G1 @
Ev1 : |{s}- <unknown K eval_s> ~~> T
Ev2 : eval_s G T G1 *
============================
public_equiv SG G G1
< Sec: case Sec.
Subgoal 10:
Variables: SG SL SG1 G G1 T S1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G <unknown K eval_s> G1 @
Ev1 : |{s}- <unknown K eval_s> ~~> T
Ev2 : eval_s G T G1 *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
============================
public_equiv SG G G1
< apply proj_s_unique to Ev1 Sec.
Subgoal 10:
Variables: SG SL SG1 G G1 S1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G <unknown K eval_s> G1 @
Ev1 : |{s}- <unknown K eval_s> ~~> S1
Ev2 : eval_s G S1 G1 *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
============================
public_equiv SG G G1
< apply IH to _ _ Ev2.
Subgoal 10:
Variables: SG SL SG1 G G1 S1
IH : forall S SG SL SG1 G G1,
secure SG SL S SG1 -> (SL = public -> false) -> eval_s G S G1 * -> public_equiv SG G G1
NEq : SL = public -> false
Ev : eval_s G <unknown K eval_s> G1 @
Ev1 : |{s}- <unknown K eval_s> ~~> S1
Ev2 : eval_s G S1 G1 *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
H1 : public_equiv SG G G1
============================
public_equiv SG G G1
< search.
Proof completed.
< Theorem while_no_public_change :
forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 -> public_equiv SG G G2.
============================
forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 -> public_equiv SG G G2
< induction on 4.
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
============================
forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 @ -> public_equiv SG G G2
< intros Sec Lev NEq Ev.
Variables: SG SL SG' Cond Body S G G2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Sec : secure SG SL (while Cond Body) SG'
Lev : level SG Cond S
NEq : S = public -> false
Ev : eval_s G (while Cond Body) G2 @
============================
public_equiv SG G G2
< Ev: case Ev.
Subgoal 1:
Variables: SG SL SG' Cond Body S G G2 G1
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Sec : secure SG SL (while Cond Body) SG'
Lev : level SG Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
============================
public_equiv SG G G2
< EqG1G2: apply IH to Sec Lev NEq Ev2.
Subgoal 1:
Variables: SG SL SG' Cond Body S G G2 G1
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Sec : secure SG SL (while Cond Body) SG'
Lev : level SG Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG G1 G2
============================
public_equiv SG G G2
< Sec: case Sec.
Subgoal 1:
Variables: SL SG' Cond Body S G G2 G1 L Sl1 SG2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond L
Sec1 : join L SL Sl1
Sec2 : secure SG' Sl1 Body SG2
============================
public_equiv SG' G G2
< EqGG1: apply stmt_not_public_no_public_change to Sec2 _ Ev1.
Subgoal 1.1:
Variables: SL SG' Cond Body S G G2 G1 L Sl1 SG2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond L
Sec1 : join L SL Sl1
Sec2 : secure SG' Sl1 Body SG2
============================
Sl1 = public -> false
< intros Eq.
Subgoal 1.1:
Variables: SL SG' Cond Body S G G2 G1 L Sl1 SG2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond L
Sec1 : join L SL Sl1
Sec2 : secure SG' Sl1 Body SG2
Eq : Sl1 = public
============================
false
< case Eq.
Subgoal 1.1:
Variables: SL SG' Cond Body S G G2 G1 L SG2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond L
Sec1 : join L SL public
Sec2 : secure SG' public Body SG2
============================
false
< apply join_public to Sec1.
Subgoal 1.1:
Variables: SG' Cond Body S G G2 G1 SG2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond public
Sec1 : join public public public
Sec2 : secure SG' public Body SG2
============================
false
< apply level_unique to Lev Sec.
Subgoal 1.1:
Variables: SG' Cond Body G G2 G1 SG2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond public
NEq : public = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond public
Sec1 : join public public public
Sec2 : secure SG' public Body SG2
============================
false
< backchain NEq.
Subgoal 1:
Variables: SL SG' Cond Body S G G2 G1 L Sl1 SG2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond L
Sec1 : join L SL Sl1
Sec2 : secure SG' Sl1 Body SG2
EqGG1 : public_equiv SG' G G1
============================
public_equiv SG' G G2
< apply public_equiv_trans to EqGG1 EqG1G2.
Subgoal 1:
Variables: SL SG' Cond Body S G G2 G1 L Sl1 SG2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueE
Ev1 : eval_s G Body G1 *
Ev2 : eval_s G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond L
Sec1 : join L SL Sl1
Sec2 : secure SG' Sl1 Body SG2
EqGG1 : public_equiv SG' G G1
H1 : public_equiv SG' G G2
============================
public_equiv SG' G G2
< search.
Subgoal 2:
Variables: SG SL SG' Cond Body S G2
IH : forall SG SL SG' Cond Body S G G2,
secure SG SL (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_s G (while Cond Body) G2 * -> public_equiv SG G G2
Sec : secure SG SL (while Cond Body) SG'
Lev : level SG Cond S
NEq : S = public -> false
Ev : eval_e G2 Cond falseE
============================
public_equiv SG G2 G2
< backchain public_equiv_refl.
Proof completed.
< Extensible_Theorem
stmt_secure : forall S SG SL SG1 GA GA' GB GB',
Is : is_s S ->
Sec : secure SG SL S SG1 ->
Rel : public_equiv SG GA GB ->
EvA : eval_s GA S GA' ->
EvB : eval_s GB S GB' ->
public_equiv SG1 GA' GB'
on EvA.
Subgoal 1:
Variables: SG SL SG1 GA' GB GB'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s skipS
Sec : secure SG SL skipS SG1
Rel : public_equiv SG GA' GB
EvA : eval_s GA' skipS GA' @
EvB : eval_s GB skipS GB'
============================
public_equiv SG1 GA' GB'
< case EvB.
Subgoal 1:
Variables: SG SL SG1 GA' GB'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s skipS
Sec : secure SG SL skipS SG1
Rel : public_equiv SG GA' GB'
EvA : eval_s GA' skipS GA' @
============================
public_equiv SG1 GA' GB'
< case Sec.
Subgoal 1:
Variables: SL SG1 GA' GB'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s skipS
Rel : public_equiv SG1 GA' GB'
EvA : eval_s GA' skipS GA' @
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 2:
Variables: SG SL SG1 GA GB GB' V N E Ty
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (decl N Ty E)
Sec : secure SG SL (decl N Ty E) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V)::GA) @
EvB : eval_s GB (decl N Ty E) GB'
EvA1 : eval_e GA E V
============================
public_equiv SG1 ((N, V)::GA) GB'
< EvB: case EvB.
Subgoal 2:
Variables: SG SL SG1 GA GB V N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (decl N Ty E)
Sec : secure SG SL (decl N Ty E) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
============================
public_equiv SG1 ((N, V)::GA) ((N, V1)::GB)
< Sec: case Sec.
Subgoal 2:
Variables: SG GA GB V N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (decl N Ty E)
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
============================
public_equiv ((N, public)::SG) ((N, V)::GA) ((N, V1)::GB)
< Is: case Is.
Subgoal 2:
Variables: SG GA GB V N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
============================
public_equiv ((N, public)::SG) ((N, V)::GA) ((N, V1)::GB)
< apply level_secure to _ _ Rel EvA1 EvB.
Subgoal 2:
Variables: SG GA GB N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
============================
public_equiv ((N, public)::SG) ((N, V1)::GA) ((N, V1)::GB)
< unfold .
Subgoal 2.1:
Variables: SG GA GB N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
============================
forall X V,
lookup ((N, public)::SG) X public -> lookup ((N, V1)::GA) X V -> lookup ((N, V1)::GB) X V
< intros LkpSec LkpA.
Subgoal 2.1:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((N, public)::SG) X public
LkpA : lookup ((N, V1)::GA) X V2
============================
lookup ((N, V1)::GB) X V2
< LkpSec: case LkpSec.
Subgoal 2.1.1:
Variables: SG GA GB E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpA : lookup ((X, V1)::GA) X V2
============================
lookup ((X, V1)::GB) X V2
< LkpA: case LkpA.
Subgoal 2.1.1.1:
Variables: SG GA GB E Ty X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl X Ty E) ((X, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
============================
lookup ((X, V2)::GB) X V2
< search.
Subgoal 2.1.1.2:
Variables: SG GA GB E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpA : X = X -> false
LkpA1 : lookup GA X V2
============================
lookup ((X, V1)::GB) X V2
< apply LkpA to _.
Subgoal 2.1.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpA : lookup ((N, V1)::GA) X V2
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((N, V1)::GB) X V2
< LkpA: case LkpA.
Subgoal 2.1.2.1:
Variables: SG GA GB E Ty X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl X Ty E) ((X, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((X, V2)::GB) X V2
< apply LkpSec to _.
Subgoal 2.1.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
LkpA : N = X -> false
LkpA1 : lookup GA X V2
============================
lookup ((N, V1)::GB) X V2
< Rel: case Rel.
Subgoal 2.1.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
LkpA : N = X -> false
LkpA1 : lookup GA X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V1)::GB) X V2
< apply Rel to LkpSec1 LkpA1.
Subgoal 2.1.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
LkpA : N = X -> false
LkpA1 : lookup GA X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GB X V2
============================
lookup ((N, V1)::GB) X V2
< search.
Subgoal 2.2:
Variables: SG GA GB N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
============================
forall X V,
lookup ((N, public)::SG) X public -> lookup ((N, V1)::GB) X V -> lookup ((N, V1)::GA) X V
< intros LkpSec LkpB.
Subgoal 2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((N, public)::SG) X public
LkpB : lookup ((N, V1)::GB) X V2
============================
lookup ((N, V1)::GA) X V2
< LkpSec: case LkpSec.
Subgoal 2.2.1:
Variables: SG GA GB E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpB : lookup ((X, V1)::GB) X V2
============================
lookup ((X, V1)::GA) X V2
< LkpB: case LkpB.
Subgoal 2.2.1.1:
Variables: SG GA GB E Ty X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl X Ty E) ((X, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
============================
lookup ((X, V2)::GA) X V2
< search.
Subgoal 2.2.1.2:
Variables: SG GA GB E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpB : X = X -> false
LkpB1 : lookup GB X V2
============================
lookup ((X, V1)::GA) X V2
< apply LkpB to _.
Subgoal 2.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpB : lookup ((N, V1)::GB) X V2
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((N, V1)::GA) X V2
< LkpB: case LkpB.
Subgoal 2.2.2.1:
Variables: SG GA GB E Ty X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl X Ty E) ((X, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((X, V2)::GA) X V2
< apply LkpSec to _.
Subgoal 2.2.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
LkpB : N = X -> false
LkpB1 : lookup GB X V2
============================
lookup ((N, V1)::GA) X V2
< Rel: case Rel.
Subgoal 2.2.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
LkpB : N = X -> false
LkpB1 : lookup GB X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V1)::GA) X V2
< apply Rel1 to LkpSec1 LkpB1.
Subgoal 2.2.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (decl N Ty E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG N
Is : is_string N
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
LkpB : N = X -> false
LkpB1 : lookup GB X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GA X V2
============================
lookup ((N, V1)::GA) X V2
< search.
Subgoal 3:
Variables: SG SL SG1 GA GB GB' VOld NewG V N E
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (assign N E)
Sec : secure SG SL (assign N E) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvB : eval_s GB (assign N E) GB'
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
============================
public_equiv SG1 ((N, V)::NewG) GB'
< EvB: case EvB.
Subgoal 3:
Variables: SG SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (assign N E)
Sec : secure SG SL (assign N E) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
============================
public_equiv SG1 ((N, V)::NewG) ((N, V1)::NewG1)
< Is: case Is.
Subgoal 3:
Variables: SG SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Sec : secure SG SL (assign N E) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
============================
public_equiv SG1 ((N, V)::NewG) ((N, V1)::NewG1)
< Sec: case Sec.
Subgoal 3.1:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
============================
public_equiv SG1 ((N, V)::NewG) ((N, V1)::NewG1)
< unfold .
Subgoal 3.1.1:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
============================
forall X V2,
lookup SG1 X public -> lookup ((N, V)::NewG) X V2 -> lookup ((N, V1)::NewG1) X V2
< intros LkpSec LkpA.
Subgoal 3.1.1:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpA : lookup ((N, V)::NewG) X V2
============================
lookup ((N, V1)::NewG1) X V2
< LkpA: case LkpA.
Subgoal 3.1.1.1:
Variables: SL SG1 GA GB VOld NewG E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign X E) ((X, V2)::NewG) @
EvA1 : eval_e GA E V2
EvA2 : select (X, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (X, VOld1) NewG1 GB
Is : is_string X
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X public
============================
lookup ((X, V1)::NewG1) X V2
< apply lookup_unique to Sec1 LkpSec.
Subgoal 3.1.1.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
============================
lookup ((N, V1)::NewG1) X V2
< assert X = N -> false.
Subgoal 3.1.1.2.1:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
============================
X = N -> false
< intros E.
Subgoal 3.1.1.2.1:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
E : X = N
============================
false
< case E.
Subgoal 3.1.1.2.1:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 N public
LkpA : N = N -> false
LkpA1 : lookup NewG N V2
============================
false
< backchain LkpA.
Subgoal 3.1.1.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
============================
lookup ((N, V1)::NewG1) X V2
< L: apply lookup_after_select_before to LkpA1 EvA2 _.
Subgoal 3.1.1.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
L : lookup GA X V2
============================
lookup ((N, V1)::NewG1) X V2
< R: case Rel.
Subgoal 3.1.1.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
L : lookup GA X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V1)::NewG1) X V2
< LB: apply R to _ L.
Subgoal 3.1.1.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
L : lookup GA X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LB : lookup GB X V2
============================
lookup ((N, V1)::NewG1) X V2
< apply select_lookup to LB EvB1 _.
Subgoal 3.1.1.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
L : lookup GA X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LB : lookup GB X V2
H2 : lookup NewG1 X V2
============================
lookup ((N, V1)::NewG1) X V2
< search.
Subgoal 3.1.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
============================
forall X V2,
lookup SG1 X public -> lookup ((N, V1)::NewG1) X V2 -> lookup ((N, V)::NewG) X V2
< intros LkpSec LkpB.
Subgoal 3.1.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpB : lookup ((N, V1)::NewG1) X V2
============================
lookup ((N, V)::NewG) X V2
< LkpB: case LkpB.
Subgoal 3.1.2.1:
Variables: SL SG1 GA GB VOld NewG V E VOld1 NewG1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign X E) ((X, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (X, VOld) NewG GA
EvB : eval_e GB E V2
EvB1 : select (X, VOld1) NewG1 GB
Is : is_string X
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X public
============================
lookup ((X, V)::NewG) X V2
< apply lookup_unique to Sec1 LkpSec.
Subgoal 3.1.2.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
============================
lookup ((N, V)::NewG) X V2
< assert X = N -> false.
Subgoal 3.1.2.2.1:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
============================
X = N -> false
< intros E.
Subgoal 3.1.2.2.1:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
E : X = N
============================
false
< case E.
Subgoal 3.1.2.2.1:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 N public
LkpB : N = N -> false
LkpB1 : lookup NewG1 N V2
============================
false
< backchain LkpB.
Subgoal 3.1.2.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
============================
lookup ((N, V)::NewG) X V2
< L: apply lookup_after_select_before to LkpB1 EvB1 _.
Subgoal 3.1.2.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
L : lookup GB X V2
============================
lookup ((N, V)::NewG) X V2
< R: case Rel.
Subgoal 3.1.2.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
L : lookup GB X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V)::NewG) X V2
< LA: apply R1 to _ L.
Subgoal 3.1.2.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
L : lookup GB X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LA : lookup GA X V2
============================
lookup ((N, V)::NewG) X V2
< apply select_lookup to LA EvA2 _.
Subgoal 3.1.2.2:
Variables: SL SG1 GA GB VOld NewG V N E VOld1 NewG1 V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E L
Sec1 : lookup SG1 N private
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
L : lookup GB X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LA : lookup GA X V2
H2 : lookup NewG X V2
============================
lookup ((N, V)::NewG) X V2
< search.
Subgoal 3.2:
Variables: SG1 GA GB VOld NewG V N E VOld1 NewG1 V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V)::NewG) @
EvA1 : eval_e GA E V
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
============================
public_equiv SG1 ((N, V)::NewG) ((N, V1)::NewG1)
< apply level_secure to _ Sec Rel EvA1 EvB.
Subgoal 3.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
============================
public_equiv SG1 ((N, V1)::NewG) ((N, V1)::NewG1)
< unfold .
Subgoal 3.2.1:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
============================
forall X V,
lookup SG1 X public -> lookup ((N, V1)::NewG) X V -> lookup ((N, V1)::NewG1) X V
< intros LkpSec LkpA.
Subgoal 3.2.1:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpA : lookup ((N, V1)::NewG) X V2
============================
lookup ((N, V1)::NewG1) X V2
< LkpA: case LkpA.
Subgoal 3.2.1.1:
Variables: SG1 GA GB VOld NewG E VOld1 NewG1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign X E) ((X, V2)::NewG) @
EvA1 : eval_e GA E V2
EvA2 : select (X, VOld) NewG GA
EvB : eval_e GB E V2
EvB1 : select (X, VOld1) NewG1 GB
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X public
============================
lookup ((X, V2)::NewG1) X V2
< search.
Subgoal 3.2.1.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
============================
lookup ((N, V1)::NewG1) X V2
< assert X = N -> false.
Subgoal 3.2.1.2.1:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
============================
X = N -> false
< intros E.
Subgoal 3.2.1.2.1:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
E : X = N
============================
false
< case E.
Subgoal 3.2.1.2.1:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 N public
LkpA : N = N -> false
LkpA1 : lookup NewG N V2
============================
false
< backchain LkpA.
Subgoal 3.2.1.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
============================
lookup ((N, V1)::NewG1) X V2
< LGA: apply lookup_after_select_before to LkpA1 EvA2 _.
Subgoal 3.2.1.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
LGA : lookup GA X V2
============================
lookup ((N, V1)::NewG1) X V2
< R: case Rel.
Subgoal 3.2.1.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
LGA : lookup GA X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V1)::NewG1) X V2
< LGB: apply R to LkpSec LGA.
Subgoal 3.2.1.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
LGA : lookup GA X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LGB : lookup GB X V2
============================
lookup ((N, V1)::NewG1) X V2
< apply select_lookup to LGB EvB1 _.
Subgoal 3.2.1.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpA : N = X -> false
LkpA1 : lookup NewG X V2
H1 : X = N -> false
LGA : lookup GA X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LGB : lookup GB X V2
H2 : lookup NewG1 X V2
============================
lookup ((N, V1)::NewG1) X V2
< search.
Subgoal 3.2.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
============================
forall X V,
lookup SG1 X public -> lookup ((N, V1)::NewG1) X V -> lookup ((N, V1)::NewG) X V
< intros LkpSec LkpB.
Subgoal 3.2.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpB : lookup ((N, V1)::NewG1) X V2
============================
lookup ((N, V1)::NewG) X V2
< LkpB: case LkpB.
Subgoal 3.2.2.1:
Variables: SG1 GA GB VOld NewG E VOld1 NewG1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign X E) ((X, V2)::NewG) @
EvA1 : eval_e GA E V2
EvA2 : select (X, VOld) NewG GA
EvB : eval_e GB E V2
EvB1 : select (X, VOld1) NewG1 GB
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X public
============================
lookup ((X, V2)::NewG) X V2
< search.
Subgoal 3.2.2.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
============================
lookup ((N, V1)::NewG) X V2
< assert X = N -> false.
Subgoal 3.2.2.2.1:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
============================
X = N -> false
< intros E.
Subgoal 3.2.2.2.1:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
E : X = N
============================
false
< case E.
Subgoal 3.2.2.2.1:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 N public
LkpB : N = N -> false
LkpB1 : lookup NewG1 N V2
============================
false
< backchain LkpB.
Subgoal 3.2.2.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
============================
lookup ((N, V1)::NewG) X V2
< LGB: apply lookup_after_select_before to LkpB1 EvB1 _.
Subgoal 3.2.2.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
LGB : lookup GB X V2
============================
lookup ((N, V1)::NewG) X V2
< R: case Rel.
Subgoal 3.2.2.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
LGB : lookup GB X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V1)::NewG) X V2
< LGA: apply R1 to LkpSec LGB.
Subgoal 3.2.2.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
LGB : lookup GB X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LGA : lookup GA X V2
============================
lookup ((N, V1)::NewG) X V2
< apply select_lookup to LGA EvA2 _.
Subgoal 3.2.2.2:
Variables: SG1 GA GB VOld NewG N E VOld1 NewG1 V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (assign N E) ((N, V1)::NewG) @
EvA1 : eval_e GA E V1
EvA2 : select (N, VOld) NewG GA
EvB : eval_e GB E V1
EvB1 : select (N, VOld1) NewG1 GB
Is : is_string N
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 N public
LkpSec : lookup SG1 X public
LkpB : N = X -> false
LkpB1 : lookup NewG1 X V2
H1 : X = N -> false
LGB : lookup GB X V2
R : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
R1 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LGA : lookup GA X V2
H2 : lookup NewG X V2
============================
lookup ((N, V1)::NewG) X V2
< search.
Subgoal 4:
Variables: SG SL SG1 GA GA' GB GB' G1 S2 S1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (seq S1 S2)
Sec : secure SG SL (seq S1 S2) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (seq S1 S2) GA' @
EvB : eval_s GB (seq S1 S2) GB'
EvA1 : eval_s GA S1 G1 *
EvA2 : eval_s G1 S2 GA' *
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 4:
Variables: SG SL SG1 GA GA' GB GB' G1 S2 S1 G2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (seq S1 S2)
Sec : secure SG SL (seq S1 S2) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (seq S1 S2) GA' @
EvA1 : eval_s GA S1 G1 *
EvA2 : eval_s G1 S2 GA' *
EvB : eval_s GB S1 G2
EvB1 : eval_s G2 S2 GB'
============================
public_equiv SG1 GA' GB'
< Sec: case Sec.
Subgoal 4:
Variables: SG SL SG1 GA GA' GB GB' G1 S2 S1 G2 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (seq S1 S2)
Rel : public_equiv SG GA GB
EvA : eval_s GA (seq S1 S2) GA' @
EvA1 : eval_s GA S1 G1 *
EvA2 : eval_s G1 S2 GA' *
EvB : eval_s GB S1 G2
EvB1 : eval_s G2 S2 GB'
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
============================
public_equiv SG1 GA' GB'
< Is: case Is.
Subgoal 4:
Variables: SG SL SG1 GA GA' GB GB' G1 S2 S1 G2 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (seq S1 S2) GA' @
EvA1 : eval_s GA S1 G1 *
EvA2 : eval_s G1 S2 GA' *
EvB : eval_s GB S1 G2
EvB1 : eval_s G2 S2 GB'
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
Is : is_s S1
Is1 : is_s S2
============================
public_equiv SG1 GA' GB'
< apply IH to _ _ _ EvA1 EvB.
Subgoal 4:
Variables: SG SL SG1 GA GA' GB GB' G1 S2 S1 G2 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (seq S1 S2) GA' @
EvA1 : eval_s GA S1 G1 *
EvA2 : eval_s G1 S2 GA' *
EvB : eval_s GB S1 G2
EvB1 : eval_s G2 S2 GB'
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
Is : is_s S1
Is1 : is_s S2
H1 : public_equiv SG2 G1 G2
============================
public_equiv SG1 GA' GB'
< apply IH to _ _ _ EvA2 EvB1.
Subgoal 4:
Variables: SG SL SG1 GA GA' GB GB' G1 S2 S1 G2 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (seq S1 S2) GA' @
EvA1 : eval_s GA S1 G1 *
EvA2 : eval_s G1 S2 GA' *
EvB : eval_s GB S1 G2
EvB1 : eval_s G2 S2 GB'
Sec : secure SG SL S1 SG2
Sec1 : secure SG2 SL S2 SG1
Is : is_s S1
Is1 : is_s S2
H1 : public_equiv SG2 G1 G2
H2 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 5:
Variables: SG SL SG1 GA GA' GB GB' S2 S1 E
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (ifte E S1 S2)
Sec : secure SG SL (ifte E S1 S2) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvB : eval_s GB (ifte E S1 S2) GB'
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
============================
public_equiv SG1 GA' GB'
< Is: case Is.
Subgoal 5:
Variables: SG SL SG1 GA GA' GB GB' S2 S1 E
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Sec : secure SG SL (ifte E S1 S2) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvB : eval_s GB (ifte E S1 S2) GB'
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
============================
public_equiv SG1 GA' GB'
< Sec: case Sec.
Subgoal 5:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvB : eval_s GB (ifte E S1 S2) GB'
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 5.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
============================
public_equiv SG1 GA' GB'
< EqGA'GB': apply IH to _ _ _ EvA2 EvB1.
Subgoal 5.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
EqGA'GB' : public_equiv SG2 GA' GB'
============================
public_equiv SG1 GA' GB'
< LkpEq: assert forall X,
lookup SG1 X public -> lookup SG2 X public.
Subgoal 5.1.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
EqGA'GB' : public_equiv SG2 GA' GB'
============================
forall X, lookup SG1 X public -> lookup SG2 X public
< intros Lkp.
Subgoal 5.1.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3 X
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
EqGA'GB' : public_equiv SG2 GA' GB'
Lkp : lookup SG1 X public
============================
lookup SG2 X public
< apply stmt_public_branch to Sec2 Lkp.
Subgoal 5.1.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3 X
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
EqGA'GB' : public_equiv SG2 GA' GB'
Lkp : lookup SG1 X public
H1 : lookup SG2 X public
============================
lookup SG2 X public
< search.
Subgoal 5.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
EqGA'GB' : public_equiv SG2 GA' GB'
LkpEq : forall X, lookup SG1 X public -> lookup SG2 X public
============================
public_equiv SG1 GA' GB'
< apply public_equiv_swap to LkpEq EqGA'GB'.
Subgoal 5.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
EqGA'GB' : public_equiv SG2 GA' GB'
LkpEq : forall X, lookup SG1 X public -> lookup SG2 X public
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 5.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
============================
public_equiv SG1 GA' GB'
< NEq: assert L = public -> false.
Subgoal 5.2.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
============================
L = public -> false
< intros E.
Subgoal 5.2.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
E : L = public
============================
false
< case E.
Subgoal 5.2.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E public
Sec1 : join public SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
============================
false
< apply level_not_public to Is _ Sec EvA1 EvB _.
Subgoal 5.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
============================
public_equiv SG1 GA' GB'
< EqGAGA': apply stmt_not_public_no_public_change to Sec2 _ EvA2.
Subgoal 5.2.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
============================
Sl1 = public -> false
< intros E.
Subgoal 5.2.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
E : Sl1 = public
============================
false
< case E.
Subgoal 5.2.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
============================
false
< apply join_public to Sec1.
Subgoal 5.2.2:
Variables: SG1 GA GA' GB GB' S2 S1 E SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E public
Sec1 : join public public public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : public = public -> false
============================
false
< backchain NEq.
Subgoal 5.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
public_equiv SG1 GA' GB'
< EqGBGB': apply stmt_not_public_no_public_change to Sec3 _ EvB1.
Subgoal 5.2.3:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
Sl1 = public -> false
< intros E.
Subgoal 5.2.3:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
E : Sl1 = public
============================
false
< case E.
Subgoal 5.2.3:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
false
< apply join_public to Sec1.
Subgoal 5.2.3:
Variables: SG1 GA GA' GB GB' S2 S1 E SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E public
Sec1 : join public public public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : public = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
false
< backchain NEq.
Subgoal 5.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
============================
public_equiv SG1 GA' GB'
< EqGAGB': apply public_equiv_trans to Rel EqGBGB'.
Subgoal 5.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
============================
public_equiv SG1 GA' GB'
< EqGA'GA: apply public_equiv_symm to EqGAGA'.
Subgoal 5.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
============================
public_equiv SG1 GA' GB'
< EqGA'GB: apply public_equiv_trans to EqGA'GA Rel.
Subgoal 5.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
EqGA'GB : public_equiv SG1 GA' GB
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to EqGA'GB EqGBGB'.
Subgoal 5.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
EqGA'GB : public_equiv SG1 GA' GB
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 6:
Variables: SG SL SG1 GA GA' GB GB' S2 S1 E
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (ifte E S1 S2)
Sec : secure SG SL (ifte E S1 S2) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvB : eval_s GB (ifte E S1 S2) GB'
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
============================
public_equiv SG1 GA' GB'
< Is: case Is.
Subgoal 6:
Variables: SG SL SG1 GA GA' GB GB' S2 S1 E
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Sec : secure SG SL (ifte E S1 S2) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvB : eval_s GB (ifte E S1 S2) GB'
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
============================
public_equiv SG1 GA' GB'
< Sec: case Sec.
Subgoal 6:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvB : eval_s GB (ifte E S1 S2) GB'
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 6.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
============================
public_equiv SG1 GA' GB'
< NEq: assert L = public -> false.
Subgoal 6.1.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
============================
L = public -> false
< intros E.
Subgoal 6.1.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
E : L = public
============================
false
< case E.
Subgoal 6.1.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E public
Sec1 : join public SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
============================
false
< apply level_not_public to Is _ _ EvA1 EvB _.
Subgoal 6.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
============================
public_equiv SG1 GA' GB'
< EqGAGA': apply stmt_not_public_no_public_change to Sec3 _ EvA2.
Subgoal 6.1.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
============================
Sl1 = public -> false
< intros E.
Subgoal 6.1.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
E : Sl1 = public
============================
false
< case E.
Subgoal 6.1.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
============================
false
< apply join_public to Sec1.
Subgoal 6.1.2:
Variables: SG1 GA GA' GB GB' S2 S1 E SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E public
Sec1 : join public public public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : public = public -> false
============================
false
< backchain NEq.
Subgoal 6.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
public_equiv SG1 GA' GB'
< EqGBGB': apply stmt_not_public_no_public_change to Sec2 _ EvB1.
Subgoal 6.1.3:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
Sl1 = public -> false
< intros E.
Subgoal 6.1.3:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
E : Sl1 = public
============================
false
< case E.
Subgoal 6.1.3:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
false
< apply join_public to Sec1.
Subgoal 6.1.3:
Variables: SG1 GA GA' GB GB' S2 S1 E SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E public
Sec1 : join public public public
Sec2 : secure SG1 public S1 SG2
Sec3 : secure SG1 public S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : public = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
false
< backchain NEq.
Subgoal 6.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
============================
public_equiv SG1 GA' GB'
< EqGAGB': apply public_equiv_trans to Rel EqGBGB'.
Subgoal 6.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
============================
public_equiv SG1 GA' GB'
< EqGA'GA: apply public_equiv_symm to EqGAGA'.
Subgoal 6.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
============================
public_equiv SG1 GA' GB'
< EqGA'GB: apply public_equiv_trans to EqGA'GA Rel.
Subgoal 6.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
EqGA'GB : public_equiv SG1 GA' GB
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to EqGA'GB EqGBGB'.
Subgoal 6.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 GB'
NEq : L = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
EqGA'GB : public_equiv SG1 GA' GB
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 6.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
============================
public_equiv SG1 GA' GB'
< EqGA'GB': apply IH to _ _ _ EvA2 EvB1.
Subgoal 6.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
EqGA'GB' : public_equiv SG3 GA' GB'
============================
public_equiv SG1 GA' GB'
< LkpEq: assert forall X,
lookup SG1 X public -> lookup SG3 X public.
Subgoal 6.2.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
EqGA'GB' : public_equiv SG3 GA' GB'
============================
forall X, lookup SG1 X public -> lookup SG3 X public
< intros Lkp.
Subgoal 6.2.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3 X
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
EqGA'GB' : public_equiv SG3 GA' GB'
Lkp : lookup SG1 X public
============================
lookup SG3 X public
< apply stmt_public_branch to Sec3 Lkp.
Subgoal 6.2.1:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3 X
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
EqGA'GB' : public_equiv SG3 GA' GB'
Lkp : lookup SG1 X public
H1 : lookup SG3 X public
============================
lookup SG3 X public
< search.
Subgoal 6.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
EqGA'GB' : public_equiv SG3 GA' GB'
LkpEq : forall X, lookup SG1 X public -> lookup SG3 X public
============================
public_equiv SG1 GA' GB'
< apply public_equiv_swap to LkpEq EqGA'GB'.
Subgoal 6.2:
Variables: SL SG1 GA GA' GB GB' S2 S1 E L Sl1 SG2 SG3
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (ifte E S1 S2) GA' @
EvA1 : eval_e GA E falseE
EvA2 : eval_s GA S2 GA' *
Is : is_e E
Is1 : is_s S1
Is2 : is_s S2
Sec : level SG1 E L
Sec1 : join L SL Sl1
Sec2 : secure SG1 Sl1 S1 SG2
Sec3 : secure SG1 Sl1 S2 SG3
EvB : eval_e GB E falseE
EvB1 : eval_s GB S2 GB'
EqGA'GB' : public_equiv SG3 GA' GB'
LkpEq : forall X, lookup SG1 X public -> lookup SG3 X public
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 7:
Variables: SG SL SG1 GA GA' GB GB' G1 S1 E
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG SL (while E S1) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (while E S1) GA' @
EvB : eval_s GB (while E S1) GB'
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
============================
public_equiv SG1 GA' GB'
< Is: case Is (keep).
Subgoal 7:
Variables: SG SL SG1 GA GA' GB GB' G1 S1 E
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG SL (while E S1) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (while E S1) GA' @
EvB : eval_s GB (while E S1) GB'
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
============================
public_equiv SG1 GA' GB'
< Sec: case Sec (keep).
Subgoal 7:
Variables: SL SG1 GA GA' GB GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (while E S1) GA' @
EvB : eval_s GB (while E S1) GB'
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 7.1:
Variables: SL SG1 GA GA' GB GB' G1 S1 E L Sl1 SG2 G2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G2
EvB2 : eval_s G2 (while E S1) GB'
============================
public_equiv SG1 GA' GB'
< EqG1G3: apply IH to _ _ _ EvA2 EvB1.
Subgoal 7.1:
Variables: SL SG1 GA GA' GB GB' G1 S1 E L Sl1 SG2 G2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G2
EvB2 : eval_s G2 (while E S1) GB'
EqG1G3 : public_equiv SG2 G1 G2
============================
public_equiv SG1 GA' GB'
< LEq: assert forall X,
lookup SG1 X public -> lookup SG2 X public.
Subgoal 7.1.1:
Variables: SL SG1 GA GA' GB GB' G1 S1 E L Sl1 SG2 G2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G2
EvB2 : eval_s G2 (while E S1) GB'
EqG1G3 : public_equiv SG2 G1 G2
============================
forall X, lookup SG1 X public -> lookup SG2 X public
< intros Lkp.
Subgoal 7.1.1:
Variables: SL SG1 GA GA' GB GB' G1 S1 E L Sl1 SG2 G2 X
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G2
EvB2 : eval_s G2 (while E S1) GB'
EqG1G3 : public_equiv SG2 G1 G2
Lkp : lookup SG1 X public
============================
lookup SG2 X public
< apply stmt_public_branch to Sec3 Lkp.
Subgoal 7.1.1:
Variables: SL SG1 GA GA' GB GB' G1 S1 E L Sl1 SG2 G2 X
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G2
EvB2 : eval_s G2 (while E S1) GB'
EqG1G3 : public_equiv SG2 G1 G2
Lkp : lookup SG1 X public
H1 : lookup SG2 X public
============================
lookup SG2 X public
< search.
Subgoal 7.1:
Variables: SL SG1 GA GA' GB GB' G1 S1 E L Sl1 SG2 G2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G2
EvB2 : eval_s G2 (while E S1) GB'
EqG1G3 : public_equiv SG2 G1 G2
LEq : forall X, lookup SG1 X public -> lookup SG2 X public
============================
public_equiv SG1 GA' GB'
< apply public_equiv_swap to LEq EqG1G3.
Subgoal 7.1:
Variables: SL SG1 GA GA' GB GB' G1 S1 E L Sl1 SG2 G2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G2
EvB2 : eval_s G2 (while E S1) GB'
EqG1G3 : public_equiv SG2 G1 G2
LEq : forall X, lookup SG1 X public -> lookup SG2 X public
H1 : public_equiv SG1 G1 G2
============================
public_equiv SG1 GA' GB'
< EqG1GA': apply IH to Is Sec _ EvA3 EvB2.
Subgoal 7.1:
Variables: SL SG1 GA GA' GB GB' G1 S1 E L Sl1 SG2 G2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G2
EvB2 : eval_s G2 (while E S1) GB'
EqG1G3 : public_equiv SG2 G1 G2
LEq : forall X, lookup SG1 X public -> lookup SG2 X public
H1 : public_equiv SG1 G1 G2
EqG1GA' : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 7.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
============================
public_equiv SG1 GA' GB'
< SNEq: assert L = public -> false.
Subgoal 7.2.1:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
============================
L = public -> false
< intros E.
Subgoal 7.2.1:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
E : L = public
============================
false
< case E.
Subgoal 7.2.1:
Variables: SL SG1 GA GA' GB' G1 S1 E Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E public
Sec2 : join public SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
============================
false
< apply level_not_public to Is1 _ _ EvA1 EvB _.
Subgoal 7.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
SNEq : L = public -> false
============================
public_equiv SG1 GA' GB'
< EqGAG1: apply stmt_not_public_no_public_change to Sec3 _ EvA2.
Subgoal 7.2.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
SNEq : L = public -> false
============================
Sl1 = public -> false
< intros E.
Subgoal 7.2.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
SNEq : L = public -> false
E : Sl1 = public
============================
false
< case E.
Subgoal 7.2.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL public
Sec3 : secure SG1 public S1 SG2
EvB : eval_e GB' E falseE
SNEq : L = public -> false
============================
false
< apply join_public to Sec2.
Subgoal 7.2.2:
Variables: SG1 GA GA' GB' G1 S1 E SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 public (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E public
Sec2 : join public public public
Sec3 : secure SG1 public S1 SG2
EvB : eval_e GB' E falseE
SNEq : public = public -> false
============================
false
< backchain SNEq.
Subgoal 7.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
SNEq : L = public -> false
EqGAG1 : public_equiv SG1 GA G1
============================
public_equiv SG1 GA' GB'
< EqG1GA': apply while_no_public_change to Sec Sec1 _ EvA3.
Subgoal 7.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
SNEq : L = public -> false
EqGAG1 : public_equiv SG1 GA G1
EqG1GA' : public_equiv SG1 G1 GA'
============================
public_equiv SG1 GA' GB'
< EqGAGA': apply public_equiv_trans to EqGAG1 EqG1GA'.
Subgoal 7.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
SNEq : L = public -> false
EqGAG1 : public_equiv SG1 GA G1
EqG1GA' : public_equiv SG1 G1 GA'
EqGAGA' : public_equiv SG1 GA GA'
============================
public_equiv SG1 GA' GB'
< EqGA'GA: apply public_equiv_symm to EqGAGA'.
Subgoal 7.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
SNEq : L = public -> false
EqGAG1 : public_equiv SG1 GA G1
EqG1GA' : public_equiv SG1 G1 GA'
EqGAGA' : public_equiv SG1 GA GA'
EqGA'GA : public_equiv SG1 GA' GA
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to EqGA'GA Rel.
Subgoal 7.2:
Variables: SL SG1 GA GA' GB' G1 S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_s GA (while E S1) GA' @
EvA1 : eval_e GA E trueE
EvA2 : eval_s GA S1 G1 *
EvA3 : eval_s G1 (while E S1) GA' *
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
SNEq : L = public -> false
EqGAG1 : public_equiv SG1 GA G1
EqG1GA' : public_equiv SG1 G1 GA'
EqGAGA' : public_equiv SG1 GA GA'
EqGA'GA : public_equiv SG1 GA' GA
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 8:
Variables: SG SL SG1 GA' GB GB' S1 E
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG SL (while E S1) SG1
Rel : public_equiv SG GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvB : eval_s GB (while E S1) GB'
EvA1 : eval_e GA' E falseE
============================
public_equiv SG1 GA' GB'
< Is: case Is (keep).
Subgoal 8:
Variables: SG SL SG1 GA' GB GB' S1 E
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG SL (while E S1) SG1
Rel : public_equiv SG GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvB : eval_s GB (while E S1) GB'
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
============================
public_equiv SG1 GA' GB'
< Sec: case Sec (keep).
Subgoal 8:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvB : eval_s GB (while E S1) GB'
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 8.1:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
============================
public_equiv SG1 GA' GB'
< SNEq: assert L = public -> false.
Subgoal 8.1.1:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
============================
L = public -> false
< intros E.
Subgoal 8.1.1:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
E : L = public
============================
false
< case E.
Subgoal 8.1.1:
Variables: SL SG1 GA' GB GB' S1 E Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E public
Sec2 : join public SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
============================
false
< apply level_not_public to Is1 _ _ EvA1 EvB _.
Subgoal 8.1:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
SNEq : L = public -> false
============================
public_equiv SG1 GA' GB'
< EqGBG2: apply stmt_not_public_no_public_change to Sec3 _ EvB1.
Subgoal 8.1.2:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
SNEq : L = public -> false
============================
Sl1 = public -> false
< intros E.
Subgoal 8.1.2:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
SNEq : L = public -> false
E : Sl1 = public
============================
false
< case E.
Subgoal 8.1.2:
Variables: SL SG1 GA' GB GB' S1 E L SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL public
Sec3 : secure SG1 public S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
SNEq : L = public -> false
============================
false
< apply join_public to Sec2.
Subgoal 8.1.2:
Variables: SG1 GA' GB GB' S1 E SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 public (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E public
Sec2 : join public public public
Sec3 : secure SG1 public S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
SNEq : public = public -> false
============================
false
< backchain SNEq.
Subgoal 8.1:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
SNEq : L = public -> false
EqGBG2 : public_equiv SG1 GB G1
============================
public_equiv SG1 GA' GB'
< EqGA'G2: apply public_equiv_trans to Rel EqGBG2.
Subgoal 8.1:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
SNEq : L = public -> false
EqGBG2 : public_equiv SG1 GB G1
EqGA'G2 : public_equiv SG1 GA' G1
============================
public_equiv SG1 GA' GB'
< EqG2GB': apply while_no_public_change to Sec Sec1 _ EvB2.
Subgoal 8.1:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
SNEq : L = public -> false
EqGBG2 : public_equiv SG1 GB G1
EqGA'G2 : public_equiv SG1 GA' G1
EqG2GB' : public_equiv SG1 G1 GB'
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to EqGA'G2 EqG2GB'.
Subgoal 8.1:
Variables: SL SG1 GA' GB GB' S1 E L Sl1 SG2 G1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB E trueE
EvB1 : eval_s GB S1 G1
EvB2 : eval_s G1 (while E S1) GB'
SNEq : L = public -> false
EqGBG2 : public_equiv SG1 GB G1
EqGA'G2 : public_equiv SG1 GA' G1
EqG2GB' : public_equiv SG1 G1 GB'
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 8.2:
Variables: SL SG1 GA' GB' S1 E L Sl1 SG2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (while E S1)
Sec : secure SG1 SL (while E S1) SG1
Rel : public_equiv SG1 GA' GB'
EvA : eval_s GA' (while E S1) GA' @
EvA1 : eval_e GA' E falseE
Is1 : is_e E
Is2 : is_s S1
Sec1 : level SG1 E L
Sec2 : join L SL Sl1
Sec3 : secure SG1 Sl1 S1 SG2
EvB : eval_e GB' E falseE
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 9:
Variables: SG SL SG1 GA GB GB' V N E Sl Ty
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (secdecl N Ty Sl E)
Sec : secure SG SL (secdecl N Ty Sl E) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty Sl E) ((N, V)::GA) @
EvB : eval_s GB (secdecl N Ty Sl E) GB'
EvA1 : eval_e GA E V
============================
public_equiv SG1 ((N, V)::GA) GB'
< EvB: case EvB.
Subgoal 9:
Variables: SG SL SG1 GA GB V N E Sl Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s (secdecl N Ty Sl E)
Sec : secure SG SL (secdecl N Ty Sl E) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty Sl E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
============================
public_equiv SG1 ((N, V)::GA) ((N, V1)::GB)
< Is: case Is.
Subgoal 9:
Variables: SG SL SG1 GA GB V N E Sl Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Sec : secure SG SL (secdecl N Ty Sl E) SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty Sl E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl Sl
Is3 : is_e E
============================
public_equiv SG1 ((N, V)::GA) ((N, V1)::GB)
< Sec: case Sec.
Subgoal 9.1:
Variables: SG SL GA GB V N E Ty V1 L
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
============================
public_equiv ((N, private)::SG) ((N, V)::GA) ((N, V1)::GB)
< unfold .
Subgoal 9.1.1:
Variables: SG SL GA GB V N E Ty V1 L
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
============================
forall X V2,
lookup ((N, private)::SG) X public -> lookup ((N, V)::GA) X V2 -> lookup ((N, V1)::GB) X V2
< intros LkpSec Lkp.
Subgoal 9.1.1:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : lookup ((N, private)::SG) X public
Lkp : lookup ((N, V)::GA) X V2
============================
lookup ((N, V1)::GB) X V2
< LkpSec: case LkpSec.
Subgoal 9.1.1:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
Lkp : lookup ((N, V)::GA) X V2
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((N, V1)::GB) X V2
< Lkp: case Lkp.
Subgoal 9.1.1.1:
Variables: SG SL GA GB E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty private E) ((X, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG X
LkpSec : X = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((X, V1)::GB) X V2
< apply LkpSec to _.
Subgoal 9.1.1.2:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GA X V2
============================
lookup ((N, V1)::GB) X V2
< Rel: case Rel.
Subgoal 9.1.1.2:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GA X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V1)::GB) X V2
< apply Rel to LkpSec1 Lkp1.
Subgoal 9.1.1.2:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GA X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GB X V2
============================
lookup ((N, V1)::GB) X V2
< search.
Subgoal 9.1.2:
Variables: SG SL GA GB V N E Ty V1 L
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
============================
forall X V2,
lookup ((N, private)::SG) X public -> lookup ((N, V1)::GB) X V2 -> lookup ((N, V)::GA) X V2
< intros LkpSec Lkp.
Subgoal 9.1.2:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : lookup ((N, private)::SG) X public
Lkp : lookup ((N, V1)::GB) X V2
============================
lookup ((N, V)::GA) X V2
< LkpSec: case LkpSec.
Subgoal 9.1.2:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
Lkp : lookup ((N, V1)::GB) X V2
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((N, V)::GA) X V2
< Lkp: case Lkp.
Subgoal 9.1.2.1:
Variables: SG SL GA GB V E Ty L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty private E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V2
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG X
LkpSec : X = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((X, V)::GA) X V2
< apply LkpSec to _.
Subgoal 9.1.2.2:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GB X V2
============================
lookup ((N, V)::GA) X V2
< Rel: case Rel.
Subgoal 9.1.2.2:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GB X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V)::GA) X V2
< apply Rel1 to LkpSec1 Lkp1.
Subgoal 9.1.2.2:
Variables: SG SL GA GB V N E Ty V1 L X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (secdecl N Ty private E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl private
Is3 : is_e E
Sec : level SG E L
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GB X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GA X V2
============================
lookup ((N, V)::GA) X V2
< search.
Subgoal 9.2:
Variables: SG GA GB V N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
============================
public_equiv ((N, public)::SG) ((N, V)::GA) ((N, V1)::GB)
< apply level_secure to _ Sec Rel EvA1 EvB.
Subgoal 9.2:
Variables: SG GA GB N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
============================
public_equiv ((N, public)::SG) ((N, V1)::GA) ((N, V1)::GB)
< unfold .
Subgoal 9.2.1:
Variables: SG GA GB N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
============================
forall X V,
lookup ((N, public)::SG) X public -> lookup ((N, V1)::GA) X V -> lookup ((N, V1)::GB) X V
< intros LkpSec Lkp.
Subgoal 9.2.1:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
LkpSec : lookup ((N, public)::SG) X public
Lkp : lookup ((N, V1)::GA) X V2
============================
lookup ((N, V1)::GB) X V2
< LkpSec: case LkpSec.
Subgoal 9.2.1.1:
Variables: SG GA GB E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty public E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
Lkp : lookup ((X, V1)::GA) X V2
============================
lookup ((X, V1)::GB) X V2
< Lkp: case Lkp.
Subgoal 9.2.1.1.1:
Variables: SG GA GB E Ty X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty public E) ((X, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
============================
lookup ((X, V2)::GB) X V2
< search.
Subgoal 9.2.1.1.2:
Variables: SG GA GB E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty public E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
Lkp : X = X -> false
Lkp1 : lookup GA X V2
============================
lookup ((X, V1)::GB) X V2
< apply Lkp to _.
Subgoal 9.2.1.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
Lkp : lookup ((N, V1)::GA) X V2
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((N, V1)::GB) X V2
< Lkp: case Lkp.
Subgoal 9.2.1.2.1:
Variables: SG GA GB E Ty X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty public E) ((X, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : X = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((X, V2)::GB) X V2
< apply LkpSec to _.
Subgoal 9.2.1.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GA X V2
============================
lookup ((N, V1)::GB) X V2
< Rel: case Rel.
Subgoal 9.2.1.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GA X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V1)::GB) X V2
< apply Rel to LkpSec1 Lkp1.
Subgoal 9.2.1.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GA X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GB X V2
============================
lookup ((N, V1)::GB) X V2
< search.
Subgoal 9.2.2:
Variables: SG GA GB N E Ty V1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
============================
forall X V,
lookup ((N, public)::SG) X public -> lookup ((N, V1)::GB) X V -> lookup ((N, V1)::GA) X V
< intros LkpSec Lkp.
Subgoal 9.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
LkpSec : lookup ((N, public)::SG) X public
Lkp : lookup ((N, V1)::GB) X V2
============================
lookup ((N, V1)::GA) X V2
< LkpSec: case LkpSec.
Subgoal 9.2.2.1:
Variables: SG GA GB E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty public E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
Lkp : lookup ((X, V1)::GB) X V2
============================
lookup ((X, V1)::GA) X V2
< Lkp: case Lkp.
Subgoal 9.2.2.1.1:
Variables: SG GA GB E Ty X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty public E) ((X, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
============================
lookup ((X, V2)::GA) X V2
< search.
Subgoal 9.2.2.1.2:
Variables: SG GA GB E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty public E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
Lkp : X = X -> false
Lkp1 : lookup GB X V2
============================
lookup ((X, V1)::GA) X V2
< apply Lkp to _.
Subgoal 9.2.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
Lkp : lookup ((N, V1)::GB) X V2
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((N, V1)::GA) X V2
< Lkp: case Lkp.
Subgoal 9.2.2.2.1:
Variables: SG GA GB E Ty X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl X Ty public E) ((X, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : X = X -> false
LkpSec1 : lookup SG X public
============================
lookup ((X, V2)::GA) X V2
< apply LkpSec to _.
Subgoal 9.2.2.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GB X V2
============================
lookup ((N, V1)::GA) X V2
< Rel: case Rel.
Subgoal 9.2.2.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GB X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((N, V1)::GA) X V2
< apply Rel1 to LkpSec1 Lkp1.
Subgoal 9.2.2.2.2:
Variables: SG GA GB N E Ty V1 X V2
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
EvA : eval_s GA (secdecl N Ty public E) ((N, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string N
Is1 : is_ty Ty
Is2 : is_sl public
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG N
LkpSec : N = X -> false
LkpSec1 : lookup SG X public
Lkp : N = X -> false
Lkp1 : lookup GB X V2
Rel : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GA X V2
============================
lookup ((N, V1)::GA) X V2
< search.
Subgoal 10:
Variables: SG SL SG1 GA GA' GB GB' T
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Sec : secure SG SL <unknown K eval_s> SG1
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> T
EvA2 : eval_s GA T GA' *
============================
public_equiv SG1 GA' GB'
< Sec: case Sec.
Subgoal 10:
Variables: SG SL SG1 GA GA' GB GB' T S1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> T
EvA2 : eval_s GA T GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
============================
public_equiv SG1 GA' GB'
< apply proj_s_unique to EvA1 Sec.
Subgoal 10:
Variables: SG SL SG1 GA GA' GB GB' S1
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
============================
public_equiv SG1 GA' GB'
< EvBProj: apply proj_s_eval to EvA1 EvB.
Subgoal 10:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
============================
public_equiv SG1 GA' GB'
< IsCT: apply proj_s_is to Sec Is.
Subgoal 10:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
============================
public_equiv SG1 GA' GB'
< Equiv: apply IH to _ Sec1 Rel EvA2 EvBProj.
Subgoal 10:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
============================
public_equiv SG1 GA' GB'
< LkpGB'G': assert forall X V,
lookup GB' X V -> lookup G' X V.
Subgoal 10.1:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
============================
forall X V, lookup GB' X V -> lookup G' X V
< intros L.
Subgoal 10.1:
Variables: SG SL SG1 GA GA' GB GB' S1 G' X V
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
L : lookup GB' X V
============================
lookup G' X V
< apply proj_s_eval_results to EvA1 EvB EvBProj L.
Subgoal 10.1:
Variables: SG SL SG1 GA GA' GB GB' S1 G' X V
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
L : lookup GB' X V
H1 : lookup G' X V
============================
lookup G' X V
< search.
Subgoal 10:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
============================
public_equiv SG1 GA' GB'
< EqG'GB': assert public_equiv SG1 G' GB'.
Subgoal 10.2:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
============================
public_equiv SG1 G' GB'
< unfold .
Subgoal 10.2.1:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
============================
forall X V, lookup SG1 X public -> lookup G' X V -> lookup GB' X V
< intros LkpSec LkpG'.
Subgoal 10.2.1:
Variables: SG SL SG1 GA GA' GB GB' S1 G' X V
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
LkpSec : lookup SG1 X public
LkpG' : lookup G' X V
============================
lookup GB' X V
< apply proj_s_eval_results_back to Sec EvB EvBProj LkpG'.
Subgoal 10.2.1:
Variables: SG SL SG1 GA GA' GB GB' S1 G' X V
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
LkpSec : lookup SG1 X public
LkpG' : lookup G' X V
H1 : lookup GB' X V
============================
lookup GB' X V
< search.
Subgoal 10.2.2:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
============================
forall X V, lookup SG1 X public -> lookup GB' X V -> lookup G' X V
< intros LkpSec LkpGB'.
Subgoal 10.2.2:
Variables: SG SL SG1 GA GA' GB GB' S1 G' X V
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
LkpSec : lookup SG1 X public
LkpGB' : lookup GB' X V
============================
lookup G' X V
< backchain LkpGB'G'.
Subgoal 10:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
EqG'GB' : public_equiv SG1 G' GB'
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to Equiv EqG'GB'.
Subgoal 10:
Variables: SG SL SG1 GA GA' GB GB' S1 G'
IH : forall S SG SL SG1 GA GA' GB GB',
is_s S -> secure SG SL S SG1 -> public_equiv SG GA GB -> eval_s GA S GA' * ->
eval_s GB S GB' -> public_equiv SG1 GA' GB'
Is : is_s <unknown K eval_s>
Rel : public_equiv SG GA GB
EvA : eval_s GA <unknown K eval_s> GA' @
EvB : eval_s GB <unknown K eval_s> GB'
EvA1 : |{s}- <unknown K eval_s> ~~> S1
EvA2 : eval_s GA S1 GA' *
Sec : |{s}- <unknown K eval_s> ~~> S1
Sec1 : secure SG SL S1 SG1
EvBProj : eval_s GB S1 G'
IsCT : is_s S1
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
EqG'GB' : public_equiv SG1 G' GB'
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Proof completed.
