< Module simple_imp:security.
< Prove_Constraint simple_imp:host:proj_e_unique.
Proof completed.
< Prove_Constraint simple_imp:host:proj_e_is.
Proof completed.
< Prove_Constraint simple_imp:host:proj_rf_unique.
Proof completed.
< Prove_Constraint simple_imp:host:proj_rf_is.
Proof completed.
< Prove_Constraint simple_imp:host:proj_c_unique.
Variables: C2 E Ty X S
Hyp : |{c}- declareSec X S Ty E ~~> declare X Ty E
Hyp1 : |{c}- declareSec X S Ty E ~~> C2
============================
declare X Ty E = C2
< case Hyp1.
Variables: E Ty X S
Hyp : |{c}- declareSec X S Ty E ~~> declare X Ty E
============================
declare X Ty E = declare X Ty E
< search.
Proof completed.
< Prove_Constraint simple_imp:host:proj_c_is.
Variables: E Ty X S
Hyp : |{c}- declareSec X S Ty E ~~> declare X Ty E
Hyp1 : is_c (declareSec X S Ty E)
============================
is_c (declare X Ty E)
< case Hyp1.
Variables: E Ty X S
Hyp : |{c}- declareSec X S Ty E ~~> declare X Ty E
H1 : is_string X
H2 : is_seclevel S
H3 : is_ty Ty
H4 : is_e E
============================
is_c (declare X Ty E)
< search.
Proof completed.
< Prove_Constraint simple_imp:host:proj_recFields_unique.
Proof completed.
< Prove_Constraint simple_imp:host:proj_recFields_is.
Proof completed.
< Prove_Constraint simple_imp:host:proj_ty_unique.
Proof completed.
< Prove_Constraint simple_imp:host:proj_ty_is.
Proof completed.
< Prove_Constraint simple_imp:host:proj_value_unique.
Proof completed.
< Prove_Constraint simple_imp:host:proj_value_is.
Proof completed.
< Prove simple_imp:host:vars_join,
simple_imp:host:vars_rf_join.
Proof completed.
< Prove simple_imp:host:vars_unique,
simple_imp:host:vars_rf_unique.
Proof completed.
< Prove_Constraint simple_imp:host:proj_e_vars_exist.
Proof completed.
< Prove_Constraint simple_imp:host:proj_e_vars.
Proof completed.
< Prove_Constraint simple_imp:host:proj_rf_vars_exist.
Proof completed.
< Prove_Constraint simple_imp:host:proj_rf_vars.
Proof completed.
< Prove simple_imp:host:vars_is,
simple_imp:host:vars_rf_is.
Proof completed.
< Prove simple_imp:host:vars_exist,
simple_imp:host:vars_rf_exist.
Proof completed.
< Prove simple_imp:host:typeOf_unique,
simple_imp:host:typeRecFields_unique.
Proof completed.
< Prove simple_imp:host:typeOK_unique.
Subgoal 8:
Variables: G G2 Ty X E S
IH : forall G C G1 G2, typeOK G C G1 * -> typeOK G C G2 -> G1 = G2
Ty1 : typeOK G (declareSec X S Ty E) ((X, Ty)::G) @
Ty2 : typeOK G (declareSec X S Ty E) G2
Ty3 : no_lookup G X
Ty4 : typeOf G E Ty
============================
(X, Ty)::G = G2
< Ty2: case Ty2.
Subgoal 8:
Variables: G Ty X E S
IH : forall G C G1 G2, typeOK G C G1 * -> typeOK G C G2 -> G1 = G2
Ty1 : typeOK G (declareSec X S Ty E) ((X, Ty)::G) @
Ty3 : no_lookup G X
Ty4 : typeOf G E Ty
Ty2 : no_lookup G X
Ty5 : typeOf G E Ty
============================
(X, Ty)::G = (X, Ty)::G
< apply typeOf_unique to Ty4 Ty5.
Subgoal 8:
Variables: G Ty X E S
IH : forall G C G1 G2, typeOK G C G1 * -> typeOK G C G2 -> G1 = G2
Ty1 : typeOK G (declareSec X S Ty E) ((X, Ty)::G) @
Ty3 : no_lookup G X
Ty4 : typeOf G E Ty
Ty2 : no_lookup G X
Ty5 : typeOf G E Ty
============================
(X, Ty)::G = (X, Ty)::G
< search.
Proof completed.
< Prove_Constraint simple_imp:host:proj_eval_e.
Proof completed.
< Prove simple_imp:host:eval_e_unique,
simple_imp:host:eval_rf_unique.
Proof completed.
< Prove simple_imp:host:update_rec_fields_unique.
Proof completed.
< Prove_Constraint simple_imp:host:proj_c_eval.
Variables: G G2 E Ty X S
Hyp : |{c}- declareSec X S Ty E ~~> declare X Ty E
Hyp1 : eval_c G (declareSec X S Ty E) G2
============================
exists G', eval_c G (declare X Ty E) G'
< Ev: case Hyp1.
Variables: G E Ty X S V
Hyp : |{c}- declareSec X S Ty E ~~> declare X Ty E
Ev : eval_e G E V
============================
exists G', eval_c G (declare X Ty E) G'
< search.
Proof completed.
< Add_Ext_Size simple_imp:host:eval_c.
Proof completed.
< Add_Proj_Rel simple_imp:host:eval_c.
Proof completed.
< Prove_Ext_Ind simple_imp:host:eval_c.
Subgoal 10:
Variables: G V X E Ty S
IH : forall N G C G1, <eval_c {ES}> G C G1 N -> acc N * -> <eval_c {P}> G C G1
IH1 : forall N G C G1,
<eval_c {ES}> G C G1 N ** -> acc N @ -> <eval_c {P}> G C G1
R : <eval_c {ES}> G (declareSec X S Ty E) ((X, V)::G) 1 @@
Acc : acc 1 @
R1 : eval_e G E V
============================
<eval_c {P}> G (declareSec X S Ty E) ((X, V)::G)
< Proj: assert |{c}- declareSec X S Ty E ~~> declare X Ty E.
Subgoal 10:
Variables: G V X E Ty S
IH : forall N G C G1, <eval_c {ES}> G C G1 N -> acc N * -> <eval_c {P}> G C G1
IH1 : forall N G C G1,
<eval_c {ES}> G C G1 N ** -> acc N @ -> <eval_c {P}> G C G1
R : <eval_c {ES}> G (declareSec X S Ty E) ((X, V)::G) 1 @@
Acc : acc 1 @
R1 : eval_e G E V
Proj : |{c}- declareSec X S Ty E ~~> declare X Ty E
============================
<eval_c {P}> G (declareSec X S Ty E) ((X, V)::G)
< search.
Proof completed.
< Prove simple_imp:host:eval_c_unique.
Subgoal 10:
Variables: G G2 V X E Ty S
IH : forall G C G1 G2, eval_c G C G1 * -> eval_c G C G2 -> G1 = G2
Ev1 : eval_c G (declareSec X S Ty E) ((X, V)::G) @
Ev2 : eval_c G (declareSec X S Ty E) G2
Ev3 : eval_e G E V
============================
(X, V)::G = G2
< Ev2: case Ev2.
Subgoal 10:
Variables: G V X E Ty S V1
IH : forall G C G1 G2, eval_c G C G1 * -> eval_c G C G2 -> G1 = G2
Ev1 : eval_c G (declareSec X S Ty E) ((X, V)::G) @
Ev3 : eval_e G E V
Ev2 : eval_e G E V1
============================
(X, V)::G = (X, V1)::G
< apply eval_e_unique to Ev3 Ev2.
Subgoal 10:
Variables: G X E Ty S V1
IH : forall G C G1 G2, eval_c G C G1 * -> eval_c G C G2 -> G1 = G2
Ev1 : eval_c G (declareSec X S Ty E) ((X, V1)::G) @
Ev3 : eval_e G E V1
Ev2 : eval_e G E V1
============================
(X, V1)::G = (X, V1)::G
< search.
Proof completed.
< Prove_Constraint simple_imp:host:proj_c_eval_results.
Variables: G G1 G2 X V E Ty X1 S
Hyp : |{c}- declareSec X1 S Ty E ~~> declare X1 Ty E
Hyp1 : eval_c G (declareSec X1 S Ty E) G1
Hyp2 : eval_c G (declare X1 Ty E) G2
Hyp3 : lookup G1 X V
============================
lookup G2 X V
< Ev1: case Hyp1.
Variables: G G2 X V E Ty X1 S V1
Hyp : |{c}- declareSec X1 S Ty E ~~> declare X1 Ty E
Hyp2 : eval_c G (declare X1 Ty E) G2
Hyp3 : lookup ((X1, V1)::G) X V
Ev1 : eval_e G E V1
============================
lookup G2 X V
< Ev2: case Hyp2.
Variables: G X V E Ty X1 S V1 V2
Hyp : |{c}- declareSec X1 S Ty E ~~> declare X1 Ty E
Hyp3 : lookup ((X1, V1)::G) X V
Ev1 : eval_e G E V1
Ev2 : eval_e G E V2
============================
lookup ((X1, V2)::G) X V
< apply eval_e_unique to Ev1 Ev2.
Variables: G X V E Ty X1 S V2
Hyp : |{c}- declareSec X1 S Ty E ~~> declare X1 Ty E
Hyp3 : lookup ((X1, V2)::G) X V
Ev1 : eval_e G E V2
Ev2 : eval_e G E V2
============================
lookup ((X1, V2)::G) X V
< search.
Proof completed.
< Prove_Constraint simple_imp:host:proj_c_eval_results_back.
Variables: G G1 G2 X V E Ty X1 S
Hyp : |{c}- declareSec X1 S Ty E ~~> declare X1 Ty E
Hyp1 : eval_c G (declareSec X1 S Ty E) G1
Hyp2 : eval_c G (declare X1 Ty E) G2
Hyp3 : lookup G2 X V
============================
lookup G1 X V
< Ev1: case Hyp1.
Variables: G G2 X V E Ty X1 S V1
Hyp : |{c}- declareSec X1 S Ty E ~~> declare X1 Ty E
Hyp2 : eval_c G (declare X1 Ty E) G2
Hyp3 : lookup G2 X V
Ev1 : eval_e G E V1
============================
lookup ((X1, V1)::G) X V
< Ev2: case Hyp2.
Variables: G X V E Ty X1 S V1 V2
Hyp : |{c}- declareSec X1 S Ty E ~~> declare X1 Ty E
Hyp3 : lookup ((X1, V2)::G) X V
Ev1 : eval_e G E V1
Ev2 : eval_e G E V2
============================
lookup ((X1, V1)::G) X V
< apply eval_e_unique to Ev1 Ev2.
Variables: G X V E Ty X1 S V2
Hyp : |{c}- declareSec X1 S Ty E ~~> declare X1 Ty E
Hyp3 : lookup ((X1, V2)::G) X V
Ev1 : eval_e G E V2
Ev2 : eval_e G E V2
============================
lookup ((X1, V2)::G) X V
< search.
Proof completed.
< Prove simple_imp:host:vars_eval_same_result,
simple_imp:host:vars_equal_rf_same_result.
Proof completed.
< Extensible_Theorem
join_private_left : forall A S,
Join : join A private S ->
S = private
on Join.
Subgoal 1:
IH : forall A S, join A private S * -> S = private
Join : join private private private @
============================
private = private
< search.
Subgoal 2:
Variables: A
IH : forall A S, join A private S * -> S = private
Join : join A private private @
============================
private = private
< search.
Proof completed.
< Extensible_Theorem
join_unique : forall A B S1 S2,
J1 : join A B S1 ->
J2 : join A B S2 ->
S1 = S2
on J1.
Subgoal 1:
Variables: S2
IH : forall A B S1 S2, join A B S1 * -> join A B S2 -> S1 = S2
J1 : join public public public @
J2 : join public public S2
============================
public = S2
< case J2.
Subgoal 1:
IH : forall A B S1 S2, join A B S1 * -> join A B S2 -> S1 = S2
J1 : join public public public @
============================
public = public
< search.
Subgoal 2:
Variables: B S2
IH : forall A B S1 S2, join A B S1 * -> join A B S2 -> S1 = S2
J1 : join private B private @
J2 : join private B S2
============================
private = S2
< case J2.
Subgoal 2.1:
Variables: B
IH : forall A B S1 S2, join A B S1 * -> join A B S2 -> S1 = S2
J1 : join private B private @
============================
private = private
< search.
Subgoal 2.2:
IH : forall A B S1 S2, join A B S1 * -> join A B S2 -> S1 = S2
J1 : join private private private @
============================
private = private
< search.
Subgoal 3:
Variables: A S2
IH : forall A B S1 S2, join A B S1 * -> join A B S2 -> S1 = S2
J1 : join A private private @
J2 : join A private S2
============================
private = S2
< apply join_private_left to J2.
Subgoal 3:
Variables: A
IH : forall A B S1 S2, join A B S1 * -> join A B S2 -> S1 = S2
J1 : join A private private @
J2 : join A private private
============================
private = private
< search.
Proof completed.
< Extensible_Theorem
join_public : forall A B,
J : join A B public ->
A = public /\
B = public
on J.
IH : forall A B, join A B public * -> A = public /\ B = public
J : join public public public @
============================
public = public /\ public = public
< search.
Proof completed.
< Extensible_Theorem
level_public_vars : forall SG E V X,
Lev : level SG E public ->
Vars : vars E V ->
Mem : mem X V ->
lookup SG X public
on Lev,
level_public_vars_rf : forall SG RF V X,
Lev : rf_level SG RF public ->
Vars : vars_rf RF V ->
Mem : mem X V ->
lookup SG X public
on Lev.
Subgoal 1.1:
Variables: SG V X I
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (num I) public @
Vars : vars (num I) V
Mem : mem X V
============================
lookup SG X public
< case Vars.
Subgoal 1.1:
Variables: SG X I
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (num I) public @
Mem : mem X []
============================
lookup SG X public
< case Mem.
Subgoal 1.2:
Variables: SG V X S1 S2 E2 E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (plus E1 E2) public @
Vars : vars (plus E1 E2) V
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
============================
lookup SG X public
< Vars1: case Vars.
Subgoal 1.2:
Variables: SG V X S1 S2 E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (plus E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< apply join_public to Lev3.
Subgoal 1.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (plus E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< Or: apply mem_append to Mem Vars3.
Subgoal 1.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (plus E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Or : mem X D1 \/ mem X D2
============================
lookup SG X public
< Mem': case Or.
Subgoal 1.2.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (plus E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
============================
lookup SG X public
< apply IH to Lev1 Vars1 Mem'.
Subgoal 1.2.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (plus E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.2.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (plus E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
============================
lookup SG X public
< apply IH to Lev2 Vars2 Mem'.
Subgoal 1.2.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (plus E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.3:
Variables: SG V X X1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (name X1) public @
Vars : vars (name X1) V
Mem : mem X V
Lev1 : lookup SG X1 public
============================
lookup SG X public
< case Vars.
Subgoal 1.3:
Variables: SG X X1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (name X1) public @
Mem : mem X [X1]
Lev1 : lookup SG X1 public
============================
lookup SG X public
< Mem': case Mem.
Subgoal 1.3.1:
Variables: SG X1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (name X1) public @
Lev1 : lookup SG X1 public
============================
lookup SG X1 public
< search.
Subgoal 1.3.2:
Variables: SG X X1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (name X1) public @
Lev1 : lookup SG X1 public
Mem' : mem X []
============================
lookup SG X public
< case Mem'.
Subgoal 1.4:
Variables: SG V X S1 S2 E2 E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (greater E1 E2) public @
Vars : vars (greater E1 E2) V
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
============================
lookup SG X public
< Vars1: case Vars.
Subgoal 1.4:
Variables: SG V X S1 S2 E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (greater E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< apply join_public to Lev3.
Subgoal 1.4:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (greater E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< Or: apply mem_append to Mem Vars3.
Subgoal 1.4:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (greater E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Or : mem X D1 \/ mem X D2
============================
lookup SG X public
< Mem': case Or.
Subgoal 1.4.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (greater E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
============================
lookup SG X public
< apply IH to Lev1 Vars1 Mem'.
Subgoal 1.4.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (greater E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.4.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (greater E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
============================
lookup SG X public
< apply IH to Lev2 Vars2 Mem'.
Subgoal 1.4.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (greater E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.5:
Variables: SG V X S1 S2 E2 E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Vars : vars (eq E1 E2) V
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
============================
lookup SG X public
< Vars1: case Vars.
Subgoal 1.5:
Variables: SG V X S1 S2 E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< apply join_public to Lev3.
Subgoal 1.5:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< Or: apply mem_append to Mem Vars3.
Subgoal 1.5:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Or : mem X D1 \/ mem X D2
============================
lookup SG X public
< Mem': case Or.
Subgoal 1.5.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
============================
lookup SG X public
< apply IH to Lev1 Vars1 Mem'.
Subgoal 1.5.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.5.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
============================
lookup SG X public
< apply IH to Lev2 Vars2 Mem'.
Subgoal 1.5.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (eq E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.6:
Variables: SG V X S1 S2 E2 E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (and E1 E2) public @
Vars : vars (and E1 E2) V
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
============================
lookup SG X public
< Vars1: case Vars.
Subgoal 1.6:
Variables: SG V X S1 S2 E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (and E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< apply join_public to Lev3.
Subgoal 1.6:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (and E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< Or: apply mem_append to Mem Vars3.
Subgoal 1.6:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (and E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Or : mem X D1 \/ mem X D2
============================
lookup SG X public
< Mem': case Or.
Subgoal 1.6.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (and E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
============================
lookup SG X public
< apply IH to Lev1 Vars1 Mem'.
Subgoal 1.6.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (and E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.6.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (and E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
============================
lookup SG X public
< apply IH to Lev2 Vars2 Mem'.
Subgoal 1.6.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (and E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.7:
Variables: SG V X S1 S2 E2 E1
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (or E1 E2) public @
Vars : vars (or E1 E2) V
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
============================
lookup SG X public
< Vars1: case Vars.
Subgoal 1.7:
Variables: SG V X S1 S2 E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (or E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 S1 *
Lev2 : level SG E2 S2 *
Lev3 : join S1 S2 public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< apply join_public to Lev3.
Subgoal 1.7:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (or E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
============================
lookup SG X public
< Or: apply mem_append to Mem Vars3.
Subgoal 1.7:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (or E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Or : mem X D1 \/ mem X D2
============================
lookup SG X public
< Mem': case Or.
Subgoal 1.7.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (or E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
============================
lookup SG X public
< apply IH to Lev1 Vars1 Mem'.
Subgoal 1.7.1:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (or E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D1
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.7.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (or E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
============================
lookup SG X public
< apply IH to Lev2 Vars2 Mem'.
Subgoal 1.7.2:
Variables: SG V X E2 E1 D1 D2
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (or E1 E2) public @
Mem : mem X V
Lev1 : level SG E1 public *
Lev2 : level SG E2 public *
Lev3 : join public public public
Vars1 : vars E1 D1
Vars2 : vars E2 D2
Vars3 : D1 ++ D2 = V
Mem' : mem X D2
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.8:
Variables: SG V X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG true public @
Vars : vars true V
Mem : mem X V
============================
lookup SG X public
< case Vars.
Subgoal 1.8:
Variables: SG X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG true public @
Mem : mem X []
============================
lookup SG X public
< case Mem.
Subgoal 1.9:
Variables: SG V X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG false public @
Vars : vars false V
Mem : mem X V
============================
lookup SG X public
< case Vars.
Subgoal 1.9:
Variables: SG X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG false public @
Mem : mem X []
============================
lookup SG X public
< case Mem.
Subgoal 1.10:
Variables: SG V X Fields
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (recBuild Fields) public @
Vars : vars (recBuild Fields) V
Mem : mem X V
Lev1 : rf_level SG Fields public *
============================
lookup SG X public
< Vars: case Vars.
Subgoal 1.10:
Variables: SG V X Fields
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (recBuild Fields) public @
Mem : mem X V
Lev1 : rf_level SG Fields public *
Vars : vars_rf Fields V
============================
lookup SG X public
< apply IH1 to Lev1 Vars Mem.
Subgoal 1.10:
Variables: SG V X Fields
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (recBuild Fields) public @
Mem : mem X V
Lev1 : rf_level SG Fields public *
Vars : vars_rf Fields V
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.11:
Variables: SG V X Field Rec
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (recFieldAccess Rec Field) public @
Vars : vars (recFieldAccess Rec Field) V
Mem : mem X V
Lev1 : level SG Rec public *
============================
lookup SG X public
< Vars: case Vars.
Subgoal 1.11:
Variables: SG V X Field Rec
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (recFieldAccess Rec Field) public @
Mem : mem X V
Lev1 : level SG Rec public *
Vars : vars Rec V
============================
lookup SG X public
< apply IH to Lev1 Vars Mem.
Subgoal 1.11:
Variables: SG V X Field Rec
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG (recFieldAccess Rec Field) public @
Mem : mem X V
Lev1 : level SG Rec public *
Vars : vars Rec V
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 1.12:
Variables: SG V X ET
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG <unknown I e> public @
Vars : vars <unknown I e> V
Mem : mem X V
Lev1 : |{e}- <unknown I e> ~~> ET
Lev2 : level SG ET public *
============================
lookup SG X public
< V: apply proj_e_vars_exist to Lev1 Vars.
Subgoal 1.12:
Variables: SG V X ET V'
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG <unknown I e> public @
Vars : vars <unknown I e> V
Mem : mem X V
Lev1 : |{e}- <unknown I e> ~~> ET
Lev2 : level SG ET public *
V : vars ET V'
============================
lookup SG X public
< Mem: apply proj_e_vars to Lev1 Vars V Mem.
Subgoal 1.12:
Variables: SG V X ET V'
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG <unknown I e> public @
Vars : vars <unknown I e> V
Mem : mem X V
Lev1 : |{e}- <unknown I e> ~~> ET
Lev2 : level SG ET public *
V : vars ET V'
Mem1 : mem X V'
============================
lookup SG X public
< apply IH to Lev2 V Mem1.
Subgoal 1.12:
Variables: SG V X ET V'
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : level SG <unknown I e> public @
Vars : vars <unknown I e> V
Mem : mem X V
Lev1 : |{e}- <unknown I e> ~~> ET
Lev2 : level SG ET public *
V : vars ET V'
Mem1 : mem X V'
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 2.1:
Variables: SG V X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG endRecFieldExprs public @
Vars : vars_rf endRecFieldExprs V
Mem : mem X V
============================
lookup SG X public
< case Vars.
Subgoal 2.1:
Variables: SG X
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG endRecFieldExprs public @
Mem : mem X []
============================
lookup SG X public
< case Mem.
Subgoal 2.2:
Variables: SG V X S1 S2 Rest E L
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG (addRecFieldExprs L E Rest) public @
Vars : vars_rf (addRecFieldExprs L E Rest) V
Mem : mem X V
Lev1 : level SG E S1 *
Lev2 : rf_level SG Rest S2 *
Lev3 : join S1 S2 public
============================
lookup SG X public
< Vars1: case Vars.
Subgoal 2.2:
Variables: SG V X S1 S2 Rest E L DRest DE
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG (addRecFieldExprs L E Rest) public @
Mem : mem X V
Lev1 : level SG E S1 *
Lev2 : rf_level SG Rest S2 *
Lev3 : join S1 S2 public
Vars1 : vars_rf Rest DRest
Vars2 : vars E DE
Vars3 : DE ++ DRest = V
============================
lookup SG X public
< apply join_public to Lev3.
Subgoal 2.2:
Variables: SG V X Rest E L DRest DE
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG (addRecFieldExprs L E Rest) public @
Mem : mem X V
Lev1 : level SG E public *
Lev2 : rf_level SG Rest public *
Lev3 : join public public public
Vars1 : vars_rf Rest DRest
Vars2 : vars E DE
Vars3 : DE ++ DRest = V
============================
lookup SG X public
< Or: apply mem_append to Mem Vars3.
Subgoal 2.2:
Variables: SG V X Rest E L DRest DE
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG (addRecFieldExprs L E Rest) public @
Mem : mem X V
Lev1 : level SG E public *
Lev2 : rf_level SG Rest public *
Lev3 : join public public public
Vars1 : vars_rf Rest DRest
Vars2 : vars E DE
Vars3 : DE ++ DRest = V
Or : mem X DE \/ mem X DRest
============================
lookup SG X public
< Mem': case Or.
Subgoal 2.2.1:
Variables: SG V X Rest E L DRest DE
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG (addRecFieldExprs L E Rest) public @
Mem : mem X V
Lev1 : level SG E public *
Lev2 : rf_level SG Rest public *
Lev3 : join public public public
Vars1 : vars_rf Rest DRest
Vars2 : vars E DE
Vars3 : DE ++ DRest = V
Mem' : mem X DE
============================
lookup SG X public
< apply IH to Lev1 Vars2 Mem'.
Subgoal 2.2.1:
Variables: SG V X Rest E L DRest DE
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG (addRecFieldExprs L E Rest) public @
Mem : mem X V
Lev1 : level SG E public *
Lev2 : rf_level SG Rest public *
Lev3 : join public public public
Vars1 : vars_rf Rest DRest
Vars2 : vars E DE
Vars3 : DE ++ DRest = V
Mem' : mem X DE
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 2.2.2:
Variables: SG V X Rest E L DRest DE
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG (addRecFieldExprs L E Rest) public @
Mem : mem X V
Lev1 : level SG E public *
Lev2 : rf_level SG Rest public *
Lev3 : join public public public
Vars1 : vars_rf Rest DRest
Vars2 : vars E DE
Vars3 : DE ++ DRest = V
Mem' : mem X DRest
============================
lookup SG X public
< apply IH1 to Lev2 Vars1 Mem'.
Subgoal 2.2.2:
Variables: SG V X Rest E L DRest DE
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG (addRecFieldExprs L E Rest) public @
Mem : mem X V
Lev1 : level SG E public *
Lev2 : rf_level SG Rest public *
Lev3 : join public public public
Vars1 : vars_rf Rest DRest
Vars2 : vars E DE
Vars3 : DE ++ DRest = V
Mem' : mem X DRest
H1 : lookup SG X public
============================
lookup SG X public
< search.
Subgoal 2.3:
Variables: SG V X RFT
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG <unknown I recFieldExprs> public @
Vars : vars_rf <unknown I recFieldExprs> V
Mem : mem X V
Lev1 : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT
Lev2 : rf_level SG RFT public *
============================
lookup SG X public
< V: apply proj_rf_vars_exist to Lev1 Vars.
Subgoal 2.3:
Variables: SG V X RFT V'
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG <unknown I recFieldExprs> public @
Vars : vars_rf <unknown I recFieldExprs> V
Mem : mem X V
Lev1 : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT
Lev2 : rf_level SG RFT public *
V : vars_rf RFT V'
============================
lookup SG X public
< Mem: apply proj_rf_vars to Lev1 Vars V Mem.
Subgoal 2.3:
Variables: SG V X RFT V'
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG <unknown I recFieldExprs> public @
Vars : vars_rf <unknown I recFieldExprs> V
Mem : mem X V
Lev1 : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT
Lev2 : rf_level SG RFT public *
V : vars_rf RFT V'
Mem1 : mem X V'
============================
lookup SG X public
< apply IH1 to Lev2 V Mem1.
Subgoal 2.3:
Variables: SG V X RFT V'
IH : forall SG E V X,
level SG E public * -> vars E V -> mem X V -> lookup SG X public
IH1 : forall SG RF V X,
rf_level SG RF public * -> vars_rf RF V -> mem X V -> lookup SG X public
Lev : rf_level SG <unknown I recFieldExprs> public @
Vars : vars_rf <unknown I recFieldExprs> V
Mem : mem X V
Lev1 : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT
Lev2 : rf_level SG RFT public *
V : vars_rf RFT V'
Mem1 : mem X V'
H1 : lookup SG X public
============================
lookup SG X public
< search.
Proof completed.
< Define public_equiv :
(list (pair (string) seclevel)) ->
(list (pair (string) value)) ->
(list (pair (string) value)) ->
prop by
public_equiv S G1 G2 :=
((forall X V1 V2,
lookup S X public -> lookup G1 X V1 -> lookup G2 X V2 -> V1 = V2) /\
(forall X V, lookup S X public -> lookup G1 X V -> lookup G2 X V)) /\
(forall X V, lookup S X public -> lookup G2 X V -> lookup G1 X V).
< Theorem public_equiv_trans :
forall SG GA GB GC,
public_equiv SG GA GB -> public_equiv SG GB GC -> public_equiv SG GA GC.
============================
forall SG GA GB GC,
public_equiv SG GA GB -> public_equiv SG GB GC -> public_equiv SG GA GC
< intros PEAB PEBC.
Variables: SG GA GB GC
PEAB : public_equiv SG GA GB
PEBC : public_equiv SG GB GC
============================
public_equiv SG GA GC
< PEAB: case PEAB.
Variables: SG GA GB GC
PEBC : public_equiv SG GB GC
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
public_equiv SG GA GC
< PEBC: case PEBC.
Variables: SG GA GB GC
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
============================
public_equiv SG GA GC
< unfold .
Subgoal 1:
Variables: SG GA GB GC
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
============================
forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GC X V2 -> V1 = V2
< intros LkpSec LkpA LkpC.
Subgoal 1:
Variables: SG GA GB GC X V1 V2
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpA : lookup GA X V1
LkpC : lookup GC X V2
============================
V1 = V2
< LkpB: apply PEAB1 to LkpSec LkpA.
Subgoal 1:
Variables: SG GA GB GC X V1 V2
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpA : lookup GA X V1
LkpC : lookup GC X V2
LkpB : lookup GB X V1
============================
V1 = V2
< apply PEBC to LkpSec LkpB LkpC.
Subgoal 1:
Variables: SG GA GB GC X V2
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpA : lookup GA X V2
LkpC : lookup GC X V2
LkpB : lookup GB X V2
============================
V2 = V2
< search.
Subgoal 2:
Variables: SG GA GB GC
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
============================
forall X V, lookup SG X public -> lookup GA X V -> lookup GC X V
< intros LkpSec LkpA.
Subgoal 2:
Variables: SG GA GB GC X V
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
============================
lookup GC X V
< LkpB: apply PEAB1 to LkpSec LkpA.
Subgoal 2:
Variables: SG GA GB GC X V
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
LkpB : lookup GB X V
============================
lookup GC X V
< apply PEBC1 to LkpSec LkpB.
Subgoal 2:
Variables: SG GA GB GC X V
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
LkpB : lookup GB X V
H1 : lookup GC X V
============================
lookup GC X V
< search.
Subgoal 3:
Variables: SG GA GB GC
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
============================
forall X V, lookup SG X public -> lookup GC X V -> lookup GA X V
< intros LkpSec LkpC.
Subgoal 3:
Variables: SG GA GB GC X V
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpC : lookup GC X V
============================
lookup GA X V
< LkpB: apply PEBC2 to LkpSec LkpC.
Subgoal 3:
Variables: SG GA GB GC X V
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpC : lookup GC X V
LkpB : lookup GB X V
============================
lookup GA X V
< apply PEAB2 to LkpSec LkpB.
Subgoal 3:
Variables: SG GA GB GC X V
PEAB : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
PEAB1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
PEAB2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
PEBC : forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GC X V2 -> V1 = V2
PEBC1 : forall X V, lookup SG X public -> lookup GB X V -> lookup GC X V
PEBC2 : forall X V, lookup SG X public -> lookup GC X V -> lookup GB X V
LkpSec : lookup SG X public
LkpC : lookup GC X V
LkpB : lookup GB X V
H1 : lookup GA X V
============================
lookup GA X V
< search.
Proof completed.
< Theorem public_equiv_symm :
forall SG GA GB, public_equiv SG GA GB -> public_equiv SG GB GA.
============================
forall SG GA GB, public_equiv SG GA GB -> public_equiv SG GB GA
< intros Rel.
Variables: SG GA GB
Rel : public_equiv SG GA GB
============================
public_equiv SG GB GA
< Rel: case Rel.
Variables: SG GA GB
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
public_equiv SG GB GA
< unfold .
Subgoal 1:
Variables: SG GA GB
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
forall X V1 V2,
lookup SG X public -> lookup GB X V1 -> lookup GA X V2 -> V1 = V2
< intros LkpSec LkpB LkpA.
Subgoal 1:
Variables: SG GA GB X V1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V1
LkpA : lookup GA X V2
============================
V1 = V2
< apply Rel to LkpSec LkpA LkpB.
Subgoal 1:
Variables: SG GA GB X V1
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V1
LkpA : lookup GA X V1
============================
V1 = V1
< search.
Subgoal 2:
Variables: SG GA GB
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
< intros LkpSec LkpB.
Subgoal 2:
Variables: SG GA GB X V
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
============================
lookup GA X V
< apply Rel2 to LkpSec LkpB.
Subgoal 2:
Variables: SG GA GB X V
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
H1 : lookup GA X V
============================
lookup GA X V
< search.
Subgoal 3:
Variables: SG GA GB
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
< intros LkpSec LkpA.
Subgoal 3:
Variables: SG GA GB X V
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
============================
lookup GB X V
< apply Rel1 to LkpSec LkpA.
Subgoal 3:
Variables: SG GA GB X V
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
H1 : lookup GB X V
============================
lookup GB X V
< search.
Proof completed.
< Theorem public_equiv_refl :
forall SG G, public_equiv SG G G.
============================
forall SG G, public_equiv SG G G
< intros.
Variables: SG G
============================
public_equiv SG G G
< unfold .
Subgoal 1:
Variables: SG G
============================
forall X V1 V2, lookup SG X public -> lookup G X V1 -> lookup G X V2 -> V1 = V2
< intros LkpSec Lkp1 Lkp2.
Subgoal 1:
Variables: SG G X V1 V2
LkpSec : lookup SG X public
Lkp1 : lookup G X V1
Lkp2 : lookup G X V2
============================
V1 = V2
< apply lookup_unique to Lkp1 Lkp2.
Subgoal 1:
Variables: SG G X V2
LkpSec : lookup SG X public
Lkp1 : lookup G X V2
Lkp2 : lookup G X V2
============================
V2 = V2
< search.
Subgoal 2:
Variables: SG G
============================
forall X V, lookup SG X public -> lookup G X V -> lookup G X V
< intros.
Subgoal 2:
Variables: SG G X V
H1 : lookup SG X public
H2 : lookup G X V
============================
lookup G X V
< search.
Subgoal 3:
Variables: SG G
============================
forall X V, lookup SG X public -> lookup G X V -> lookup G X V
< intros.
Subgoal 3:
Variables: SG G X V
H1 : lookup SG X public
H2 : lookup G X V
============================
lookup G X V
< search.
Proof completed.
< Theorem level_secure :
forall SG G1 G2 E V1 V2,
is_e E -> level SG E public -> public_equiv SG G1 G2 -> eval_e G1 E V1 ->
eval_e G2 E V2 -> V1 = V2.
============================
forall SG G1 G2 E V1 V2,
is_e E -> level SG E public -> public_equiv SG G1 G2 -> eval_e G1 E V1 -> eval_e G2 E V2 ->
V1 = V2
< intros IsE Lev Equiv Ev1 Ev2.
Variables: SG G1 G2 E V1 V2
IsE : is_e E
Lev : level SG E public
Equiv : public_equiv SG G1 G2
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
============================
V1 = V2
< Vars: apply vars_exist to IsE.
Variables: SG G1 G2 E V1 V2 V
IsE : is_e E
Lev : level SG E public
Equiv : public_equiv SG G1 G2
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
============================
V1 = V2
< Equiv: case Equiv.
Variables: SG G1 G2 E V1 V2 V
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V1 V2,
lookup SG X public -> lookup G1 X V1 -> lookup G2 X V2 -> V1 = V2
Equiv1 : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv2 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
============================
V1 = V2
< apply vars_eval_same_result to _ Vars Ev1 Ev2.
Subgoal 1:
Variables: SG G1 G2 E V1 V2 V
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V1 V2,
lookup SG X public -> lookup G1 X V1 -> lookup G2 X V2 -> V1 = V2
Equiv1 : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv2 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
============================
forall X U1 U2, mem X V -> lookup G1 X U1 -> lookup G2 X U2 -> U1 = U2
< intros Mem Lkp1 Lkp2.
Subgoal 1:
Variables: SG G1 G2 E V1 V2 V X U1 U2
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V1 V2,
lookup SG X public -> lookup G1 X V1 -> lookup G2 X V2 -> V1 = V2
Equiv1 : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv2 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
Mem : mem X V
Lkp1 : lookup G1 X U1
Lkp2 : lookup G2 X U2
============================
U1 = U2
< LkpS: apply level_public_vars to Lev Vars Mem.
Subgoal 1:
Variables: SG G1 G2 E V1 V2 V X U1 U2
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V1 V2,
lookup SG X public -> lookup G1 X V1 -> lookup G2 X V2 -> V1 = V2
Equiv1 : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv2 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
Mem : mem X V
Lkp1 : lookup G1 X U1
Lkp2 : lookup G2 X U2
LkpS : lookup SG X public
============================
U1 = U2
< apply Equiv to LkpS Lkp1 Lkp2.
Subgoal 1:
Variables: SG G1 G2 E V1 V2 V X U2
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V1 V2,
lookup SG X public -> lookup G1 X V1 -> lookup G2 X V2 -> V1 = V2
Equiv1 : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv2 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
Mem : mem X V
Lkp1 : lookup G1 X U2
Lkp2 : lookup G2 X U2
LkpS : lookup SG X public
============================
U2 = U2
< search.
Variables: SG G1 G2 E V2 V
IsE : is_e E
Lev : level SG E public
Ev1 : eval_e G1 E V2
Ev2 : eval_e G2 E V2
Vars : vars E V
Equiv : forall X V1 V2,
lookup SG X public -> lookup G1 X V1 -> lookup G2 X V2 -> V1 = V2
Equiv1 : forall X V, lookup SG X public -> lookup G1 X V -> lookup G2 X V
Equiv2 : forall X V, lookup SG X public -> lookup G2 X V -> lookup G1 X V
============================
V2 = V2
< search.
Proof completed.
< Extensible_Theorem
level_unique : forall SG E S1 S2,
LevA : level SG E S1 ->
LevB : level SG E S2 ->
S1 = S2
on LevA,
level_rf_unique : forall SG RF S1 S2,
LevA : rf_level SG RF S1 ->
LevB : rf_level SG RF S2 ->
S1 = S2
on LevA.
Subgoal 1.1:
Variables: SG S2 I
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (num I) public @
LevB : level SG (num I) S2
============================
public = S2
< case LevB.
Subgoal 1.1:
Variables: SG I
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (num I) public @
============================
public = public
< search.
Subgoal 1.2:
Variables: SG S1 S2 S3 S4 E2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (plus E1 E2) S1 @
LevB : level SG (plus E1 E2) S2
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
============================
S1 = S2
< LevB: case LevB.
Subgoal 1.2:
Variables: SG S1 S2 S3 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (plus E1 E2) S1 @
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA1 LevB.
Subgoal 1.2:
Variables: SG S1 S2 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (plus E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S4 *
LevA3 : join S5 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA2 LevB1.
Subgoal 1.2:
Variables: SG S1 S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (plus E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply join_unique to LevA3 LevB2.
Subgoal 1.2:
Variables: SG S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (plus E1 E2) S2 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S2
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S2 = S2
< search.
Subgoal 1.3:
Variables: SG S1 S2 X
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (name X) S1 @
LevB : level SG (name X) S2
LevA1 : lookup SG X S1
============================
S1 = S2
< LevB: case LevB.
Subgoal 1.3:
Variables: SG S1 S2 X
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (name X) S1 @
LevA1 : lookup SG X S1
LevB : lookup SG X S2
============================
S1 = S2
< apply lookup_unique to LevA1 LevB.
Subgoal 1.3:
Variables: SG S2 X
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (name X) S2 @
LevA1 : lookup SG X S2
LevB : lookup SG X S2
============================
S2 = S2
< search.
Subgoal 1.4:
Variables: SG S1 S2 S3 S4 E2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (greater E1 E2) S1 @
LevB : level SG (greater E1 E2) S2
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
============================
S1 = S2
< LevB: case LevB.
Subgoal 1.4:
Variables: SG S1 S2 S3 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (greater E1 E2) S1 @
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA1 LevB.
Subgoal 1.4:
Variables: SG S1 S2 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (greater E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S4 *
LevA3 : join S5 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA2 LevB1.
Subgoal 1.4:
Variables: SG S1 S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (greater E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply join_unique to LevA3 LevB2.
Subgoal 1.4:
Variables: SG S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (greater E1 E2) S2 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S2
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S2 = S2
< search.
Subgoal 1.5:
Variables: SG S1 S2 S3 S4 E2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (eq E1 E2) S1 @
LevB : level SG (eq E1 E2) S2
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
============================
S1 = S2
< LevB: case LevB.
Subgoal 1.5:
Variables: SG S1 S2 S3 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (eq E1 E2) S1 @
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA1 LevB.
Subgoal 1.5:
Variables: SG S1 S2 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (eq E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S4 *
LevA3 : join S5 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA2 LevB1.
Subgoal 1.5:
Variables: SG S1 S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (eq E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply join_unique to LevA3 LevB2.
Subgoal 1.5:
Variables: SG S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (eq E1 E2) S2 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S2
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S2 = S2
< search.
Subgoal 1.6:
Variables: SG S1 S2 S3 S4 E2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (and E1 E2) S1 @
LevB : level SG (and E1 E2) S2
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
============================
S1 = S2
< LevB: case LevB.
Subgoal 1.6:
Variables: SG S1 S2 S3 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (and E1 E2) S1 @
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA1 LevB.
Subgoal 1.6:
Variables: SG S1 S2 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (and E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S4 *
LevA3 : join S5 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA2 LevB1.
Subgoal 1.6:
Variables: SG S1 S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (and E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply join_unique to LevA3 LevB2.
Subgoal 1.6:
Variables: SG S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (and E1 E2) S2 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S2
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S2 = S2
< search.
Subgoal 1.7:
Variables: SG S1 S2 S3 S4 E2 E1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (or E1 E2) S1 @
LevB : level SG (or E1 E2) S2
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
============================
S1 = S2
< LevB: case LevB.
Subgoal 1.7:
Variables: SG S1 S2 S3 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (or E1 E2) S1 @
LevA1 : level SG E1 S3 *
LevA2 : level SG E2 S4 *
LevA3 : join S3 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA1 LevB.
Subgoal 1.7:
Variables: SG S1 S2 S4 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (or E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S4 *
LevA3 : join S5 S4 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA2 LevB1.
Subgoal 1.7:
Variables: SG S1 S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (or E1 E2) S1 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S1
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply join_unique to LevA3 LevB2.
Subgoal 1.7:
Variables: SG S2 E2 E1 S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (or E1 E2) S2 @
LevA1 : level SG E1 S5 *
LevA2 : level SG E2 S6 *
LevA3 : join S5 S6 S2
LevB : level SG E1 S5
LevB1 : level SG E2 S6
LevB2 : join S5 S6 S2
============================
S2 = S2
< search.
Subgoal 1.8:
Variables: SG S2
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG true public @
LevB : level SG true S2
============================
public = S2
< case LevB.
Subgoal 1.8:
Variables: SG
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG true public @
============================
public = public
< search.
Subgoal 1.9:
Variables: SG S2
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG false public @
LevB : level SG false S2
============================
public = S2
< case LevB.
Subgoal 1.9:
Variables: SG
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG false public @
============================
public = public
< search.
Subgoal 1.10:
Variables: SG S1 S2 Fields
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (recBuild Fields) S1 @
LevB : level SG (recBuild Fields) S2
LevA1 : rf_level SG Fields S1 *
============================
S1 = S2
< LevB: case LevB.
Subgoal 1.10:
Variables: SG S1 S2 Fields
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (recBuild Fields) S1 @
LevA1 : rf_level SG Fields S1 *
LevB : rf_level SG Fields S2
============================
S1 = S2
< apply IH1 to LevA1 LevB.
Subgoal 1.10:
Variables: SG S2 Fields
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (recBuild Fields) S2 @
LevA1 : rf_level SG Fields S2 *
LevB : rf_level SG Fields S2
============================
S2 = S2
< search.
Subgoal 1.11:
Variables: SG S1 S2 Field Rec
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (recFieldAccess Rec Field) S1 @
LevB : level SG (recFieldAccess Rec Field) S2
LevA1 : level SG Rec S1 *
============================
S1 = S2
< LevB: case LevB.
Subgoal 1.11:
Variables: SG S1 S2 Field Rec
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (recFieldAccess Rec Field) S1 @
LevA1 : level SG Rec S1 *
LevB : level SG Rec S2
============================
S1 = S2
< apply IH to LevA1 LevB.
Subgoal 1.11:
Variables: SG S2 Field Rec
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG (recFieldAccess Rec Field) S2 @
LevA1 : level SG Rec S2 *
LevB : level SG Rec S2
============================
S2 = S2
< search.
Subgoal 1.12:
Variables: SG S1 S2 ET
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG <unknown I e> S1 @
LevB : level SG <unknown I e> S2
LevA1 : |{e}- <unknown I e> ~~> ET
LevA2 : level SG ET S1 *
============================
S1 = S2
< LevB: case LevB.
Subgoal 1.12:
Variables: SG S1 S2 ET ET1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG <unknown I e> S1 @
LevA1 : |{e}- <unknown I e> ~~> ET
LevA2 : level SG ET S1 *
LevB : |{e}- <unknown I e> ~~> ET1
LevB1 : level SG ET1 S2
============================
S1 = S2
< apply proj_e_unique to LevA1 LevB.
Subgoal 1.12:
Variables: SG S1 S2 ET1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG <unknown I e> S1 @
LevA1 : |{e}- <unknown I e> ~~> ET1
LevA2 : level SG ET1 S1 *
LevB : |{e}- <unknown I e> ~~> ET1
LevB1 : level SG ET1 S2
============================
S1 = S2
< apply IH to LevA2 LevB1.
Subgoal 1.12:
Variables: SG S2 ET1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : level SG <unknown I e> S2 @
LevA1 : |{e}- <unknown I e> ~~> ET1
LevA2 : level SG ET1 S2 *
LevB : |{e}- <unknown I e> ~~> ET1
LevB1 : level SG ET1 S2
============================
S2 = S2
< search.
Subgoal 2.1:
Variables: SG S2
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG endRecFieldExprs public @
LevB : rf_level SG endRecFieldExprs S2
============================
public = S2
< case LevB.
Subgoal 2.1:
Variables: SG
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG endRecFieldExprs public @
============================
public = public
< search.
Subgoal 2.2:
Variables: SG S1 S2 S3 S4 Rest E L
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG (addRecFieldExprs L E Rest) S1 @
LevB : rf_level SG (addRecFieldExprs L E Rest) S2
LevA1 : level SG E S3 *
LevA2 : rf_level SG Rest S4 *
LevA3 : join S3 S4 S1
============================
S1 = S2
< LevB: case LevB.
Subgoal 2.2:
Variables: SG S1 S2 S3 S4 Rest E L S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG (addRecFieldExprs L E Rest) S1 @
LevA1 : level SG E S3 *
LevA2 : rf_level SG Rest S4 *
LevA3 : join S3 S4 S1
LevB : level SG E S5
LevB1 : rf_level SG Rest S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH to LevA1 LevB.
Subgoal 2.2:
Variables: SG S1 S2 S4 Rest E L S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG (addRecFieldExprs L E Rest) S1 @
LevA1 : level SG E S5 *
LevA2 : rf_level SG Rest S4 *
LevA3 : join S5 S4 S1
LevB : level SG E S5
LevB1 : rf_level SG Rest S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply IH1 to LevA2 LevB1.
Subgoal 2.2:
Variables: SG S1 S2 Rest E L S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG (addRecFieldExprs L E Rest) S1 @
LevA1 : level SG E S5 *
LevA2 : rf_level SG Rest S6 *
LevA3 : join S5 S6 S1
LevB : level SG E S5
LevB1 : rf_level SG Rest S6
LevB2 : join S5 S6 S2
============================
S1 = S2
< apply join_unique to LevA3 LevB2.
Subgoal 2.2:
Variables: SG S2 Rest E L S5 S6
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG (addRecFieldExprs L E Rest) S2 @
LevA1 : level SG E S5 *
LevA2 : rf_level SG Rest S6 *
LevA3 : join S5 S6 S2
LevB : level SG E S5
LevB1 : rf_level SG Rest S6
LevB2 : join S5 S6 S2
============================
S2 = S2
< search.
Subgoal 2.3:
Variables: SG S1 S2 RFT
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG <unknown I recFieldExprs> S1 @
LevB : rf_level SG <unknown I recFieldExprs> S2
LevA1 : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT
LevA2 : rf_level SG RFT S1 *
============================
S1 = S2
< LevB: case LevB.
Subgoal 2.3:
Variables: SG S1 S2 RFT RFT1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG <unknown I recFieldExprs> S1 @
LevA1 : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT
LevA2 : rf_level SG RFT S1 *
LevB : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT1
LevB1 : rf_level SG RFT1 S2
============================
S1 = S2
< apply proj_rf_unique to LevA1 LevB.
Subgoal 2.3:
Variables: SG S1 S2 RFT1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG <unknown I recFieldExprs> S1 @
LevA1 : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT1
LevA2 : rf_level SG RFT1 S1 *
LevB : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT1
LevB1 : rf_level SG RFT1 S2
============================
S1 = S2
< apply IH1 to LevA2 LevB1.
Subgoal 2.3:
Variables: SG S2 RFT1
IH : forall SG E S1 S2, level SG E S1 * -> level SG E S2 -> S1 = S2
IH1 : forall SG RF S1 S2, rf_level SG RF S1 * -> rf_level SG RF S2 -> S1 = S2
LevA : rf_level SG <unknown I recFieldExprs> S2 @
LevA1 : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT1
LevA2 : rf_level SG RFT1 S2 *
LevB : |{recFieldExprs}- <unknown I recFieldExprs> ~~> RFT1
LevB1 : rf_level SG RFT1 S2
============================
S2 = S2
< search.
Proof completed.
< Theorem level_not_public :
forall SG G1 G2 E V1 V2,
is_e E -> public_equiv SG G1 G2 -> level SG E public -> eval_e G1 E V1 ->
eval_e G2 E V2 -> (V1 = V2 -> false) -> false.
============================
forall SG G1 G2 E V1 V2,
is_e E -> public_equiv SG G1 G2 -> level SG E public -> eval_e G1 E V1 -> eval_e G2 E V2 ->
(V1 = V2 -> false) -> false
< intros Is Equiv Lev Ev1 Ev2 NEq.
Variables: SG G1 G2 E V1 V2
Is : is_e E
Equiv : public_equiv SG G1 G2
Lev : level SG E public
Ev1 : eval_e G1 E V1
Ev2 : eval_e G2 E V2
NEq : V1 = V2 -> false
============================
false
< apply level_secure to Is Lev Equiv Ev1 Ev2.
Variables: SG G1 G2 E V2
Is : is_e E
Equiv : public_equiv SG G1 G2
Lev : level SG E public
Ev1 : eval_e G1 E V2
Ev2 : eval_e G2 E V2
NEq : V2 = V2 -> false
============================
false
< backchain NEq.
Proof completed.
< Extensible_Theorem
stmt_public_branch : forall PC SG SG2 G G2 C X,
Sec : secure PC SG C SG2 ->
Ev : eval_c G C G2 ->
LkpSec : lookup SG X public ->
lookup SG2 X public
on Ev.
Subgoal 1:
Variables: PC SG SG2 G2 X
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG noop SG2
Ev : eval_c G2 noop G2 @
LkpSec : lookup SG X public
============================
lookup SG2 X public
< case Sec.
Subgoal 1:
Variables: PC SG2 G2 X
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G2 noop G2 @
LkpSec : lookup SG2 X public
============================
lookup SG2 X public
< search.
Subgoal 2:
Variables: PC SG SG2 G G2 X G1 C2 C1
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG (seq C1 C2) SG2
Ev : eval_c G (seq C1 C2) G2 @
LkpSec : lookup SG X public
Ev1 : eval_c G C1 G1 *
Ev2 : eval_c G1 C2 G2 *
============================
lookup SG2 X public
< Sec: case Sec.
Subgoal 2:
Variables: PC SG SG2 G G2 X G1 C2 C1 G3
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (seq C1 C2) G2 @
LkpSec : lookup SG X public
Ev1 : eval_c G C1 G1 *
Ev2 : eval_c G1 C2 G2 *
Sec : secure PC SG C1 G3
Sec1 : secure PC G3 C2 SG2
============================
lookup SG2 X public
< apply IH to Sec Ev1 _.
Subgoal 2:
Variables: PC SG SG2 G G2 X G1 C2 C1 G3
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (seq C1 C2) G2 @
LkpSec : lookup SG X public
Ev1 : eval_c G C1 G1 *
Ev2 : eval_c G1 C2 G2 *
Sec : secure PC SG C1 G3
Sec1 : secure PC G3 C2 SG2
H1 : lookup G3 X public
============================
lookup SG2 X public
< apply IH to Sec1 Ev2 _.
Subgoal 2:
Variables: PC SG SG2 G G2 X G1 C2 C1 G3
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (seq C1 C2) G2 @
LkpSec : lookup SG X public
Ev1 : eval_c G C1 G1 *
Ev2 : eval_c G1 C2 G2 *
Sec : secure PC SG C1 G3
Sec1 : secure PC G3 C2 SG2
H1 : lookup G3 X public
H2 : lookup SG2 X public
============================
lookup SG2 X public
< search.
Subgoal 3:
Variables: PC SG SG2 G X V X1 E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG (declare X1 Ty E) SG2
Ev : eval_c G (declare X1 Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
============================
lookup SG2 X public
< Sec: case Sec.
Subgoal 3:
Variables: SG G X V X1 E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declare X1 Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X1
============================
lookup ((X1, public)::SG) X public
< assert X1 = X -> false.
Subgoal 3.1:
Variables: SG G X V X1 E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declare X1 Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X1
============================
X1 = X -> false
< intros Eq.
Subgoal 3.1:
Variables: SG G X V X1 E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declare X1 Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X1
Eq : X1 = X
============================
false
< case Eq.
Subgoal 3.1:
Variables: SG G X V E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declare X Ty E) ((X, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X
============================
false
< apply no_lookup to Sec1 LkpSec.
Subgoal 3:
Variables: SG G X V X1 E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declare X1 Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X1
H1 : X1 = X -> false
============================
lookup ((X1, public)::SG) X public
< search.
Subgoal 4:
Variables: PC SG SG2 G X V X1 E
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG (assign X1 E) SG2
Ev : eval_c G (assign X1 E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
============================
lookup SG2 X public
< case Sec.
Subgoal 4.1:
Variables: SG2 G X V X1 E
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (assign X1 E) ((X1, V)::G) @
LkpSec : lookup SG2 X public
Ev1 : eval_e G E V
H1 : level SG2 E public
H2 : lookup SG2 X1 public
============================
lookup SG2 X public
< search.
Subgoal 4.2:
Variables: PC SG2 G X V X1 E S
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (assign X1 E) ((X1, V)::G) @
LkpSec : lookup SG2 X public
Ev1 : eval_e G E V
H1 : level SG2 E S
H2 : lookup SG2 X1 private
============================
lookup SG2 X public
< search.
Subgoal 5:
Variables: PC SG SG2 G G2 X Else Then Cond
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG (ifThenElse Cond Then Else) SG2
Ev : eval_c G (ifThenElse Cond Then Else) G2 @
LkpSec : lookup SG X public
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G2 *
============================
lookup SG2 X public
< Sec: case Sec.
Subgoal 5:
Variables: PC SG2 G G2 X Else Then Cond S NewPC GTh GEl
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (ifThenElse Cond Then Else) G2 @
LkpSec : lookup SG2 X public
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G2 *
Sec : level SG2 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG2 Then GTh
Sec3 : secure NewPC SG2 Else GEl
============================
lookup SG2 X public
< apply IH to Sec2 Ev2 _.
Subgoal 5:
Variables: PC SG2 G G2 X Else Then Cond S NewPC GTh GEl
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (ifThenElse Cond Then Else) G2 @
LkpSec : lookup SG2 X public
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G2 *
Sec : level SG2 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG2 Then GTh
Sec3 : secure NewPC SG2 Else GEl
H1 : lookup GTh X public
============================
lookup SG2 X public
< search.
Subgoal 6:
Variables: PC SG SG2 G G2 X Else Then Cond
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG (ifThenElse Cond Then Else) SG2
Ev : eval_c G (ifThenElse Cond Then Else) G2 @
LkpSec : lookup SG X public
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G2 *
============================
lookup SG2 X public
< Sec: case Sec.
Subgoal 6:
Variables: PC SG2 G G2 X Else Then Cond S NewPC GTh GEl
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (ifThenElse Cond Then Else) G2 @
LkpSec : lookup SG2 X public
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G2 *
Sec : level SG2 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG2 Then GTh
Sec3 : secure NewPC SG2 Else GEl
============================
lookup SG2 X public
< apply IH to Sec3 Ev2 _.
Subgoal 6:
Variables: PC SG2 G G2 X Else Then Cond S NewPC GTh GEl
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (ifThenElse Cond Then Else) G2 @
LkpSec : lookup SG2 X public
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G2 *
Sec : level SG2 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG2 Then GTh
Sec3 : secure NewPC SG2 Else GEl
H1 : lookup GEl X public
============================
lookup SG2 X public
< search.
Subgoal 7:
Variables: PC SG SG2 G2 X Body Cond
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG (while Cond Body) SG2
Ev : eval_c G2 (while Cond Body) G2 @
LkpSec : lookup SG X public
Ev1 : eval_e G2 Cond falseVal
============================
lookup SG2 X public
< case Sec.
Subgoal 7:
Variables: PC SG2 G2 X Body Cond S NewPC G1
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G2 (while Cond Body) G2 @
LkpSec : lookup SG2 X public
Ev1 : eval_e G2 Cond falseVal
H1 : level SG2 Cond S
H2 : join PC S NewPC
H3 : secure NewPC SG2 Body G1
============================
lookup SG2 X public
< search.
Subgoal 8:
Variables: PC SG SG2 G G2 X G1 Body Cond
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG (while Cond Body) SG2
Ev : eval_c G (while Cond Body) G2 @
LkpSec : lookup SG X public
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G1 *
Ev3 : eval_c G1 (while Cond Body) G2 *
============================
lookup SG2 X public
< Sec: case Sec (keep).
Subgoal 8:
Variables: PC SG2 G G2 X G1 Body Cond S NewPC G3
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG2 (while Cond Body) SG2
Ev : eval_c G (while Cond Body) G2 @
LkpSec : lookup SG2 X public
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G1 *
Ev3 : eval_c G1 (while Cond Body) G2 *
Sec1 : level SG2 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG2 Body G3
============================
lookup SG2 X public
< apply IH to Sec3 Ev2 _.
Subgoal 8:
Variables: PC SG2 G G2 X G1 Body Cond S NewPC G3
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG2 (while Cond Body) SG2
Ev : eval_c G (while Cond Body) G2 @
LkpSec : lookup SG2 X public
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G1 *
Ev3 : eval_c G1 (while Cond Body) G2 *
Sec1 : level SG2 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG2 Body G3
H1 : lookup G3 X public
============================
lookup SG2 X public
< apply IH to Sec Ev3 _.
Subgoal 8:
Variables: PC SG2 G G2 X G1 Body Cond S NewPC G3
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG2 (while Cond Body) SG2
Ev : eval_c G (while Cond Body) G2 @
LkpSec : lookup SG2 X public
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G1 *
Ev3 : eval_c G1 (while Cond Body) G2 *
Sec1 : level SG2 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG2 Body G3
H1 : lookup G3 X public
H2 : lookup SG2 X public
============================
lookup SG2 X public
< search.
Subgoal 9:
Variables: PC SG SG2 G X V Fields Result Rec E RecFields
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG (recUpdate Rec RecFields E) SG2
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
============================
lookup SG2 X public
< case Sec.
Subgoal 9.1:
Variables: SG2 G X V Fields Result Rec E RecFields
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
LkpSec : lookup SG2 X public
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
H1 : level SG2 E public
H2 : lookup SG2 Rec public
============================
lookup SG2 X public
< search.
Subgoal 9.2:
Variables: PC SG2 G X V Fields Result Rec E RecFields S
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
LkpSec : lookup SG2 X public
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
H1 : level SG2 E S
H2 : lookup SG2 Rec private
============================
lookup SG2 X public
< search.
Subgoal 10:
Variables: PC SG SG2 G X V X1 E Ty S
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG (declareSec X1 S Ty E) SG2
Ev : eval_c G (declareSec X1 S Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
============================
lookup SG2 X public
< Sec: case Sec.
Subgoal 10.1:
Variables: PC SG G X V X1 E Ty S1
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X1 private Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E S1
Sec1 : no_lookup SG X1
============================
lookup ((X1, private)::SG) X public
< assert X1 = X -> false.
Subgoal 10.1.1:
Variables: PC SG G X V X1 E Ty S1
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X1 private Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E S1
Sec1 : no_lookup SG X1
============================
X1 = X -> false
< intros Eq.
Subgoal 10.1.1:
Variables: PC SG G X V X1 E Ty S1
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X1 private Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E S1
Sec1 : no_lookup SG X1
Eq : X1 = X
============================
false
< case Eq.
Subgoal 10.1.1:
Variables: PC SG G X V E Ty S1
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E S1
Sec1 : no_lookup SG X
============================
false
< apply no_lookup to Sec1 LkpSec.
Subgoal 10.1:
Variables: PC SG G X V X1 E Ty S1
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X1 private Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E S1
Sec1 : no_lookup SG X1
H1 : X1 = X -> false
============================
lookup ((X1, private)::SG) X public
< search.
Subgoal 10.2:
Variables: SG G X V X1 E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X1 public Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X1
============================
lookup ((X1, public)::SG) X public
< assert X1 = X -> false.
Subgoal 10.2.1:
Variables: SG G X V X1 E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X1 public Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X1
============================
X1 = X -> false
< intros Eq.
Subgoal 10.2.1:
Variables: SG G X V X1 E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X1 public Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X1
Eq : X1 = X
============================
false
< case Eq.
Subgoal 10.2.1:
Variables: SG G X V E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X public Ty E) ((X, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X
============================
false
< apply no_lookup to Sec1 LkpSec.
Subgoal 10.2:
Variables: SG G X V X1 E Ty
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G (declareSec X1 public Ty E) ((X1, V)::G) @
LkpSec : lookup SG X public
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X1
H1 : X1 = X -> false
============================
lookup ((X1, public)::SG) X public
< search.
Subgoal 11:
Variables: PC SG SG2 G G2 X T
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Sec : secure PC SG <unknown K eval_c> SG2
Ev : eval_c G <unknown K eval_c> G2 @
LkpSec : lookup SG X public
Ev1 : |{c}- <unknown K eval_c> ~~> T
Ev2 : eval_c G T G2 *
============================
lookup SG2 X public
< Sec: case Sec.
Subgoal 11:
Variables: PC SG SG2 G G2 X T CT
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G <unknown K eval_c> G2 @
LkpSec : lookup SG X public
Ev1 : |{c}- <unknown K eval_c> ~~> T
Ev2 : eval_c G T G2 *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG2
============================
lookup SG2 X public
< apply proj_c_unique to Ev1 Sec.
Subgoal 11:
Variables: PC SG SG2 G G2 X CT
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G <unknown K eval_c> G2 @
LkpSec : lookup SG X public
Ev1 : |{c}- <unknown K eval_c> ~~> CT
Ev2 : eval_c G CT G2 *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG2
============================
lookup SG2 X public
< apply IH to Sec1 Ev2 _.
Subgoal 11:
Variables: PC SG SG2 G G2 X CT
IH : forall PC SG SG2 G G2 C X,
secure PC SG C SG2 -> eval_c G C G2 * -> lookup SG X public -> lookup SG2 X public
Ev : eval_c G <unknown K eval_c> G2 @
LkpSec : lookup SG X public
Ev1 : |{c}- <unknown K eval_c> ~~> CT
Ev2 : eval_c G CT G2 *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG2
H1 : lookup SG2 X public
============================
lookup SG2 X public
< search.
Proof completed.
< Theorem public_equiv_swap :
forall SG SG' GA GB,
(forall X, lookup SG X public -> lookup SG' X public) -> public_equiv SG' GA GB ->
public_equiv SG GA GB.
============================
forall SG SG' GA GB,
(forall X, lookup SG X public -> lookup SG' X public) -> public_equiv SG' GA GB ->
public_equiv SG GA GB
< intros LkpEquiv Eq.
Variables: SG SG' GA GB
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : public_equiv SG' GA GB
============================
public_equiv SG GA GB
< Eq: case Eq.
Variables: SG SG' GA GB
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
============================
public_equiv SG GA GB
< unfold .
Subgoal 1:
Variables: SG SG' GA GB
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
============================
forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
< intros LkpSec LkpA LkpB.
Subgoal 1:
Variables: SG SG' GA GB X V1 V2
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V1
LkpB : lookup GB X V2
============================
V1 = V2
< LkpSG': apply LkpEquiv to LkpSec.
Subgoal 1:
Variables: SG SG' GA GB X V1 V2
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V1
LkpB : lookup GB X V2
LkpSG' : lookup SG' X public
============================
V1 = V2
< apply Eq to LkpSG' LkpA LkpB.
Subgoal 1:
Variables: SG SG' GA GB X V2
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V2
LkpB : lookup GB X V2
LkpSG' : lookup SG' X public
============================
V2 = V2
< search.
Subgoal 2:
Variables: SG SG' GA GB
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
============================
forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
< intros LkpSec LkpA.
Subgoal 2:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
============================
lookup GB X V
< LkpSG': apply LkpEquiv to LkpSec.
Subgoal 2:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
LkpSG' : lookup SG' X public
============================
lookup GB X V
< apply Eq1 to LkpSG' LkpA.
Subgoal 2:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpA : lookup GA X V
LkpSG' : lookup SG' X public
H1 : lookup GB X V
============================
lookup GB X V
< search.
Subgoal 3:
Variables: SG SG' GA GB
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
============================
forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
< intros LkpSec LkpB.
Subgoal 3:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
============================
lookup GA X V
< LkpSG': apply LkpEquiv to LkpSec.
Subgoal 3:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
LkpSG' : lookup SG' X public
============================
lookup GA X V
< apply Eq2 to LkpSG' LkpB.
Subgoal 3:
Variables: SG SG' GA GB X V
LkpEquiv : forall X, lookup SG X public -> lookup SG' X public
Eq : forall X V1 V2,
lookup SG' X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Eq1 : forall X V, lookup SG' X public -> lookup GA X V -> lookup GB X V
Eq2 : forall X V, lookup SG' X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG X public
LkpB : lookup GB X V
LkpSG' : lookup SG' X public
H1 : lookup GA X V
============================
lookup GA X V
< search.
Proof completed.
< Extensible_Theorem
stmt_not_public_no_public_change : forall C S SG SG1 G G1,
Sec : secure S SG C SG1 ->
NEq : (S = public -> false) ->
Ev : eval_c G C G1 ->
public_equiv SG G G1
on Ev.
Subgoal 1:
Variables: S SG SG1 G1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG noop SG1
NEq : S = public -> false
Ev : eval_c G1 noop G1 @
============================
public_equiv SG G1 G1
< unfold .
Subgoal 1.1:
Variables: S SG SG1 G1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG noop SG1
NEq : S = public -> false
Ev : eval_c G1 noop G1 @
============================
forall X V1 V2,
lookup SG X public -> lookup G1 X V1 -> lookup G1 X V2 -> V1 = V2
< intros LkpSec LkpA LkpB.
Subgoal 1.1:
Variables: S SG SG1 G1 X V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG noop SG1
NEq : S = public -> false
Ev : eval_c G1 noop G1 @
LkpSec : lookup SG X public
LkpA : lookup G1 X V1
LkpB : lookup G1 X V2
============================
V1 = V2
< apply lookup_unique to LkpA LkpB.
Subgoal 1.1:
Variables: S SG SG1 G1 X V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG noop SG1
NEq : S = public -> false
Ev : eval_c G1 noop G1 @
LkpSec : lookup SG X public
LkpA : lookup G1 X V2
LkpB : lookup G1 X V2
============================
V2 = V2
< search.
Subgoal 1.2:
Variables: S SG SG1 G1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG noop SG1
NEq : S = public -> false
Ev : eval_c G1 noop G1 @
============================
forall X V, lookup SG X public -> lookup G1 X V -> lookup G1 X V
< intros.
Subgoal 1.2:
Variables: S SG SG1 G1 X V
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG noop SG1
NEq : S = public -> false
Ev : eval_c G1 noop G1 @
H1 : lookup SG X public
H2 : lookup G1 X V
============================
lookup G1 X V
< search.
Subgoal 1.3:
Variables: S SG SG1 G1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG noop SG1
NEq : S = public -> false
Ev : eval_c G1 noop G1 @
============================
forall X V, lookup SG X public -> lookup G1 X V -> lookup G1 X V
< intros.
Subgoal 1.3:
Variables: S SG SG1 G1 X V
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG noop SG1
NEq : S = public -> false
Ev : eval_c G1 noop G1 @
H1 : lookup SG X public
H2 : lookup G1 X V
============================
lookup G1 X V
< search.
Subgoal 2:
Variables: S SG SG1 G G1 G2 C2 C1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (seq C1 C2) SG1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
============================
public_equiv SG G G1
< Sec: case Sec.
Subgoal 2:
Variables: S SG SG1 G G1 G2 C2 C1 G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
Sec : secure S SG C1 G3
Sec1 : secure S G3 C2 SG1
============================
public_equiv SG G G1
< EqGG2: apply IH to _ _ Ev1.
Subgoal 2:
Variables: S SG SG1 G G1 G2 C2 C1 G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
Sec : secure S SG C1 G3
Sec1 : secure S G3 C2 SG1
EqGG2 : public_equiv SG G G2
============================
public_equiv SG G G1
< EqG2G1: apply IH to _ _ Ev2.
Subgoal 2:
Variables: S SG SG1 G G1 G2 C2 C1 G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
Sec : secure S SG C1 G3
Sec1 : secure S G3 C2 SG1
EqGG2 : public_equiv SG G G2
EqG2G1 : public_equiv G3 G2 G1
============================
public_equiv SG G G1
< LkpEq1: assert forall X,
lookup SG X public -> lookup G3 X public.
Subgoal 2.1:
Variables: S SG SG1 G G1 G2 C2 C1 G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
Sec : secure S SG C1 G3
Sec1 : secure S G3 C2 SG1
EqGG2 : public_equiv SG G G2
EqG2G1 : public_equiv G3 G2 G1
============================
forall X, lookup SG X public -> lookup G3 X public
< intros Lkp.
Subgoal 2.1:
Variables: S SG SG1 G G1 G2 C2 C1 G3 X
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
Sec : secure S SG C1 G3
Sec1 : secure S G3 C2 SG1
EqGG2 : public_equiv SG G G2
EqG2G1 : public_equiv G3 G2 G1
Lkp : lookup SG X public
============================
lookup G3 X public
< apply stmt_public_branch to Sec Ev1 Lkp.
Subgoal 2.1:
Variables: S SG SG1 G G1 G2 C2 C1 G3 X
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
Sec : secure S SG C1 G3
Sec1 : secure S G3 C2 SG1
EqGG2 : public_equiv SG G G2
EqG2G1 : public_equiv G3 G2 G1
Lkp : lookup SG X public
H1 : lookup G3 X public
============================
lookup G3 X public
< search.
Subgoal 2:
Variables: S SG SG1 G G1 G2 C2 C1 G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
Sec : secure S SG C1 G3
Sec1 : secure S G3 C2 SG1
EqGG2 : public_equiv SG G G2
EqG2G1 : public_equiv G3 G2 G1
LkpEq1 : forall X, lookup SG X public -> lookup G3 X public
============================
public_equiv SG G G1
< Eq2: apply public_equiv_swap to LkpEq1 EqG2G1.
Subgoal 2:
Variables: S SG SG1 G G1 G2 C2 C1 G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
Sec : secure S SG C1 G3
Sec1 : secure S G3 C2 SG1
EqGG2 : public_equiv SG G G2
EqG2G1 : public_equiv G3 G2 G1
LkpEq1 : forall X, lookup SG X public -> lookup G3 X public
Eq2 : public_equiv SG G2 G1
============================
public_equiv SG G G1
< apply public_equiv_trans to EqGG2 Eq2.
Subgoal 2:
Variables: S SG SG1 G G1 G2 C2 C1 G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (seq C1 C2) G1 @
Ev1 : eval_c G C1 G2 *
Ev2 : eval_c G2 C2 G1 *
Sec : secure S SG C1 G3
Sec1 : secure S G3 C2 SG1
EqGG2 : public_equiv SG G G2
EqG2G1 : public_equiv G3 G2 G1
LkpEq1 : forall X, lookup SG X public -> lookup G3 X public
Eq2 : public_equiv SG G2 G1
H1 : public_equiv SG G G1
============================
public_equiv SG G G1
< search.
Subgoal 3:
Variables: S SG SG1 G V X E Ty
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (declare X Ty E) SG1
NEq : S = public -> false
Ev : eval_c G (declare X Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
============================
public_equiv SG G ((X, V)::G)
< Sec: case Sec.
Subgoal 3:
Variables: SG G V X E Ty
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_c G (declare X Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X
============================
public_equiv SG G ((X, V)::G)
< apply NEq to _.
Subgoal 4:
Variables: S SG SG1 G V X E
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (assign X E) SG1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
============================
public_equiv SG G ((X, V)::G)
< Sec: case Sec.
Subgoal 4.1:
Variables: SG1 G V X E
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E public
Sec1 : lookup SG1 X public
============================
public_equiv SG1 G ((X, V)::G)
< apply NEq to _.
Subgoal 4.2:
Variables: S SG1 G V X E S1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
============================
public_equiv SG1 G ((X, V)::G)
< unfold .
Subgoal 4.2.1:
Variables: S SG1 G V X E S1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
============================
forall X1 V1 V2,
lookup SG1 X1 public -> lookup G X1 V1 -> lookup ((X, V)::G) X1 V2 -> V1 = V2
< intros LkpSec LkpA LkpB.
Subgoal 4.2.1:
Variables: S SG1 G V X E S1 X1 V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : lookup G X1 V1
LkpB : lookup ((X, V)::G) X1 V2
============================
V1 = V2
< LkpB: case LkpB.
Subgoal 4.2.1.1:
Variables: S SG1 G E S1 X1 V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X1 E) ((X1, V2)::G) @
Ev1 : eval_e G E V2
Sec : level SG1 E S1
Sec1 : lookup SG1 X1 private
LkpSec : lookup SG1 X1 public
LkpA : lookup G X1 V1
============================
V1 = V2
< apply lookup_unique to Sec1 LkpSec.
Subgoal 4.2.1.2:
Variables: S SG1 G V X E S1 X1 V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : lookup G X1 V1
LkpB : X = X1 -> false
LkpB1 : lookup G X1 V2
============================
V1 = V2
< apply lookup_unique to LkpA LkpB1.
Subgoal 4.2.1.2:
Variables: S SG1 G V X E S1 X1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : lookup G X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup G X1 V2
============================
V2 = V2
< search.
Subgoal 4.2.2:
Variables: S SG1 G V X E S1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
============================
forall X1 V1,
lookup SG1 X1 public -> lookup G X1 V1 -> lookup ((X, V)::G) X1 V1
< intros LkpSec LkpG.
Subgoal 4.2.2:
Variables: S SG1 G V X E S1 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpG : lookup G X1 V1
============================
lookup ((X, V)::G) X1 V1
< Or: apply lookup_eq_or_not to Sec1 LkpSec.
Subgoal 4.2.2:
Variables: S SG1 G V X E S1 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpG : lookup G X1 V1
Or : X = X1 \/ (X = X1 -> false)
============================
lookup ((X, V)::G) X1 V1
< Eq: case Or.
Subgoal 4.2.2.1:
Variables: S SG1 G V E S1 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X1 E) ((X1, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X1 private
LkpSec : lookup SG1 X1 public
LkpG : lookup G X1 V1
============================
lookup ((X1, V)::G) X1 V1
< apply lookup_unique to Sec1 LkpSec.
Subgoal 4.2.2.2:
Variables: S SG1 G V X E S1 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpG : lookup G X1 V1
Eq : X = X1 -> false
============================
lookup ((X, V)::G) X1 V1
< search.
Subgoal 4.2.3:
Variables: S SG1 G V X E S1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
============================
forall X1 V1,
lookup SG1 X1 public -> lookup ((X, V)::G) X1 V1 -> lookup G X1 V1
< intros LkpSec LkpG+.
Subgoal 4.2.3:
Variables: S SG1 G V X E S1 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpG+ : lookup ((X, V)::G) X1 V1
============================
lookup G X1 V1
< Lkp: case LkpG+.
Subgoal 4.2.3.1:
Variables: S SG1 G E S1 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X1 E) ((X1, V1)::G) @
Ev1 : eval_e G E V1
Sec : level SG1 E S1
Sec1 : lookup SG1 X1 private
LkpSec : lookup SG1 X1 public
============================
lookup G X1 V1
< apply lookup_unique to Sec1 LkpSec.
Subgoal 4.2.3.2:
Variables: S SG1 G V X E S1 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (assign X E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
Lkp : X = X1 -> false
Lkp1 : lookup G X1 V1
============================
lookup G X1 V1
< search.
Subgoal 5:
Variables: S SG SG1 G G1 Else Then Cond
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (ifThenElse Cond Then Else) SG1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G1 *
============================
public_equiv SG G G1
< Sec: case Sec.
Subgoal 5:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
============================
public_equiv SG1 G G1
< assert NewPC = public -> false.
Subgoal 5.1:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
============================
NewPC = public -> false
< intros Eq.
Subgoal 5.1:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
Eq : NewPC = public
============================
false
< case Eq.
Subgoal 5.1:
Variables: S SG1 G G1 Else Then Cond S1 GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
============================
false
< backchain NEq.
Subgoal 5.1:
Variables: S SG1 G G1 Else Then Cond S1 GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
============================
S = public
< apply join_public to Sec1.
Subgoal 5.1:
Variables: SG1 G G1 Else Then Cond GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G1 *
Sec : level SG1 Cond public
Sec1 : join public public public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
============================
public = public
< search.
Subgoal 5:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
H1 : NewPC = public -> false
============================
public_equiv SG1 G G1
< apply IH to Sec2 _ Ev2.
Subgoal 5:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Then G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
H1 : NewPC = public -> false
H2 : public_equiv SG1 G G1
============================
public_equiv SG1 G G1
< search.
Subgoal 6:
Variables: S SG SG1 G G1 Else Then Cond
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (ifThenElse Cond Then Else) SG1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G1 *
============================
public_equiv SG G G1
< Sec: case Sec.
Subgoal 6:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
============================
public_equiv SG1 G G1
< assert NewPC = public -> false.
Subgoal 6.1:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
============================
NewPC = public -> false
< intros Eq.
Subgoal 6.1:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
Eq : NewPC = public
============================
false
< case Eq.
Subgoal 6.1:
Variables: S SG1 G G1 Else Then Cond S1 GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
============================
false
< backchain NEq.
Subgoal 6.1:
Variables: S SG1 G G1 Else Then Cond S1 GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
============================
S = public
< apply join_public to Sec1.
Subgoal 6.1:
Variables: SG1 G G1 Else Then Cond GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G1 *
Sec : level SG1 Cond public
Sec1 : join public public public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
============================
public = public
< search.
Subgoal 6:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
H1 : NewPC = public -> false
============================
public_equiv SG1 G G1
< apply IH to Sec3 _ Ev2.
Subgoal 6:
Variables: S SG1 G G1 Else Then Cond S1 NewPC GTh GEl
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (ifThenElse Cond Then Else) G1 @
Ev1 : eval_e G Cond falseVal
Ev2 : eval_c G Else G1 *
Sec : level SG1 Cond S1
Sec1 : join S S1 NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
H1 : NewPC = public -> false
H2 : public_equiv SG1 G G1
============================
public_equiv SG1 G G1
< search.
Subgoal 7:
Variables: S SG SG1 G1 Body Cond
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G1 (while Cond Body) G1 @
Ev1 : eval_e G1 Cond falseVal
============================
public_equiv SG G1 G1
< unfold .
Subgoal 7.1:
Variables: S SG SG1 G1 Body Cond
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G1 (while Cond Body) G1 @
Ev1 : eval_e G1 Cond falseVal
============================
forall X V1 V2,
lookup SG X public -> lookup G1 X V1 -> lookup G1 X V2 -> V1 = V2
< intros LkpSec LkpA LkpB.
Subgoal 7.1:
Variables: S SG SG1 G1 Body Cond X V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G1 (while Cond Body) G1 @
Ev1 : eval_e G1 Cond falseVal
LkpSec : lookup SG X public
LkpA : lookup G1 X V1
LkpB : lookup G1 X V2
============================
V1 = V2
< apply lookup_unique to LkpA LkpB.
Subgoal 7.1:
Variables: S SG SG1 G1 Body Cond X V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G1 (while Cond Body) G1 @
Ev1 : eval_e G1 Cond falseVal
LkpSec : lookup SG X public
LkpA : lookup G1 X V2
LkpB : lookup G1 X V2
============================
V2 = V2
< search.
Subgoal 7.2:
Variables: S SG SG1 G1 Body Cond
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G1 (while Cond Body) G1 @
Ev1 : eval_e G1 Cond falseVal
============================
forall X V, lookup SG X public -> lookup G1 X V -> lookup G1 X V
< intros LkpSec LkpG1.
Subgoal 7.2:
Variables: S SG SG1 G1 Body Cond X V
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G1 (while Cond Body) G1 @
Ev1 : eval_e G1 Cond falseVal
LkpSec : lookup SG X public
LkpG1 : lookup G1 X V
============================
lookup G1 X V
< search.
Subgoal 7.3:
Variables: S SG SG1 G1 Body Cond
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G1 (while Cond Body) G1 @
Ev1 : eval_e G1 Cond falseVal
============================
forall X V, lookup SG X public -> lookup G1 X V -> lookup G1 X V
< intros LkpSec LkpG1.
Subgoal 7.3:
Variables: S SG SG1 G1 Body Cond X V
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G1 (while Cond Body) G1 @
Ev1 : eval_e G1 Cond falseVal
LkpSec : lookup SG X public
LkpG1 : lookup G1 X V
============================
lookup G1 X V
< search.
Subgoal 8:
Variables: S SG SG1 G G1 G2 Body Cond
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
============================
public_equiv SG G G1
< Sec: case Sec (keep).
Subgoal 8:
Variables: S SG1 G G1 G2 Body Cond S1 NewPC G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG1 (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond S1
Sec2 : join S S1 NewPC
Sec3 : secure NewPC SG1 Body G3
============================
public_equiv SG1 G G1
< assert NewPC = public -> false.
Subgoal 8.1:
Variables: S SG1 G G1 G2 Body Cond S1 NewPC G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG1 (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond S1
Sec2 : join S S1 NewPC
Sec3 : secure NewPC SG1 Body G3
============================
NewPC = public -> false
< intros Eq.
Subgoal 8.1:
Variables: S SG1 G G1 G2 Body Cond S1 NewPC G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG1 (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond S1
Sec2 : join S S1 NewPC
Sec3 : secure NewPC SG1 Body G3
Eq : NewPC = public
============================
false
< case Eq.
Subgoal 8.1:
Variables: S SG1 G G1 G2 Body Cond S1 G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG1 (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond S1
Sec2 : join S S1 public
Sec3 : secure public SG1 Body G3
============================
false
< backchain NEq.
Subgoal 8.1:
Variables: S SG1 G G1 G2 Body Cond S1 G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG1 (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond S1
Sec2 : join S S1 public
Sec3 : secure public SG1 Body G3
============================
S = public
< apply join_public to Sec2.
Subgoal 8.1:
Variables: SG1 G G1 G2 Body Cond G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure public SG1 (while Cond Body) SG1
NEq : public = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond public
Sec2 : join public public public
Sec3 : secure public SG1 Body G3
============================
public = public
< search.
Subgoal 8:
Variables: S SG1 G G1 G2 Body Cond S1 NewPC G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG1 (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond S1
Sec2 : join S S1 NewPC
Sec3 : secure NewPC SG1 Body G3
H1 : NewPC = public -> false
============================
public_equiv SG1 G G1
< EqGG2: apply IH to Sec3 _ Ev2.
Subgoal 8:
Variables: S SG1 G G1 G2 Body Cond S1 NewPC G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG1 (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond S1
Sec2 : join S S1 NewPC
Sec3 : secure NewPC SG1 Body G3
H1 : NewPC = public -> false
EqGG2 : public_equiv SG1 G G2
============================
public_equiv SG1 G G1
< EqG2G1: apply IH to _ _ Ev3.
Subgoal 8:
Variables: S SG1 G G1 G2 Body Cond S1 NewPC G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG1 (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond S1
Sec2 : join S S1 NewPC
Sec3 : secure NewPC SG1 Body G3
H1 : NewPC = public -> false
EqGG2 : public_equiv SG1 G G2
EqG2G1 : public_equiv SG1 G2 G1
============================
public_equiv SG1 G G1
< apply public_equiv_trans to EqGG2 EqG2G1.
Subgoal 8:
Variables: S SG1 G G1 G2 Body Cond S1 NewPC G3
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG1 (while Cond Body) SG1
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G1 @
Ev1 : eval_e G Cond trueVal
Ev2 : eval_c G Body G2 *
Ev3 : eval_c G2 (while Cond Body) G1 *
Sec1 : level SG1 Cond S1
Sec2 : join S S1 NewPC
Sec3 : secure NewPC SG1 Body G3
H1 : NewPC = public -> false
EqGG2 : public_equiv SG1 G G2
EqG2G1 : public_equiv SG1 G2 G1
H2 : public_equiv SG1 G G1
============================
public_equiv SG1 G G1
< search.
Subgoal 9:
Variables: S SG SG1 G V Fields Result Rec E RecFields
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (recUpdate Rec RecFields E) SG1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
============================
public_equiv SG G ((Rec, recVal Result)::G)
< Sec: case Sec.
Subgoal 9.1:
Variables: SG1 G V Fields Result Rec E RecFields
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
============================
public_equiv SG1 G ((Rec, recVal Result)::G)
< apply NEq to _.
Subgoal 9.2:
Variables: S SG1 G V Fields Result Rec E RecFields S1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
============================
public_equiv SG1 G ((Rec, recVal Result)::G)
< unfold .
Subgoal 9.2.1:
Variables: S SG1 G V Fields Result Rec E RecFields S1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
============================
forall X V1 V2,
lookup SG1 X public -> lookup G X V1 -> lookup ((Rec, recVal Result)::G) X V2 ->
V1 = V2
< intros LkpSec LkpA LkpB.
Subgoal 9.2.1:
Variables: S SG1 G V Fields Result Rec E RecFields S1 X V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpA : lookup G X V1
LkpB : lookup ((Rec, recVal Result)::G) X V2
============================
V1 = V2
< LkpB: case LkpB.
Subgoal 9.2.1.1:
Variables: S SG1 G V Fields Result E RecFields S1 X V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate X RecFields E) ((X, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G X (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X public
LkpA : lookup G X V1
============================
V1 = recVal Result
< apply lookup_unique to Sec1 LkpSec.
Subgoal 9.2.1.2:
Variables: S SG1 G V Fields Result Rec E RecFields S1 X V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpA : lookup G X V1
LkpB : Rec = X -> false
LkpB1 : lookup G X V2
============================
V1 = V2
< apply lookup_unique to LkpA LkpB1.
Subgoal 9.2.1.2:
Variables: S SG1 G V Fields Result Rec E RecFields S1 X V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpA : lookup G X V2
LkpB : Rec = X -> false
LkpB1 : lookup G X V2
============================
V2 = V2
< search.
Subgoal 9.2.2:
Variables: S SG1 G V Fields Result Rec E RecFields S1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
============================
forall X V,
lookup SG1 X public -> lookup G X V -> lookup ((Rec, recVal Result)::G) X V
< intros LkpSec LkpG.
Subgoal 9.2.2:
Variables: S SG1 G V Fields Result Rec E RecFields S1 X V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpG : lookup G X V1
============================
lookup ((Rec, recVal Result)::G) X V1
< Or: apply lookup_eq_or_not to Sec1 LkpSec.
Subgoal 9.2.2:
Variables: S SG1 G V Fields Result Rec E RecFields S1 X V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpG : lookup G X V1
Or : Rec = X \/ (Rec = X -> false)
============================
lookup ((Rec, recVal Result)::G) X V1
< Eq: case Or.
Subgoal 9.2.2.1:
Variables: S SG1 G V Fields Result E RecFields S1 X V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate X RecFields E) ((X, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G X (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X public
LkpG : lookup G X V1
============================
lookup ((X, recVal Result)::G) X V1
< apply lookup_unique to Sec1 LkpSec.
Subgoal 9.2.2.2:
Variables: S SG1 G V Fields Result Rec E RecFields S1 X V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpG : lookup G X V1
Eq : Rec = X -> false
============================
lookup ((Rec, recVal Result)::G) X V1
< search.
Subgoal 9.2.3:
Variables: S SG1 G V Fields Result Rec E RecFields S1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
============================
forall X V,
lookup SG1 X public -> lookup ((Rec, recVal Result)::G) X V -> lookup G X V
< intros LkpSec LkpG+.
Subgoal 9.2.3:
Variables: S SG1 G V Fields Result Rec E RecFields S1 X V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpG+ : lookup ((Rec, recVal Result)::G) X V1
============================
lookup G X V1
< Lkp: case LkpG+.
Subgoal 9.2.3.1:
Variables: S SG1 G V Fields Result E RecFields S1 X
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate X RecFields E) ((X, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G X (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X public
============================
lookup G X (recVal Result)
< apply lookup_unique to Sec1 LkpSec.
Subgoal 9.2.3.2:
Variables: S SG1 G V Fields Result Rec E RecFields S1 X V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (recUpdate Rec RecFields E) ((Rec, recVal Result)::G) @
Ev1 : eval_e G E V
Ev2 : lookup G Rec (recVal Fields)
Ev3 : update_rec_fields RecFields Fields V Result
Sec : level SG1 E S1
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup G X V1
============================
lookup G X V1
< search.
Subgoal 10:
Variables: S SG SG1 G V X E Ty S1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG (declareSec X S1 Ty E) SG1
NEq : S = public -> false
Ev : eval_c G (declareSec X S1 Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
============================
public_equiv SG G ((X, V)::G)
< Sec: case Sec.
Subgoal 10.1:
Variables: S SG G V X E Ty S2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
============================
public_equiv SG G ((X, V)::G)
< unfold .
Subgoal 10.1.1:
Variables: S SG G V X E Ty S2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
============================
forall X1 V1 V2,
lookup SG X1 public -> lookup G X1 V1 -> lookup ((X, V)::G) X1 V2 -> V1 = V2
< intros LkpSec LkpA LkpB.
Subgoal 10.1.1:
Variables: S SG G V X E Ty S2 X1 V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
LkpSec : lookup SG X1 public
LkpA : lookup G X1 V1
LkpB : lookup ((X, V)::G) X1 V2
============================
V1 = V2
< LkpB: case LkpB.
Subgoal 10.1.1.1:
Variables: S SG G E Ty S2 X1 V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X1 private Ty E) ((X1, V2)::G) @
Ev1 : eval_e G E V2
Sec : level SG E S2
Sec1 : no_lookup SG X1
LkpSec : lookup SG X1 public
LkpA : lookup G X1 V1
============================
V1 = V2
< apply no_lookup to Sec1 LkpSec.
Subgoal 10.1.1.2:
Variables: S SG G V X E Ty S2 X1 V1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
LkpSec : lookup SG X1 public
LkpA : lookup G X1 V1
LkpB : X = X1 -> false
LkpB1 : lookup G X1 V2
============================
V1 = V2
< apply lookup_unique to LkpA LkpB1.
Subgoal 10.1.1.2:
Variables: S SG G V X E Ty S2 X1 V2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
LkpSec : lookup SG X1 public
LkpA : lookup G X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup G X1 V2
============================
V2 = V2
< search.
Subgoal 10.1.2:
Variables: S SG G V X E Ty S2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
============================
forall X1 V1, lookup SG X1 public -> lookup G X1 V1 -> lookup ((X, V)::G) X1 V1
< intros LkpSec LkpG.
Subgoal 10.1.2:
Variables: S SG G V X E Ty S2 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
LkpSec : lookup SG X1 public
LkpG : lookup G X1 V1
============================
lookup ((X, V)::G) X1 V1
< assert X = X1 -> false.
Subgoal 10.1.2.1:
Variables: S SG G V X E Ty S2 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
LkpSec : lookup SG X1 public
LkpG : lookup G X1 V1
============================
X = X1 -> false
< intros Eq.
Subgoal 10.1.2.1:
Variables: S SG G V X E Ty S2 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
LkpSec : lookup SG X1 public
LkpG : lookup G X1 V1
Eq : X = X1
============================
false
< case Eq.
Subgoal 10.1.2.1:
Variables: S SG G V E Ty S2 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X1 private Ty E) ((X1, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X1
LkpSec : lookup SG X1 public
LkpG : lookup G X1 V1
============================
false
< apply no_lookup to Sec1 LkpSec.
Subgoal 10.1.2:
Variables: S SG G V X E Ty S2 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
LkpSec : lookup SG X1 public
LkpG : lookup G X1 V1
H1 : X = X1 -> false
============================
lookup ((X, V)::G) X1 V1
< search.
Subgoal 10.1.3:
Variables: S SG G V X E Ty S2
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
============================
forall X1 V1, lookup SG X1 public -> lookup ((X, V)::G) X1 V1 -> lookup G X1 V1
< intros LkpSec LkpG+.
Subgoal 10.1.3:
Variables: S SG G V X E Ty S2 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
LkpSec : lookup SG X1 public
LkpG+ : lookup ((X, V)::G) X1 V1
============================
lookup G X1 V1
< Lkp: case LkpG+.
Subgoal 10.1.3.1:
Variables: S SG G E Ty S2 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X1 private Ty E) ((X1, V1)::G) @
Ev1 : eval_e G E V1
Sec : level SG E S2
Sec1 : no_lookup SG X1
LkpSec : lookup SG X1 public
============================
lookup G X1 V1
< apply no_lookup to Sec1 LkpSec.
Subgoal 10.1.3.2:
Variables: S SG G V X E Ty S2 X1 V1
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G (declareSec X private Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E S2
Sec1 : no_lookup SG X
LkpSec : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup G X1 V1
============================
lookup G X1 V1
< search.
Subgoal 10.2:
Variables: SG G V X E Ty
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : public = public -> false
Ev : eval_c G (declareSec X public Ty E) ((X, V)::G) @
Ev1 : eval_e G E V
Sec : level SG E public
Sec1 : no_lookup SG X
============================
public_equiv SG G ((X, V)::G)
< apply NEq to _.
Subgoal 11:
Variables: S SG SG1 G G1 T
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
Sec : secure S SG <unknown K eval_c> SG1
NEq : S = public -> false
Ev : eval_c G <unknown K eval_c> G1 @
Ev1 : |{c}- <unknown K eval_c> ~~> T
Ev2 : eval_c G T G1 *
============================
public_equiv SG G G1
< Sec: case Sec.
Subgoal 11:
Variables: S SG SG1 G G1 T CT
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G <unknown K eval_c> G1 @
Ev1 : |{c}- <unknown K eval_c> ~~> T
Ev2 : eval_c G T G1 *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure S SG CT SG1
============================
public_equiv SG G G1
< apply proj_c_unique to Ev1 Sec.
Subgoal 11:
Variables: S SG SG1 G G1 CT
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G <unknown K eval_c> G1 @
Ev1 : |{c}- <unknown K eval_c> ~~> CT
Ev2 : eval_c G CT G1 *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure S SG CT SG1
============================
public_equiv SG G G1
< apply IH to _ _ Ev2.
Subgoal 11:
Variables: S SG SG1 G G1 CT
IH : forall C S SG SG1 G G1,
secure S SG C SG1 -> (S = public -> false) -> eval_c G C G1 * -> public_equiv SG G G1
NEq : S = public -> false
Ev : eval_c G <unknown K eval_c> G1 @
Ev1 : |{c}- <unknown K eval_c> ~~> CT
Ev2 : eval_c G CT G1 *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure S SG CT SG1
H1 : public_equiv SG G G1
============================
public_equiv SG G G1
< search.
Proof completed.
< Theorem while_no_public_change :
forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 -> public_equiv SG G G2.
============================
forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 -> public_equiv SG G G2
< induction on 4.
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
============================
forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 @ -> public_equiv SG G G2
< intros Sec Lev NEq Ev.
Variables: PC SG SG' Cond Body S G G2
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Sec : secure PC SG (while Cond Body) SG'
Lev : level SG Cond S
NEq : S = public -> false
Ev : eval_c G (while Cond Body) G2 @
============================
public_equiv SG G G2
< Ev: case Ev.
Subgoal 1:
Variables: PC SG SG' Cond Body S G2
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Sec : secure PC SG (while Cond Body) SG'
Lev : level SG Cond S
NEq : S = public -> false
Ev : eval_e G2 Cond falseVal
============================
public_equiv SG G2 G2
< backchain public_equiv_refl.
Subgoal 2:
Variables: PC SG SG' Cond Body S G G2 G1
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Sec : secure PC SG (while Cond Body) SG'
Lev : level SG Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
============================
public_equiv SG G G2
< EqG1G2: apply IH to Sec Lev NEq Ev2.
Subgoal 2:
Variables: PC SG SG' Cond Body S G G2 G1
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Sec : secure PC SG (while Cond Body) SG'
Lev : level SG Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG G1 G2
============================
public_equiv SG G G2
< Sec: case Sec.
Subgoal 2:
Variables: PC SG' Cond Body S G G2 G1 S1 NewPC G3
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond S1
Sec1 : join PC S1 NewPC
Sec2 : secure NewPC SG' Body G3
============================
public_equiv SG' G G2
< EqGG1: apply stmt_not_public_no_public_change to Sec2 _ Ev1.
Subgoal 2.1:
Variables: PC SG' Cond Body S G G2 G1 S1 NewPC G3
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond S1
Sec1 : join PC S1 NewPC
Sec2 : secure NewPC SG' Body G3
============================
NewPC = public -> false
< intros Eq.
Subgoal 2.1:
Variables: PC SG' Cond Body S G G2 G1 S1 NewPC G3
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond S1
Sec1 : join PC S1 NewPC
Sec2 : secure NewPC SG' Body G3
Eq : NewPC = public
============================
false
< case Eq.
Subgoal 2.1:
Variables: PC SG' Cond Body S G G2 G1 S1 G3
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond S1
Sec1 : join PC S1 public
Sec2 : secure public SG' Body G3
============================
false
< apply join_public to Sec1.
Subgoal 2.1:
Variables: SG' Cond Body S G G2 G1 G3
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond public
Sec1 : join public public public
Sec2 : secure public SG' Body G3
============================
false
< apply level_unique to Lev Sec.
Subgoal 2.1:
Variables: SG' Cond Body G G2 G1 G3
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond public
NEq : public = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond public
Sec1 : join public public public
Sec2 : secure public SG' Body G3
============================
false
< backchain NEq.
Subgoal 2:
Variables: PC SG' Cond Body S G G2 G1 S1 NewPC G3
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond S1
Sec1 : join PC S1 NewPC
Sec2 : secure NewPC SG' Body G3
EqGG1 : public_equiv SG' G G1
============================
public_equiv SG' G G2
< apply public_equiv_trans to EqGG1 EqG1G2.
Subgoal 2:
Variables: PC SG' Cond Body S G G2 G1 S1 NewPC G3
IH : forall PC SG SG' Cond Body S G G2,
secure PC SG (while Cond Body) SG' -> level SG Cond S -> (S = public -> false) ->
eval_c G (while Cond Body) G2 * -> public_equiv SG G G2
Lev : level SG' Cond S
NEq : S = public -> false
Ev : eval_e G Cond trueVal
Ev1 : eval_c G Body G1 *
Ev2 : eval_c G1 (while Cond Body) G2 *
EqG1G2 : public_equiv SG' G1 G2
Sec : level SG' Cond S1
Sec1 : join PC S1 NewPC
Sec2 : secure NewPC SG' Body G3
EqGG1 : public_equiv SG' G G1
H1 : public_equiv SG' G G2
============================
public_equiv SG' G G2
< search.
Proof completed.
< Extensible_Theorem
stmt_secure : forall C PC SG SG1 GA GA' GB GB',
Is : is_c C ->
Sec : secure PC SG C SG1 ->
Rel : public_equiv SG GA GB ->
EvA : eval_c GA C GA' ->
EvB : eval_c GB C GB' ->
public_equiv SG1 GA' GB'
on EvA.
Subgoal 1:
Variables: PC SG SG1 GA' GB GB'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c noop
Sec : secure PC SG noop SG1
Rel : public_equiv SG GA' GB
EvA : eval_c GA' noop GA' @
EvB : eval_c GB noop GB'
============================
public_equiv SG1 GA' GB'
< case EvB.
Subgoal 1:
Variables: PC SG SG1 GA' GB'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c noop
Sec : secure PC SG noop SG1
Rel : public_equiv SG GA' GB'
EvA : eval_c GA' noop GA' @
============================
public_equiv SG1 GA' GB'
< case Sec.
Subgoal 1:
Variables: PC SG1 GA' GB'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c noop
Rel : public_equiv SG1 GA' GB'
EvA : eval_c GA' noop GA' @
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 2:
Variables: PC SG SG1 GA GA' GB GB' G1 C2 C1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (seq C1 C2)
Sec : secure PC SG (seq C1 C2) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (seq C1 C2) GA' @
EvB : eval_c GB (seq C1 C2) GB'
EvA1 : eval_c GA C1 G1 *
EvA2 : eval_c G1 C2 GA' *
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 2:
Variables: PC SG SG1 GA GA' GB GB' G1 C2 C1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (seq C1 C2)
Sec : secure PC SG (seq C1 C2) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (seq C1 C2) GA' @
EvA1 : eval_c GA C1 G1 *
EvA2 : eval_c G1 C2 GA' *
EvB : eval_c GB C1 G2
EvB1 : eval_c G2 C2 GB'
============================
public_equiv SG1 GA' GB'
< Sec: case Sec.
Subgoal 2:
Variables: PC SG SG1 GA GA' GB GB' G1 C2 C1 G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (seq C1 C2)
Rel : public_equiv SG GA GB
EvA : eval_c GA (seq C1 C2) GA' @
EvA1 : eval_c GA C1 G1 *
EvA2 : eval_c G1 C2 GA' *
EvB : eval_c GB C1 G2
EvB1 : eval_c G2 C2 GB'
Sec : secure PC SG C1 G3
Sec1 : secure PC G3 C2 SG1
============================
public_equiv SG1 GA' GB'
< Is: case Is.
Subgoal 2:
Variables: PC SG SG1 GA GA' GB GB' G1 C2 C1 G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (seq C1 C2) GA' @
EvA1 : eval_c GA C1 G1 *
EvA2 : eval_c G1 C2 GA' *
EvB : eval_c GB C1 G2
EvB1 : eval_c G2 C2 GB'
Sec : secure PC SG C1 G3
Sec1 : secure PC G3 C2 SG1
Is : is_c C1
Is1 : is_c C2
============================
public_equiv SG1 GA' GB'
< apply IH to _ _ _ EvA1 EvB.
Subgoal 2:
Variables: PC SG SG1 GA GA' GB GB' G1 C2 C1 G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (seq C1 C2) GA' @
EvA1 : eval_c GA C1 G1 *
EvA2 : eval_c G1 C2 GA' *
EvB : eval_c GB C1 G2
EvB1 : eval_c G2 C2 GB'
Sec : secure PC SG C1 G3
Sec1 : secure PC G3 C2 SG1
Is : is_c C1
Is1 : is_c C2
H1 : public_equiv G3 G1 G2
============================
public_equiv SG1 GA' GB'
< apply IH to _ _ _ EvA2 EvB1.
Subgoal 2:
Variables: PC SG SG1 GA GA' GB GB' G1 C2 C1 G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (seq C1 C2) GA' @
EvA1 : eval_c GA C1 G1 *
EvA2 : eval_c G1 C2 GA' *
EvB : eval_c GB C1 G2
EvB1 : eval_c G2 C2 GB'
Sec : secure PC SG C1 G3
Sec1 : secure PC G3 C2 SG1
Is : is_c C1
Is1 : is_c C2
H1 : public_equiv G3 G1 G2
H2 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 3:
Variables: PC SG SG1 GA GB GB' V X E Ty
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (declare X Ty E)
Sec : secure PC SG (declare X Ty E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V)::GA) @
EvB : eval_c GB (declare X Ty E) GB'
EvA1 : eval_e GA E V
============================
public_equiv SG1 ((X, V)::GA) GB'
< EvB: case EvB.
Subgoal 3:
Variables: PC SG SG1 GA GB V X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (declare X Ty E)
Sec : secure PC SG (declare X Ty E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
============================
public_equiv SG1 ((X, V)::GA) ((X, V1)::GB)
< Sec: case Sec.
Subgoal 3:
Variables: SG GA GB V X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (declare X Ty E)
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
============================
public_equiv ((X, public)::SG) ((X, V)::GA) ((X, V1)::GB)
< Is: case Is.
Subgoal 3:
Variables: SG GA GB V X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
============================
public_equiv ((X, public)::SG) ((X, V)::GA) ((X, V1)::GB)
< apply level_secure to _ _ Rel EvA1 EvB.
Subgoal 3:
Variables: SG GA GB X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
============================
public_equiv ((X, public)::SG) ((X, V1)::GA) ((X, V1)::GB)
< unfold .
Subgoal 3.1:
Variables: SG GA GB X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
============================
forall X1 V2 V3,
lookup ((X, public)::SG) X1 public -> lookup ((X, V1)::GA) X1 V2 -> lookup ((X, V1)::GB) X1 V3 ->
V2 = V3
< intros LkpSec LkpA LkpB.
Subgoal 3.1:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X, public)::SG) X1 public
LkpA : lookup ((X, V1)::GA) X1 V2
LkpB : lookup ((X, V1)::GB) X1 V3
============================
V2 = V3
< LkpA: case LkpA.
Subgoal 3.1.1:
Variables: SG GA GB E Ty X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X1, public)::SG) X1 public
LkpB : lookup ((X1, V2)::GB) X1 V3
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 3.1.1.1:
Variables: SG GA GB E Ty X1 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V3)::GA) @
EvA1 : eval_e GA E V3
EvB : eval_e GB E V3
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X1, public)::SG) X1 public
============================
V3 = V3
< search.
Subgoal 3.1.1.2:
Variables: SG GA GB E Ty X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X1, public)::SG) X1 public
LkpB : X1 = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< apply LkpB to _.
Subgoal 3.1.2:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X, public)::SG) X1 public
LkpB : lookup ((X, V1)::GB) X1 V3
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 3.1.2.1:
Variables: SG GA GB E Ty X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V3)::GA) @
EvA1 : eval_e GA E V3
EvB : eval_e GB E V3
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X1, public)::SG) X1 public
LkpA : X1 = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< apply LkpA to _.
Subgoal 3.1.2.2:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X, public)::SG) X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< Rel: case Rel.
Subgoal 3.1.2.2:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X, public)::SG) X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
V2 = V3
< LkpSec: case LkpSec.
Subgoal 3.1.2.2.1:
Variables: SG GA GB E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declare X1 Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpA : X1 = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X1 = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
V2 = V3
< apply LkpA to _.
Subgoal 3.1.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
V2 = V3
< apply Rel to LkpSec1 LkpA1 LkpB1.
Subgoal 3.1.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V3
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
V3 = V3
< search.
Subgoal 3.2:
Variables: SG GA GB X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
============================
forall X1 V,
lookup ((X, public)::SG) X1 public -> lookup ((X, V1)::GA) X1 V -> lookup ((X, V1)::GB) X1 V
< intros LkpSec LkpA.
Subgoal 3.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X, public)::SG) X1 public
LkpA : lookup ((X, V1)::GA) X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< LkpSec: case LkpSec.
Subgoal 3.2.1:
Variables: SG GA GB E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpA : lookup ((X1, V1)::GA) X1 V2
============================
lookup ((X1, V1)::GB) X1 V2
< LkpA: case LkpA.
Subgoal 3.2.1.1:
Variables: SG GA GB E Ty X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
============================
lookup ((X1, V2)::GB) X1 V2
< search.
Subgoal 3.2.1.2:
Variables: SG GA GB E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpA : X1 = X1 -> false
LkpA1 : lookup GA X1 V2
============================
lookup ((X1, V1)::GB) X1 V2
< apply LkpA to _.
Subgoal 3.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpA : lookup ((X, V1)::GA) X1 V2
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X, V1)::GB) X1 V2
< LkpA: case LkpA.
Subgoal 3.2.2.1:
Variables: SG GA GB E Ty X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X1 = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X1, V2)::GB) X1 V2
< apply LkpSec to _.
Subgoal 3.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< Rel: case Rel.
Subgoal 3.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V1)::GB) X1 V2
< apply Rel1 to LkpSec1 LkpA1.
Subgoal 3.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GB X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< search.
Subgoal 3.3:
Variables: SG GA GB X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
============================
forall X1 V,
lookup ((X, public)::SG) X1 public -> lookup ((X, V1)::GB) X1 V -> lookup ((X, V1)::GA) X1 V
< intros LkpSec LkpB.
Subgoal 3.3:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : lookup ((X, public)::SG) X1 public
LkpB : lookup ((X, V1)::GB) X1 V2
============================
lookup ((X, V1)::GA) X1 V2
< LkpSec: case LkpSec.
Subgoal 3.3.1:
Variables: SG GA GB E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpB : lookup ((X1, V1)::GB) X1 V2
============================
lookup ((X1, V1)::GA) X1 V2
< LkpB: case LkpB.
Subgoal 3.3.1.1:
Variables: SG GA GB E Ty X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
============================
lookup ((X1, V2)::GA) X1 V2
< search.
Subgoal 3.3.1.2:
Variables: SG GA GB E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpB : X1 = X1 -> false
LkpB1 : lookup GB X1 V2
============================
lookup ((X1, V1)::GA) X1 V2
< apply LkpB to _.
Subgoal 3.3.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpB : lookup ((X, V1)::GB) X1 V2
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X, V1)::GA) X1 V2
< LkpB: case LkpB.
Subgoal 3.3.2.1:
Variables: SG GA GB E Ty X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X1 Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Sec : level SG E public
Sec1 : no_lookup SG X1
Is : is_string X1
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X1 = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X1, V2)::GA) X1 V2
< apply LkpSec to _.
Subgoal 3.3.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V2
============================
lookup ((X, V1)::GA) X1 V2
< Rel: case Rel.
Subgoal 3.3.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V1)::GA) X1 V2
< apply Rel2 to LkpSec1 LkpB1.
Subgoal 3.3.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declare X Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Sec : level SG E public
Sec1 : no_lookup SG X
Is : is_string X
Is1 : is_ty Ty
Is2 : is_e E
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GA X1 V2
============================
lookup ((X, V1)::GA) X1 V2
< search.
Subgoal 4:
Variables: PC SG SG1 GA GB GB' V X E
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (assign X E)
Sec : secure PC SG (assign X E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvB : eval_c GB (assign X E) GB'
EvA1 : eval_e GA E V
============================
public_equiv SG1 ((X, V)::GA) GB'
< EvB: case EvB.
Subgoal 4:
Variables: PC SG SG1 GA GB V X E V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (assign X E)
Sec : secure PC SG (assign X E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
============================
public_equiv SG1 ((X, V)::GA) ((X, V1)::GB)
< Is: case Is.
Subgoal 4:
Variables: PC SG SG1 GA GB V X E V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Sec : secure PC SG (assign X E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
============================
public_equiv SG1 ((X, V)::GA) ((X, V1)::GB)
< Sec: case Sec.
Subgoal 4.1:
Variables: SG1 GA GB V X E V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
============================
public_equiv SG1 ((X, V)::GA) ((X, V1)::GB)
< apply level_secure to _ Sec Rel EvA1 EvB.
Subgoal 4.1:
Variables: SG1 GA GB X E V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
============================
public_equiv SG1 ((X, V1)::GA) ((X, V1)::GB)
< unfold .
Subgoal 4.1.1:
Variables: SG1 GA GB X E V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
============================
forall X1 V2 V3,
lookup SG1 X1 public -> lookup ((X, V1)::GA) X1 V2 -> lookup ((X, V1)::GB) X1 V3 ->
V2 = V3
< intros LkpSec LkpA LkpB.
Subgoal 4.1.1:
Variables: SG1 GA GB X E V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpA : lookup ((X, V1)::GA) X1 V2
LkpB : lookup ((X, V1)::GB) X1 V3
============================
V2 = V3
< LkpA: case LkpA.
Subgoal 4.1.1.1:
Variables: SG1 GA GB E X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X1 public
LkpSec : lookup SG1 X1 public
LkpB : lookup ((X1, V2)::GB) X1 V3
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 4.1.1.1.1:
Variables: SG1 GA GB E X1 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V3)::GA) @
EvA1 : eval_e GA E V3
EvB : eval_e GB E V3
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X1 public
LkpSec : lookup SG1 X1 public
============================
V3 = V3
< search.
Subgoal 4.1.1.1.2:
Variables: SG1 GA GB E X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X1 public
LkpSec : lookup SG1 X1 public
LkpB : X1 = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< apply LkpB to _.
Subgoal 4.1.1.2:
Variables: SG1 GA GB X E V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpB : lookup ((X, V1)::GB) X1 V3
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 4.1.1.2.1:
Variables: SG1 GA GB E X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V3)::GA) @
EvA1 : eval_e GA E V3
EvB : eval_e GB E V3
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X1 public
LkpSec : lookup SG1 X1 public
LkpA : X1 = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< apply LkpA to _.
Subgoal 4.1.1.2.2:
Variables: SG1 GA GB X E V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< Rel: case Rel.
Subgoal 4.1.1.2.2:
Variables: SG1 GA GB X E V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
V2 = V3
< apply Rel to LkpSec LkpA1 LkpB1.
Subgoal 4.1.1.2.2:
Variables: SG1 GA GB X E V1 X1 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V3
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
V3 = V3
< search.
Subgoal 4.1.2:
Variables: SG1 GA GB X E V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
============================
forall X1 V,
lookup SG1 X1 public -> lookup ((X, V1)::GA) X1 V -> lookup ((X, V1)::GB) X1 V
< intros LkpSec LkpA.
Subgoal 4.1.2:
Variables: SG1 GA GB X E V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpA : lookup ((X, V1)::GA) X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< LkpA: case LkpA.
Subgoal 4.1.2.1:
Variables: SG1 GA GB E X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X1 public
LkpSec : lookup SG1 X1 public
============================
lookup ((X1, V2)::GB) X1 V2
< search.
Subgoal 4.1.2.2:
Variables: SG1 GA GB X E V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< Rel: case Rel.
Subgoal 4.1.2.2:
Variables: SG1 GA GB X E V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V1)::GB) X1 V2
< apply Rel1 to LkpSec LkpA1.
Subgoal 4.1.2.2:
Variables: SG1 GA GB X E V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
H1 : lookup GB X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< search.
Subgoal 4.1.3:
Variables: SG1 GA GB X E V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
============================
forall X1 V,
lookup SG1 X1 public -> lookup ((X, V1)::GB) X1 V -> lookup ((X, V1)::GA) X1 V
< intros LkpSec LkpB.
Subgoal 4.1.3:
Variables: SG1 GA GB X E V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpB : lookup ((X, V1)::GB) X1 V2
============================
lookup ((X, V1)::GA) X1 V2
< LkpB: case LkpB.
Subgoal 4.1.3.1:
Variables: SG1 GA GB E X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X1 public
LkpSec : lookup SG1 X1 public
============================
lookup ((X1, V2)::GA) X1 V2
< search.
Subgoal 4.1.3.2:
Variables: SG1 GA GB X E V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V2
============================
lookup ((X, V1)::GA) X1 V2
< Rel: case Rel.
Subgoal 4.1.3.2:
Variables: SG1 GA GB X E V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V1)::GA) X1 V2
< apply Rel2 to LkpSec LkpB1.
Subgoal 4.1.3.2:
Variables: SG1 GA GB X E V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
LkpSec : lookup SG1 X1 public
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
H1 : lookup GA X1 V2
============================
lookup ((X, V1)::GA) X1 V2
< search.
Subgoal 4.2:
Variables: PC SG1 GA GB V X E V1 S
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
============================
public_equiv SG1 ((X, V)::GA) ((X, V1)::GB)
< unfold .
Subgoal 4.2.1:
Variables: PC SG1 GA GB V X E V1 S
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
============================
forall X1 V2 V3,
lookup SG1 X1 public -> lookup ((X, V)::GA) X1 V2 -> lookup ((X, V1)::GB) X1 V3 ->
V2 = V3
< intros LkpSec LkpA LkpB.
Subgoal 4.2.1:
Variables: PC SG1 GA GB V X E V1 S X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : lookup ((X, V)::GA) X1 V2
LkpB : lookup ((X, V1)::GB) X1 V3
============================
V2 = V3
< LkpA: case LkpA.
Subgoal 4.2.1.1:
Variables: PC SG1 GA GB E V1 S X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X1 private
LkpSec : lookup SG1 X1 public
LkpB : lookup ((X1, V1)::GB) X1 V3
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 4.2.1.1.1:
Variables: PC SG1 GA GB E S X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V3
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X1 private
LkpSec : lookup SG1 X1 public
============================
V2 = V3
< apply lookup_unique to Sec1 LkpSec.
Subgoal 4.2.1.1.2:
Variables: PC SG1 GA GB E V1 S X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X1 private
LkpSec : lookup SG1 X1 public
LkpB : X1 = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< apply LkpB to _.
Subgoal 4.2.1.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpB : lookup ((X, V1)::GB) X1 V3
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 4.2.1.2.1:
Variables: PC SG1 GA GB V E S X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V3
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X1 private
LkpSec : lookup SG1 X1 public
LkpA : X1 = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< apply LkpA to _.
Subgoal 4.2.1.2.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< Rel: case Rel.
Subgoal 4.2.1.2.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
V2 = V3
< apply Rel to LkpSec LkpA1 LkpB1.
Subgoal 4.2.1.2.2:
Variables: PC SG1 GA GB V X E V1 S X1 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V3
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
V3 = V3
< search.
Subgoal 4.2.2:
Variables: PC SG1 GA GB V X E V1 S
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
============================
forall X1 V2,
lookup SG1 X1 public -> lookup ((X, V)::GA) X1 V2 -> lookup ((X, V1)::GB) X1 V2
< intros LkpSec LkpA.
Subgoal 4.2.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : lookup ((X, V)::GA) X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< LkpA: case LkpA.
Subgoal 4.2.2.1:
Variables: PC SG1 GA GB E V1 S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X1 private
LkpSec : lookup SG1 X1 public
============================
lookup ((X1, V1)::GB) X1 V2
< apply lookup_unique to Sec1 LkpSec.
Subgoal 4.2.2.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< Rel: case Rel.
Subgoal 4.2.2.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V1)::GB) X1 V2
< apply Rel1 to LkpSec LkpA1.
Subgoal 4.2.2.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
H1 : lookup GB X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< search.
Subgoal 4.2.3:
Variables: PC SG1 GA GB V X E V1 S
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
============================
forall X1 V2,
lookup SG1 X1 public -> lookup ((X, V1)::GB) X1 V2 -> lookup ((X, V)::GA) X1 V2
< intros LkpSec LkpB.
Subgoal 4.2.3:
Variables: PC SG1 GA GB V X E V1 S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpB : lookup ((X, V1)::GB) X1 V2
============================
lookup ((X, V)::GA) X1 V2
< LkpB: case LkpB.
Subgoal 4.2.3.1:
Variables: PC SG1 GA GB V E S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X1 E) ((X1, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X1 private
LkpSec : lookup SG1 X1 public
============================
lookup ((X1, V)::GA) X1 V2
< apply lookup_unique to Sec1 LkpSec.
Subgoal 4.2.3.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V2
============================
lookup ((X, V)::GA) X1 V2
< Rel: case Rel.
Subgoal 4.2.3.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V)::GA) X1 V2
< apply Rel2 to LkpSec LkpB1.
Subgoal 4.2.3.2:
Variables: PC SG1 GA GB V X E V1 S X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (assign X E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X1 public
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
H1 : lookup GA X1 V2
============================
lookup ((X, V)::GA) X1 V2
< search.
Subgoal 5:
Variables: PC SG SG1 GA GA' GB GB' Else Then Cond
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (ifThenElse Cond Then Else)
Sec : secure PC SG (ifThenElse Cond Then Else) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvB : eval_c GB (ifThenElse Cond Then Else) GB'
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
============================
public_equiv SG1 GA' GB'
< Is: case Is.
Subgoal 5:
Variables: PC SG SG1 GA GA' GB GB' Else Then Cond
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Sec : secure PC SG (ifThenElse Cond Then Else) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvB : eval_c GB (ifThenElse Cond Then Else) GB'
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
============================
public_equiv SG1 GA' GB'
< Sec: case Sec.
Subgoal 5:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvB : eval_c GB (ifThenElse Cond Then Else) GB'
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 5.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
============================
public_equiv SG1 GA' GB'
< EqGA'GB': apply IH to _ _ _ EvA2 EvB1.
Subgoal 5.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
EqGA'GB' : public_equiv GTh GA' GB'
============================
public_equiv SG1 GA' GB'
< LkpEq: assert forall X,
lookup SG1 X public -> lookup GTh X public.
Subgoal 5.1.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
EqGA'GB' : public_equiv GTh GA' GB'
============================
forall X, lookup SG1 X public -> lookup GTh X public
< intros Lkp.
Subgoal 5.1.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
EqGA'GB' : public_equiv GTh GA' GB'
Lkp : lookup SG1 X public
============================
lookup GTh X public
< apply stmt_public_branch to Sec2 EvA2 Lkp.
Subgoal 5.1.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
EqGA'GB' : public_equiv GTh GA' GB'
Lkp : lookup SG1 X public
H1 : lookup GTh X public
============================
lookup GTh X public
< search.
Subgoal 5.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
EqGA'GB' : public_equiv GTh GA' GB'
LkpEq : forall X, lookup SG1 X public -> lookup GTh X public
============================
public_equiv SG1 GA' GB'
< apply public_equiv_swap to LkpEq EqGA'GB'.
Subgoal 5.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
EqGA'GB' : public_equiv GTh GA' GB'
LkpEq : forall X, lookup SG1 X public -> lookup GTh X public
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 5.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
============================
public_equiv SG1 GA' GB'
< NEq: assert S = public -> false.
Subgoal 5.2.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
============================
S = public -> false
< intros Eq.
Subgoal 5.2.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
Eq : S = public
============================
false
< case Eq.
Subgoal 5.2.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond public
Sec1 : join PC public NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
============================
false
< apply level_not_public to Is _ _ EvA1 EvB _.
Subgoal 5.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
============================
public_equiv SG1 GA' GB'
< EqGAGA': apply stmt_not_public_no_public_change to Sec2 _ EvA2.
Subgoal 5.2.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
============================
NewPC = public -> false
< intros E.
Subgoal 5.2.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
E : NewPC = public
============================
false
< case E.
Subgoal 5.2.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
============================
false
< apply join_public to Sec1.
Subgoal 5.2.2:
Variables: SG1 GA GA' GB GB' Else Then Cond GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond public
Sec1 : join public public public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : public = public -> false
============================
false
< backchain NEq.
Subgoal 5.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
public_equiv SG1 GA' GB'
< EqGBGB': apply stmt_not_public_no_public_change to Sec3 _ EvB1.
Subgoal 5.2.3:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
NewPC = public -> false
< intros E.
Subgoal 5.2.3:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
E : NewPC = public
============================
false
< case E.
Subgoal 5.2.3:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
false
< apply join_public to Sec1.
Subgoal 5.2.3:
Variables: SG1 GA GA' GB GB' Else Then Cond GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond public
Sec1 : join public public public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : public = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
false
< backchain NEq.
Subgoal 5.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
============================
public_equiv SG1 GA' GB'
< EqGAGB': apply public_equiv_trans to Rel EqGBGB'.
Subgoal 5.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
============================
public_equiv SG1 GA' GB'
< EqGA'GA: apply public_equiv_symm to EqGAGA'.
Subgoal 5.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
============================
public_equiv SG1 GA' GB'
< EqGA'GB: apply public_equiv_trans to EqGA'GA Rel.
Subgoal 5.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
EqGA'GB : public_equiv SG1 GA' GB
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to EqGA'GB EqGBGB'.
Subgoal 5.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Then GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
EqGA'GB : public_equiv SG1 GA' GB
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 6:
Variables: PC SG SG1 GA GA' GB GB' Else Then Cond
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (ifThenElse Cond Then Else)
Sec : secure PC SG (ifThenElse Cond Then Else) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvB : eval_c GB (ifThenElse Cond Then Else) GB'
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
============================
public_equiv SG1 GA' GB'
< Is: case Is.
Subgoal 6:
Variables: PC SG SG1 GA GA' GB GB' Else Then Cond
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Sec : secure PC SG (ifThenElse Cond Then Else) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvB : eval_c GB (ifThenElse Cond Then Else) GB'
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
============================
public_equiv SG1 GA' GB'
< Sec: case Sec.
Subgoal 6:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvB : eval_c GB (ifThenElse Cond Then Else) GB'
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 6.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
============================
public_equiv SG1 GA' GB'
< NEq: assert S = public -> false.
Subgoal 6.1.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
============================
S = public -> false
< intros Eq.
Subgoal 6.1.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
Eq : S = public
============================
false
< case Eq.
Subgoal 6.1.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond public
Sec1 : join PC public NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
============================
false
< apply level_not_public to Is _ _ EvA1 EvB _.
Subgoal 6.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
============================
public_equiv SG1 GA' GB'
< EqGAGA': apply stmt_not_public_no_public_change to Sec3 _ EvA2.
Subgoal 6.1.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
============================
NewPC = public -> false
< intros E.
Subgoal 6.1.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
E : NewPC = public
============================
false
< case E.
Subgoal 6.1.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
============================
false
< apply join_public to Sec1.
Subgoal 6.1.2:
Variables: SG1 GA GA' GB GB' Else Then Cond GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond public
Sec1 : join public public public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : public = public -> false
============================
false
< backchain NEq.
Subgoal 6.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
public_equiv SG1 GA' GB'
< EqGBGB': apply stmt_not_public_no_public_change to Sec2 _ EvB1.
Subgoal 6.1.3:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
NewPC = public -> false
< intros E.
Subgoal 6.1.3:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
E : NewPC = public
============================
false
< case E.
Subgoal 6.1.3:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
false
< apply join_public to Sec1.
Subgoal 6.1.3:
Variables: SG1 GA GA' GB GB' Else Then Cond GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond public
Sec1 : join public public public
Sec2 : secure public SG1 Then GTh
Sec3 : secure public SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : public = public -> false
EqGAGA' : public_equiv SG1 GA GA'
============================
false
< backchain NEq.
Subgoal 6.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
============================
public_equiv SG1 GA' GB'
< EqGAGB': apply public_equiv_trans to Rel EqGBGB'.
Subgoal 6.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
============================
public_equiv SG1 GA' GB'
< EqGA'GA: apply public_equiv_symm to EqGAGA'.
Subgoal 6.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
============================
public_equiv SG1 GA' GB'
< EqGA'GB: apply public_equiv_trans to EqGA'GA Rel.
Subgoal 6.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
EqGA'GB : public_equiv SG1 GA' GB
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to EqGA'GB EqGBGB'.
Subgoal 6.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Then GB'
NEq : S = public -> false
EqGAGA' : public_equiv SG1 GA GA'
EqGBGB' : public_equiv SG1 GB GB'
EqGAGB' : public_equiv SG1 GA GB'
EqGA'GA : public_equiv SG1 GA' GA
EqGA'GB : public_equiv SG1 GA' GB
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 6.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
============================
public_equiv SG1 GA' GB'
< EqGA'GB': apply IH to _ _ _ EvA2 EvB1.
Subgoal 6.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
EqGA'GB' : public_equiv GEl GA' GB'
============================
public_equiv SG1 GA' GB'
< LkpEq: assert forall X,
lookup SG1 X public -> lookup GEl X public.
Subgoal 6.2.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
EqGA'GB' : public_equiv GEl GA' GB'
============================
forall X, lookup SG1 X public -> lookup GEl X public
< intros Lkp.
Subgoal 6.2.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
EqGA'GB' : public_equiv GEl GA' GB'
Lkp : lookup SG1 X public
============================
lookup GEl X public
< apply stmt_public_branch to Sec3 EvA2 Lkp.
Subgoal 6.2.1:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
EqGA'GB' : public_equiv GEl GA' GB'
Lkp : lookup SG1 X public
H1 : lookup GEl X public
============================
lookup GEl X public
< search.
Subgoal 6.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
EqGA'GB' : public_equiv GEl GA' GB'
LkpEq : forall X, lookup SG1 X public -> lookup GEl X public
============================
public_equiv SG1 GA' GB'
< apply public_equiv_swap to LkpEq EqGA'GB'.
Subgoal 6.2:
Variables: PC SG1 GA GA' GB GB' Else Then Cond S NewPC GTh GEl
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (ifThenElse Cond Then Else) GA' @
EvA1 : eval_e GA Cond falseVal
EvA2 : eval_c GA Else GA' *
Is : is_e Cond
Is1 : is_c Then
Is2 : is_c Else
Sec : level SG1 Cond S
Sec1 : join PC S NewPC
Sec2 : secure NewPC SG1 Then GTh
Sec3 : secure NewPC SG1 Else GEl
EvB : eval_e GB Cond falseVal
EvB1 : eval_c GB Else GB'
EqGA'GB' : public_equiv GEl GA' GB'
LkpEq : forall X, lookup SG1 X public -> lookup GEl X public
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 7:
Variables: PC SG SG1 GA' GB GB' Body Cond
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG (while Cond Body) SG1
Rel : public_equiv SG GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvB : eval_c GB (while Cond Body) GB'
EvA1 : eval_e GA' Cond falseVal
============================
public_equiv SG1 GA' GB'
< Is: case Is (keep).
Subgoal 7:
Variables: PC SG SG1 GA' GB GB' Body Cond
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG (while Cond Body) SG1
Rel : public_equiv SG GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvB : eval_c GB (while Cond Body) GB'
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
============================
public_equiv SG1 GA' GB'
< Sec: case Sec (keep).
Subgoal 7:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvB : eval_c GB (while Cond Body) GB'
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 7.1:
Variables: PC SG1 GA' GB' Body Cond S NewPC G1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB'
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB' Cond falseVal
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 7.2:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
============================
public_equiv SG1 GA' GB'
< SNEq: assert S = public -> false.
Subgoal 7.2.1:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
============================
S = public -> false
< intros Eq.
Subgoal 7.2.1:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
Eq : S = public
============================
false
< case Eq.
Subgoal 7.2.1:
Variables: PC SG1 GA' GB GB' Body Cond NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond public
Sec2 : join PC public NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
============================
false
< apply level_not_public to Is1 _ _ EvA1 EvB _.
Subgoal 7.2:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
SNEq : S = public -> false
============================
public_equiv SG1 GA' GB'
< EqGBG2: apply stmt_not_public_no_public_change to Sec3 _ EvB1.
Subgoal 7.2.2:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
SNEq : S = public -> false
============================
NewPC = public -> false
< intros Eq.
Subgoal 7.2.2:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
SNEq : S = public -> false
Eq : NewPC = public
============================
false
< case Eq.
Subgoal 7.2.2:
Variables: PC SG1 GA' GB GB' Body Cond S G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S public
Sec3 : secure public SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
SNEq : S = public -> false
============================
false
< apply join_public to Sec2.
Subgoal 7.2.2:
Variables: SG1 GA' GB GB' Body Cond G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure public SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond public
Sec2 : join public public public
Sec3 : secure public SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
SNEq : public = public -> false
============================
false
< backchain SNEq.
Subgoal 7.2:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
SNEq : S = public -> false
EqGBG2 : public_equiv SG1 GB G2
============================
public_equiv SG1 GA' GB'
< EqGA'G2: apply public_equiv_trans to Rel EqGBG2.
Subgoal 7.2:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
SNEq : S = public -> false
EqGBG2 : public_equiv SG1 GB G2
EqGA'G2 : public_equiv SG1 GA' G2
============================
public_equiv SG1 GA' GB'
< EqG2GB': apply while_no_public_change to Sec Sec1 _ EvB2.
Subgoal 7.2:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
SNEq : S = public -> false
EqGBG2 : public_equiv SG1 GB G2
EqGA'G2 : public_equiv SG1 GA' G2
EqG2GB' : public_equiv SG1 G2 GB'
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to EqGA'G2 EqG2GB'.
Subgoal 7.2:
Variables: PC SG1 GA' GB GB' Body Cond S NewPC G1 G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA' GB
EvA : eval_c GA' (while Cond Body) GA' @
EvA1 : eval_e GA' Cond falseVal
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G1
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G2
EvB2 : eval_c G2 (while Cond Body) GB'
SNEq : S = public -> false
EqGBG2 : public_equiv SG1 GB G2
EqGA'G2 : public_equiv SG1 GA' G2
EqG2GB' : public_equiv SG1 G2 GB'
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 8:
Variables: PC SG SG1 GA GA' GB GB' G1 Body Cond
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG (while Cond Body) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvB : eval_c GB (while Cond Body) GB'
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
============================
public_equiv SG1 GA' GB'
< Is: case Is (keep).
Subgoal 8:
Variables: PC SG SG1 GA GA' GB GB' G1 Body Cond
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG (while Cond Body) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvB : eval_c GB (while Cond Body) GB'
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
============================
public_equiv SG1 GA' GB'
< Sec: case Sec (keep).
Subgoal 8:
Variables: PC SG1 GA GA' GB GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvB : eval_c GB (while Cond Body) GB'
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
============================
public_equiv SG1 GA' GB'
< EvB: case EvB.
Subgoal 8.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
============================
public_equiv SG1 GA' GB'
< SNEq: assert S = public -> false.
Subgoal 8.1.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
============================
S = public -> false
< intros Eq.
Subgoal 8.1.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
Eq : S = public
============================
false
< case Eq.
Subgoal 8.1.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond public
Sec2 : join PC public NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
============================
false
< apply level_not_public to Is1 _ _ EvA1 EvB _.
Subgoal 8.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : S = public -> false
============================
public_equiv SG1 GA' GB'
< EqGAG1: apply stmt_not_public_no_public_change to Sec3 _ EvA2.
Subgoal 8.1.2:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : S = public -> false
============================
NewPC = public -> false
< intros Eq.
Subgoal 8.1.2:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : S = public -> false
Eq : NewPC = public
============================
false
< case Eq.
Subgoal 8.1.2:
Variables: PC SG1 GA GA' GB' G1 Body Cond S G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S public
Sec3 : secure public SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : S = public -> false
============================
false
< apply join_public to Sec2.
Subgoal 8.1.2:
Variables: SG1 GA GA' GB' G1 Body Cond G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure public SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond public
Sec2 : join public public public
Sec3 : secure public SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : public = public -> false
============================
false
< backchain SNEq.
Subgoal 8.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : S = public -> false
EqGAG1 : public_equiv SG1 GA G1
============================
public_equiv SG1 GA' GB'
< EqG1GA': apply while_no_public_change to Sec Sec1 _ EvA3.
Subgoal 8.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : S = public -> false
EqGAG1 : public_equiv SG1 GA G1
EqG1GA' : public_equiv SG1 G1 GA'
============================
public_equiv SG1 GA' GB'
< EqGAGA': apply public_equiv_trans to EqGAG1 EqG1GA'.
Subgoal 8.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : S = public -> false
EqGAG1 : public_equiv SG1 GA G1
EqG1GA' : public_equiv SG1 G1 GA'
EqGAGA' : public_equiv SG1 GA GA'
============================
public_equiv SG1 GA' GB'
< EqGA'GA: apply public_equiv_symm to EqGAGA'.
Subgoal 8.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : S = public -> false
EqGAG1 : public_equiv SG1 GA G1
EqG1GA' : public_equiv SG1 G1 GA'
EqGAGA' : public_equiv SG1 GA GA'
EqGA'GA : public_equiv SG1 GA' GA
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to EqGA'GA Rel.
Subgoal 8.1:
Variables: PC SG1 GA GA' GB' G1 Body Cond S NewPC G2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB'
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB' Cond falseVal
SNEq : S = public -> false
EqGAG1 : public_equiv SG1 GA G1
EqG1GA' : public_equiv SG1 G1 GA'
EqGAGA' : public_equiv SG1 GA GA'
EqGA'GA : public_equiv SG1 GA' GA
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 8.2:
Variables: PC SG1 GA GA' GB GB' G1 Body Cond S NewPC G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G3
EvB2 : eval_c G3 (while Cond Body) GB'
============================
public_equiv SG1 GA' GB'
< EqG1G3: apply IH to _ _ _ EvA2 EvB1.
Subgoal 8.2:
Variables: PC SG1 GA GA' GB GB' G1 Body Cond S NewPC G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G3
EvB2 : eval_c G3 (while Cond Body) GB'
EqG1G3 : public_equiv G2 G1 G3
============================
public_equiv SG1 GA' GB'
< LEq: assert forall X,
lookup SG1 X public -> lookup G2 X public.
Subgoal 8.2.1:
Variables: PC SG1 GA GA' GB GB' G1 Body Cond S NewPC G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G3
EvB2 : eval_c G3 (while Cond Body) GB'
EqG1G3 : public_equiv G2 G1 G3
============================
forall X, lookup SG1 X public -> lookup G2 X public
< intros Lkp.
Subgoal 8.2.1:
Variables: PC SG1 GA GA' GB GB' G1 Body Cond S NewPC G2 G3 X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G3
EvB2 : eval_c G3 (while Cond Body) GB'
EqG1G3 : public_equiv G2 G1 G3
Lkp : lookup SG1 X public
============================
lookup G2 X public
< apply stmt_public_branch to Sec3 EvA2 Lkp.
Subgoal 8.2.1:
Variables: PC SG1 GA GA' GB GB' G1 Body Cond S NewPC G2 G3 X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G3
EvB2 : eval_c G3 (while Cond Body) GB'
EqG1G3 : public_equiv G2 G1 G3
Lkp : lookup SG1 X public
H1 : lookup G2 X public
============================
lookup G2 X public
< search.
Subgoal 8.2:
Variables: PC SG1 GA GA' GB GB' G1 Body Cond S NewPC G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G3
EvB2 : eval_c G3 (while Cond Body) GB'
EqG1G3 : public_equiv G2 G1 G3
LEq : forall X, lookup SG1 X public -> lookup G2 X public
============================
public_equiv SG1 GA' GB'
< apply public_equiv_swap to LEq EqG1G3.
Subgoal 8.2:
Variables: PC SG1 GA GA' GB GB' G1 Body Cond S NewPC G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G3
EvB2 : eval_c G3 (while Cond Body) GB'
EqG1G3 : public_equiv G2 G1 G3
LEq : forall X, lookup SG1 X public -> lookup G2 X public
H1 : public_equiv SG1 G1 G3
============================
public_equiv SG1 GA' GB'
< EqG1GA': apply IH to Is Sec _ EvA3 EvB2.
Subgoal 8.2:
Variables: PC SG1 GA GA' GB GB' G1 Body Cond S NewPC G2 G3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (while Cond Body)
Sec : secure PC SG1 (while Cond Body) SG1
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (while Cond Body) GA' @
EvA1 : eval_e GA Cond trueVal
EvA2 : eval_c GA Body G1 *
EvA3 : eval_c G1 (while Cond Body) GA' *
Is1 : is_e Cond
Is2 : is_c Body
Sec1 : level SG1 Cond S
Sec2 : join PC S NewPC
Sec3 : secure NewPC SG1 Body G2
EvB : eval_e GB Cond trueVal
EvB1 : eval_c GB Body G3
EvB2 : eval_c G3 (while Cond Body) GB'
EqG1G3 : public_equiv G2 G1 G3
LEq : forall X, lookup SG1 X public -> lookup G2 X public
H1 : public_equiv SG1 G1 G3
EqG1GA' : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Subgoal 9:
Variables: PC SG SG1 GA GB GB' V Fields Result Rec E RecFields
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (recUpdate Rec RecFields E)
Sec : secure PC SG (recUpdate Rec RecFields E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvB : eval_c GB (recUpdate Rec RecFields E) GB'
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
============================
public_equiv SG1 ((Rec, recVal Result)::GA) GB'
< EvB: case EvB.
Subgoal 9:
Variables: PC SG SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (recUpdate Rec RecFields E)
Sec : secure PC SG (recUpdate Rec RecFields E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
============================
public_equiv SG1 ((Rec, recVal Result)::GA) ((Rec, recVal Result1)::GB)
< Is: case Is.
Subgoal 9:
Variables: PC SG SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Sec : secure PC SG (recUpdate Rec RecFields E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
============================
public_equiv SG1 ((Rec, recVal Result)::GA) ((Rec, recVal Result1)::GB)
< Sec: case Sec.
Subgoal 9.1:
Variables: SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
============================
public_equiv SG1 ((Rec, recVal Result)::GA) ((Rec, recVal Result1)::GB)
< apply level_secure to _ Sec Rel EvA1 EvB.
Subgoal 9.1:
Variables: SG1 GA GB Fields Result Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V1 Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
============================
public_equiv SG1 ((Rec, recVal Result)::GA) ((Rec, recVal Result1)::GB)
< Rel: case Rel.
Subgoal 9.1:
Variables: SG1 GA GB Fields Result Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V1 Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
public_equiv SG1 ((Rec, recVal Result)::GA) ((Rec, recVal Result1)::GB)
< apply Rel to Sec1 EvA2 EvB1.
Subgoal 9.1:
Variables: SG1 GA GB Result Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
public_equiv SG1 ((Rec, recVal Result)::GA) ((Rec, recVal Result1)::GB)
< apply update_rec_fields_unique to EvA3 EvB2.
Subgoal 9.1:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
public_equiv SG1 ((Rec, recVal Result1)::GA) ((Rec, recVal Result1)::GB)
< unfold .
Subgoal 9.1.1:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
forall X V1 V2,
lookup SG1 X public -> lookup ((Rec, recVal Result1)::GA) X V1 -> lookup ((Rec, recVal Result1)::GB) X V2 ->
V1 = V2
< intros LkpSec LkpA LkpB.
Subgoal 9.1.1:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
LkpA : lookup ((Rec, recVal Result1)::GA) X V2
LkpB : lookup ((Rec, recVal Result1)::GB) X V3
============================
V2 = V3
< LkpA: case LkpA.
Subgoal 9.1.1.1:
Variables: SG1 GA GB E RecFields V1 Fields1 Result1 X V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA X (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
LkpB : lookup ((X, recVal Result1)::GB) X V3
============================
recVal Result1 = V3
< LkpB: case LkpB.
Subgoal 9.1.1.1.1:
Variables: SG1 GA GB E RecFields V1 Fields1 Result1 X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA X (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
============================
recVal Result1 = recVal Result1
< search.
Subgoal 9.1.1.1.2:
Variables: SG1 GA GB E RecFields V1 Fields1 Result1 X V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA X (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
LkpB : X = X -> false
LkpB1 : lookup GB X V3
============================
recVal Result1 = V3
< apply LkpB to _.
Subgoal 9.1.1.2:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
LkpB : lookup ((Rec, recVal Result1)::GB) X V3
LkpA : Rec = X -> false
LkpA1 : lookup GA X V2
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 9.1.1.2.1:
Variables: SG1 GA GB E RecFields V1 Fields1 Result1 X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA X (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
LkpA : X = X -> false
LkpA1 : lookup GA X V2
============================
V2 = recVal Result1
< apply LkpA to _.
Subgoal 9.1.1.2.2:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
LkpA : Rec = X -> false
LkpA1 : lookup GA X V2
LkpB : Rec = X -> false
LkpB1 : lookup GB X V3
============================
V2 = V3
< apply Rel to LkpSec LkpA1 LkpB1.
Subgoal 9.1.1.2.2:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
LkpA : Rec = X -> false
LkpA1 : lookup GA X V3
LkpB : Rec = X -> false
LkpB1 : lookup GB X V3
============================
V3 = V3
< search.
Subgoal 9.1.2:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
forall X V,
lookup SG1 X public -> lookup ((Rec, recVal Result1)::GA) X V -> lookup ((Rec, recVal Result1)::GB) X V
< intros LkpSec Lkp.
Subgoal 9.1.2:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
Lkp : lookup ((Rec, recVal Result1)::GA) X V2
============================
lookup ((Rec, recVal Result1)::GB) X V2
< Lkp: case Lkp.
Subgoal 9.1.2.1:
Variables: SG1 GA GB E RecFields V1 Fields1 Result1 X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA X (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
============================
lookup ((X, recVal Result1)::GB) X (recVal Result1)
< search.
Subgoal 9.1.2.2:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GA X V2
============================
lookup ((Rec, recVal Result1)::GB) X V2
< apply Rel1 to LkpSec Lkp1.
Subgoal 9.1.2.2:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GA X V2
H1 : lookup GB X V2
============================
lookup ((Rec, recVal Result1)::GB) X V2
< search.
Subgoal 9.1.3:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
forall X V,
lookup SG1 X public -> lookup ((Rec, recVal Result1)::GB) X V -> lookup ((Rec, recVal Result1)::GA) X V
< intros LkpSec Lkp.
Subgoal 9.1.3:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
Lkp : lookup ((Rec, recVal Result1)::GB) X V2
============================
lookup ((Rec, recVal Result1)::GA) X V2
< Lkp: case Lkp.
Subgoal 9.1.3.1:
Variables: SG1 GA GB E RecFields V1 Fields1 Result1 X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA X (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 X public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
============================
lookup ((X, recVal Result1)::GA) X (recVal Result1)
< search.
Subgoal 9.1.3.2:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GB X V2
============================
lookup ((Rec, recVal Result1)::GA) X V2
< apply Rel2 to LkpSec Lkp1.
Subgoal 9.1.3.2:
Variables: SG1 GA GB Rec E RecFields V1 Fields1 Result1 X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result1)::GA) @
EvA1 : eval_e GA E V1
EvA2 : lookup GA Rec (recVal Fields1)
EvA3 : update_rec_fields RecFields Fields1 V1 Result1
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E public
Sec1 : lookup SG1 Rec public
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GB X V2
H1 : lookup GA X V2
============================
lookup ((Rec, recVal Result1)::GA) X V2
< search.
Subgoal 9.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
============================
public_equiv SG1 ((Rec, recVal Result)::GA) ((Rec, recVal Result1)::GB)
< unfold .
Subgoal 9.2.1:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
============================
forall X V1 V2,
lookup SG1 X public -> lookup ((Rec, recVal Result)::GA) X V1 -> lookup ((Rec, recVal Result1)::GB) X V2 ->
V1 = V2
< intros LkpSec LkpA LkpB.
Subgoal 9.2.1:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpA : lookup ((Rec, recVal Result)::GA) X V2
LkpB : lookup ((Rec, recVal Result1)::GB) X V3
============================
V2 = V3
< LkpA: case LkpA.
Subgoal 9.2.1.1:
Variables: PC SG1 GA GB V Fields Result E RecFields V1 Fields1 Result1 S X V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA X (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X public
LkpB : lookup ((X, recVal Result1)::GB) X V3
============================
recVal Result = V3
< apply lookup_unique to Sec1 LkpSec.
Subgoal 9.2.1.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpB : lookup ((Rec, recVal Result1)::GB) X V3
LkpA : Rec = X -> false
LkpA1 : lookup GA X V2
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 9.2.1.2.1:
Variables: PC SG1 GA GB V Fields Result E RecFields V1 Fields1 Result1 S X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA X (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X public
LkpA : X = X -> false
LkpA1 : lookup GA X V2
============================
V2 = recVal Result1
< apply LkpA to _.
Subgoal 9.2.1.2.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpA : Rec = X -> false
LkpA1 : lookup GA X V2
LkpB : Rec = X -> false
LkpB1 : lookup GB X V3
============================
V2 = V3
< Rel: case Rel.
Subgoal 9.2.1.2.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpA : Rec = X -> false
LkpA1 : lookup GA X V2
LkpB : Rec = X -> false
LkpB1 : lookup GB X V3
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
V2 = V3
< apply Rel to LkpSec LkpA1 LkpB1.
Subgoal 9.2.1.2.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
LkpA : Rec = X -> false
LkpA1 : lookup GA X V3
LkpB : Rec = X -> false
LkpB1 : lookup GB X V3
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
V3 = V3
< search.
Subgoal 9.2.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
============================
forall X V,
lookup SG1 X public -> lookup ((Rec, recVal Result)::GA) X V -> lookup ((Rec, recVal Result1)::GB) X V
< intros LkpSec Lkp.
Subgoal 9.2.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
Lkp : lookup ((Rec, recVal Result)::GA) X V2
============================
lookup ((Rec, recVal Result1)::GB) X V2
< Lkp: case Lkp.
Subgoal 9.2.2.1:
Variables: PC SG1 GA GB V Fields Result E RecFields V1 Fields1 Result1 S X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA X (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X public
============================
lookup ((X, recVal Result1)::GB) X (recVal Result)
< apply lookup_unique to Sec1 LkpSec.
Subgoal 9.2.2.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GA X V2
============================
lookup ((Rec, recVal Result1)::GB) X V2
< Rel: case Rel.
Subgoal 9.2.2.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GA X V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((Rec, recVal Result1)::GB) X V2
< apply Rel1 to LkpSec Lkp1.
Subgoal 9.2.2.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GA X V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
H1 : lookup GB X V2
============================
lookup ((Rec, recVal Result1)::GB) X V2
< search.
Subgoal 9.2.3:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
============================
forall X V,
lookup SG1 X public -> lookup ((Rec, recVal Result1)::GB) X V -> lookup ((Rec, recVal Result)::GA) X V
< intros LkpSec Lkp.
Subgoal 9.2.3:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
Lkp : lookup ((Rec, recVal Result1)::GB) X V2
============================
lookup ((Rec, recVal Result)::GA) X V2
< Lkp: case Lkp.
Subgoal 9.2.3.1:
Variables: PC SG1 GA GB V Fields Result E RecFields V1 Fields1 Result1 S X
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate X RecFields E) ((X, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA X (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB X (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string X
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 X private
LkpSec : lookup SG1 X public
============================
lookup ((X, recVal Result)::GA) X (recVal Result1)
< apply lookup_unique to Sec1 LkpSec.
Subgoal 9.2.3.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG1 GA GB
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GB X V2
============================
lookup ((Rec, recVal Result)::GA) X V2
< Rel: case Rel.
Subgoal 9.2.3.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GB X V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
============================
lookup ((Rec, recVal Result)::GA) X V2
< apply Rel2 to LkpSec Lkp1.
Subgoal 9.2.3.2:
Variables: PC SG1 GA GB V Fields Result Rec E RecFields V1 Fields1 Result1 S X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (recUpdate Rec RecFields E) ((Rec, recVal Result)::GA) @
EvA1 : eval_e GA E V
EvA2 : lookup GA Rec (recVal Fields)
EvA3 : update_rec_fields RecFields Fields V Result
EvB : eval_e GB E V1
EvB1 : lookup GB Rec (recVal Fields1)
EvB2 : update_rec_fields RecFields Fields1 V1 Result1
Is : is_string Rec
Is1 : is_recFields RecFields
Is2 : is_e E
Sec : level SG1 E S
Sec1 : lookup SG1 Rec private
LkpSec : lookup SG1 X public
Lkp : Rec = X -> false
Lkp1 : lookup GB X V2
Rel : forall X V1 V2,
lookup SG1 X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG1 X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG1 X public -> lookup GB X V -> lookup GA X V
H1 : lookup GA X V2
============================
lookup ((Rec, recVal Result)::GA) X V2
< search.
Subgoal 10:
Variables: PC SG SG1 GA GB GB' V X E Ty S
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (declareSec X S Ty E)
Sec : secure PC SG (declareSec X S Ty E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X S Ty E) ((X, V)::GA) @
EvB : eval_c GB (declareSec X S Ty E) GB'
EvA1 : eval_e GA E V
============================
public_equiv SG1 ((X, V)::GA) GB'
< EvB: case EvB.
Subgoal 10:
Variables: PC SG SG1 GA GB V X E Ty S V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c (declareSec X S Ty E)
Sec : secure PC SG (declareSec X S Ty E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X S Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
============================
public_equiv SG1 ((X, V)::GA) ((X, V1)::GB)
< Is: case Is.
Subgoal 10:
Variables: PC SG SG1 GA GB V X E Ty S V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Sec : secure PC SG (declareSec X S Ty E) SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X S Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel S
Is2 : is_ty Ty
Is3 : is_e E
============================
public_equiv SG1 ((X, V)::GA) ((X, V1)::GB)
< Sec: case Sec.
Subgoal 10.1:
Variables: PC SG GA GB V X E Ty V1 S1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
============================
public_equiv ((X, private)::SG) ((X, V)::GA) ((X, V1)::GB)
< unfold .
Subgoal 10.1.1:
Variables: PC SG GA GB V X E Ty V1 S1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
============================
forall X1 V2 V3,
lookup ((X, private)::SG) X1 public -> lookup ((X, V)::GA) X1 V2 -> lookup ((X, V1)::GB) X1 V3 ->
V2 = V3
< intros LkpSec LkpA LkpB.
Subgoal 10.1.1:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : lookup ((X, private)::SG) X1 public
LkpA : lookup ((X, V)::GA) X1 V2
LkpB : lookup ((X, V1)::GB) X1 V3
============================
V2 = V3
< LkpSec: case LkpSec.
Subgoal 10.1.1:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpA : lookup ((X, V)::GA) X1 V2
LkpB : lookup ((X, V1)::GB) X1 V3
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
V2 = V3
< LkpA: case LkpA.
Subgoal 10.1.1.1:
Variables: PC SG GA GB E Ty V1 S1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 private Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X1
LkpB : lookup ((X1, V1)::GB) X1 V3
LkpSec : X1 = X1 -> false
LkpSec1 : lookup SG X1 public
============================
V2 = V3
< apply LkpSec to _.
Subgoal 10.1.1.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpB : lookup ((X, V1)::GB) X1 V3
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 10.1.1.2.1:
Variables: PC SG GA GB V E Ty S1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 private Ty E) ((X1, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V3
Is : is_string X1
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X1
LkpSec : X1 = X1 -> false
LkpSec1 : lookup SG X1 public
LkpA : X1 = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< apply LkpSec to _.
Subgoal 10.1.1.2.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< Rel: case Rel.
Subgoal 10.1.1.2.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
V2 = V3
< apply Rel to LkpSec1 LkpA1 LkpB1.
Subgoal 10.1.1.2.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V3
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
V3 = V3
< search.
Subgoal 10.1.2:
Variables: PC SG GA GB V X E Ty V1 S1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
============================
forall X1 V2,
lookup ((X, private)::SG) X1 public -> lookup ((X, V)::GA) X1 V2 -> lookup ((X, V1)::GB) X1 V2
< intros LkpSec Lkp.
Subgoal 10.1.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : lookup ((X, private)::SG) X1 public
Lkp : lookup ((X, V)::GA) X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< LkpSec: case LkpSec.
Subgoal 10.1.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
Lkp : lookup ((X, V)::GA) X1 V2
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X, V1)::GB) X1 V2
< Lkp: case Lkp.
Subgoal 10.1.2.1:
Variables: PC SG GA GB E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 private Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X1
LkpSec : X1 = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X1, V1)::GB) X1 V2
< apply LkpSec to _.
Subgoal 10.1.2.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GA X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< Rel: case Rel.
Subgoal 10.1.2.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V1)::GB) X1 V2
< apply Rel1 to LkpSec1 Lkp1.
Subgoal 10.1.2.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GB X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< search.
Subgoal 10.1.3:
Variables: PC SG GA GB V X E Ty V1 S1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
============================
forall X1 V2,
lookup ((X, private)::SG) X1 public -> lookup ((X, V1)::GB) X1 V2 -> lookup ((X, V)::GA) X1 V2
< intros LkpSec Lkp.
Subgoal 10.1.3:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : lookup ((X, private)::SG) X1 public
Lkp : lookup ((X, V1)::GB) X1 V2
============================
lookup ((X, V)::GA) X1 V2
< LkpSec: case LkpSec.
Subgoal 10.1.3:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
Lkp : lookup ((X, V1)::GB) X1 V2
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X, V)::GA) X1 V2
< Lkp: case Lkp.
Subgoal 10.1.3.1:
Variables: PC SG GA GB V E Ty S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 private Ty E) ((X1, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X1
LkpSec : X1 = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X1, V)::GA) X1 V2
< apply LkpSec to _.
Subgoal 10.1.3.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GB X1 V2
============================
lookup ((X, V)::GA) X1 V2
< Rel: case Rel.
Subgoal 10.1.3.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V)::GA) X1 V2
< apply Rel2 to LkpSec1 Lkp1.
Subgoal 10.1.3.2:
Variables: PC SG GA GB V X E Ty V1 S1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X private Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel private
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E S1
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GA X1 V2
============================
lookup ((X, V)::GA) X1 V2
< search.
Subgoal 10.2:
Variables: SG GA GB V X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V)::GA) @
EvA1 : eval_e GA E V
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
============================
public_equiv ((X, public)::SG) ((X, V)::GA) ((X, V1)::GB)
< apply level_secure to _ Sec Rel EvA1 EvB.
Subgoal 10.2:
Variables: SG GA GB X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
============================
public_equiv ((X, public)::SG) ((X, V1)::GA) ((X, V1)::GB)
< unfold .
Subgoal 10.2.1:
Variables: SG GA GB X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
============================
forall X1 V2 V3,
lookup ((X, public)::SG) X1 public -> lookup ((X, V1)::GA) X1 V2 -> lookup ((X, V1)::GB) X1 V3 ->
V2 = V3
< intros LkpSec LkpA LkpB.
Subgoal 10.2.1:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : lookup ((X, public)::SG) X1 public
LkpA : lookup ((X, V1)::GA) X1 V2
LkpB : lookup ((X, V1)::GB) X1 V3
============================
V2 = V3
< LkpA: case LkpA.
Subgoal 10.2.1.1:
Variables: SG GA GB E Ty X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
LkpSec : lookup ((X1, public)::SG) X1 public
LkpB : lookup ((X1, V2)::GB) X1 V3
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 10.2.1.1.1:
Variables: SG GA GB E Ty X1 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V3)::GA) @
EvA1 : eval_e GA E V3
EvB : eval_e GB E V3
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
LkpSec : lookup ((X1, public)::SG) X1 public
============================
V3 = V3
< search.
Subgoal 10.2.1.1.2:
Variables: SG GA GB E Ty X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
LkpSec : lookup ((X1, public)::SG) X1 public
LkpB : X1 = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< apply LkpB to _.
Subgoal 10.2.1.2:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : lookup ((X, public)::SG) X1 public
LkpB : lookup ((X, V1)::GB) X1 V3
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< LkpB: case LkpB.
Subgoal 10.2.1.2.1:
Variables: SG GA GB E Ty X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V3)::GA) @
EvA1 : eval_e GA E V3
EvB : eval_e GB E V3
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
LkpSec : lookup ((X1, public)::SG) X1 public
LkpA : X1 = X1 -> false
LkpA1 : lookup GA X1 V2
============================
V2 = V3
< apply LkpA to _.
Subgoal 10.2.1.2.2:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : lookup ((X, public)::SG) X1 public
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< LkpSec: case LkpSec.
Subgoal 10.2.1.2.2.1:
Variables: SG GA GB E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
LkpA : X1 = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X1 = X1 -> false
LkpB1 : lookup GB X1 V3
============================
V2 = V3
< apply LkpA to _.
Subgoal 10.2.1.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
V2 = V3
< Rel: case Rel.
Subgoal 10.2.1.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V2
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
V2 = V3
< apply Rel to LkpSec1 LkpA1 LkpB1.
Subgoal 10.2.1.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V3
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpA : X = X1 -> false
LkpA1 : lookup GA X1 V3
LkpB : X = X1 -> false
LkpB1 : lookup GB X1 V3
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
V3 = V3
< search.
Subgoal 10.2.2:
Variables: SG GA GB X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
============================
forall X1 V,
lookup ((X, public)::SG) X1 public -> lookup ((X, V1)::GA) X1 V -> lookup ((X, V1)::GB) X1 V
< intros LkpSec Lkp.
Subgoal 10.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : lookup ((X, public)::SG) X1 public
Lkp : lookup ((X, V1)::GA) X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< LkpSec: case LkpSec.
Subgoal 10.2.2.1:
Variables: SG GA GB E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
Lkp : lookup ((X1, V1)::GA) X1 V2
============================
lookup ((X1, V1)::GB) X1 V2
< Lkp: case Lkp.
Subgoal 10.2.2.1.1:
Variables: SG GA GB E Ty X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
============================
lookup ((X1, V2)::GB) X1 V2
< search.
Subgoal 10.2.2.1.2:
Variables: SG GA GB E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
Lkp : X1 = X1 -> false
Lkp1 : lookup GA X1 V2
============================
lookup ((X1, V1)::GB) X1 V2
< apply Lkp to _.
Subgoal 10.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
Lkp : lookup ((X, V1)::GA) X1 V2
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X, V1)::GB) X1 V2
< Lkp: case Lkp.
Subgoal 10.2.2.2.1:
Variables: SG GA GB E Ty X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
LkpSec : X1 = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X1, V2)::GB) X1 V2
< apply LkpSec to _.
Subgoal 10.2.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GA X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< Rel: case Rel.
Subgoal 10.2.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V1)::GB) X1 V2
< apply Rel1 to LkpSec1 Lkp1.
Subgoal 10.2.2.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GA X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GB X1 V2
============================
lookup ((X, V1)::GB) X1 V2
< search.
Subgoal 10.2.3:
Variables: SG GA GB X E Ty V1
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
============================
forall X1 V,
lookup ((X, public)::SG) X1 public -> lookup ((X, V1)::GB) X1 V -> lookup ((X, V1)::GA) X1 V
< intros LkpSec Lkp.
Subgoal 10.2.3:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : lookup ((X, public)::SG) X1 public
Lkp : lookup ((X, V1)::GB) X1 V2
============================
lookup ((X, V1)::GA) X1 V2
< LkpSec: case LkpSec.
Subgoal 10.2.3.1:
Variables: SG GA GB E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
Lkp : lookup ((X1, V1)::GB) X1 V2
============================
lookup ((X1, V1)::GA) X1 V2
< Lkp: case Lkp.
Subgoal 10.2.3.1.1:
Variables: SG GA GB E Ty X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
============================
lookup ((X1, V2)::GA) X1 V2
< search.
Subgoal 10.2.3.1.2:
Variables: SG GA GB E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
Lkp : X1 = X1 -> false
Lkp1 : lookup GB X1 V2
============================
lookup ((X1, V1)::GA) X1 V2
< apply Lkp to _.
Subgoal 10.2.3.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
Lkp : lookup ((X, V1)::GB) X1 V2
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X, V1)::GA) X1 V2
< Lkp: case Lkp.
Subgoal 10.2.3.2.1:
Variables: SG GA GB E Ty X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X1 public Ty E) ((X1, V2)::GA) @
EvA1 : eval_e GA E V2
EvB : eval_e GB E V2
Is : is_string X1
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X1
LkpSec : X1 = X1 -> false
LkpSec1 : lookup SG X1 public
============================
lookup ((X1, V2)::GA) X1 V2
< apply LkpSec to _.
Subgoal 10.2.3.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Rel : public_equiv SG GA GB
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GB X1 V2
============================
lookup ((X, V1)::GA) X1 V2
< Rel: case Rel.
Subgoal 10.2.3.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
============================
lookup ((X, V1)::GA) X1 V2
< apply Rel2 to LkpSec1 Lkp1.
Subgoal 10.2.3.2.2:
Variables: SG GA GB X E Ty V1 X1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
EvA : eval_c GA (declareSec X public Ty E) ((X, V1)::GA) @
EvA1 : eval_e GA E V1
EvB : eval_e GB E V1
Is : is_string X
Is1 : is_seclevel public
Is2 : is_ty Ty
Is3 : is_e E
Sec : level SG E public
Sec1 : no_lookup SG X
LkpSec : X = X1 -> false
LkpSec1 : lookup SG X1 public
Lkp : X = X1 -> false
Lkp1 : lookup GB X1 V2
Rel : forall X V1 V2,
lookup SG X public -> lookup GA X V1 -> lookup GB X V2 -> V1 = V2
Rel1 : forall X V, lookup SG X public -> lookup GA X V -> lookup GB X V
Rel2 : forall X V, lookup SG X public -> lookup GB X V -> lookup GA X V
H1 : lookup GA X1 V2
============================
lookup ((X, V1)::GA) X1 V2
< search.
Subgoal 11:
Variables: PC SG SG1 GA GA' GB GB' T
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Sec : secure PC SG <unknown K eval_c> SG1
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> T
EvA2 : eval_c GA T GA' *
============================
public_equiv SG1 GA' GB'
< Sec: case Sec.
Subgoal 11:
Variables: PC SG SG1 GA GA' GB GB' T CT
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> T
EvA2 : eval_c GA T GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
============================
public_equiv SG1 GA' GB'
< apply proj_c_unique to EvA1 Sec.
Subgoal 11:
Variables: PC SG SG1 GA GA' GB GB' CT
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
============================
public_equiv SG1 GA' GB'
< EvBProj: apply proj_c_eval to EvA1 EvB.
Subgoal 11:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
============================
public_equiv SG1 GA' GB'
< IsCT: apply proj_c_is to Sec Is.
Subgoal 11:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
============================
public_equiv SG1 GA' GB'
< Equiv: apply IH to _ Sec1 Rel EvA2 EvBProj.
Subgoal 11:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
============================
public_equiv SG1 GA' GB'
< LkpGB'G': assert forall X V,
lookup GB' X V -> lookup G' X V.
Subgoal 11.1:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
============================
forall X V, lookup GB' X V -> lookup G' X V
< intros L.
Subgoal 11.1:
Variables: PC SG SG1 GA GA' GB GB' CT G' X V
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
L : lookup GB' X V
============================
lookup G' X V
< apply proj_c_eval_results to EvA1 EvB EvBProj L.
Subgoal 11.1:
Variables: PC SG SG1 GA GA' GB GB' CT G' X V
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
L : lookup GB' X V
H1 : lookup G' X V
============================
lookup G' X V
< search.
Subgoal 11:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
============================
public_equiv SG1 GA' GB'
< EqG'GB': assert public_equiv SG1 G' GB'.
Subgoal 11.2:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
============================
public_equiv SG1 G' GB'
< unfold .
Subgoal 11.2.1:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
============================
forall X V1 V2,
lookup SG1 X public -> lookup G' X V1 -> lookup GB' X V2 -> V1 = V2
< intros LkpSec LkpG' LkpGB'.
Subgoal 11.2.1:
Variables: PC SG SG1 GA GA' GB GB' CT G' X V1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
LkpSec : lookup SG1 X public
LkpG' : lookup G' X V1
LkpGB' : lookup GB' X V2
============================
V1 = V2
< Lkp: apply LkpGB'G' to LkpGB'.
Subgoal 11.2.1:
Variables: PC SG SG1 GA GA' GB GB' CT G' X V1 V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
LkpSec : lookup SG1 X public
LkpG' : lookup G' X V1
LkpGB' : lookup GB' X V2
Lkp : lookup G' X V2
============================
V1 = V2
< apply lookup_unique to LkpG' Lkp.
Subgoal 11.2.1:
Variables: PC SG SG1 GA GA' GB GB' CT G' X V2
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
LkpSec : lookup SG1 X public
LkpG' : lookup G' X V2
LkpGB' : lookup GB' X V2
Lkp : lookup G' X V2
============================
V2 = V2
< search.
Subgoal 11.2.2:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
============================
forall X V, lookup SG1 X public -> lookup G' X V -> lookup GB' X V
< intros LkpSec LkpG'.
Subgoal 11.2.2:
Variables: PC SG SG1 GA GA' GB GB' CT G' X V
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
LkpSec : lookup SG1 X public
LkpG' : lookup G' X V
============================
lookup GB' X V
< apply proj_c_eval_results_back to Sec EvB EvBProj LkpG'.
Subgoal 11.2.2:
Variables: PC SG SG1 GA GA' GB GB' CT G' X V
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
LkpSec : lookup SG1 X public
LkpG' : lookup G' X V
H1 : lookup GB' X V
============================
lookup GB' X V
< search.
Subgoal 11.2.3:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
============================
forall X V, lookup SG1 X public -> lookup GB' X V -> lookup G' X V
< intros LkpSec LkpGB'.
Subgoal 11.2.3:
Variables: PC SG SG1 GA GA' GB GB' CT G' X V
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
LkpSec : lookup SG1 X public
LkpGB' : lookup GB' X V
============================
lookup G' X V
< backchain LkpGB'G'.
Subgoal 11:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
EqG'GB' : public_equiv SG1 G' GB'
============================
public_equiv SG1 GA' GB'
< apply public_equiv_trans to Equiv EqG'GB'.
Subgoal 11:
Variables: PC SG SG1 GA GA' GB GB' CT G'
IH : forall C PC SG SG1 GA GA' GB GB',
is_c C -> secure PC SG C SG1 -> public_equiv SG GA GB -> eval_c GA C GA' * ->
eval_c GB C GB' -> public_equiv SG1 GA' GB'
Is : is_c <unknown K eval_c>
Rel : public_equiv SG GA GB
EvA : eval_c GA <unknown K eval_c> GA' @
EvB : eval_c GB <unknown K eval_c> GB'
EvA1 : |{c}- <unknown K eval_c> ~~> CT
EvA2 : eval_c GA CT GA' *
Sec : |{c}- <unknown K eval_c> ~~> CT
Sec1 : secure PC SG CT SG1
EvBProj : eval_c GB CT G'
IsCT : is_c CT
Equiv : public_equiv SG1 GA' G'
LkpGB'G' : forall X V, lookup GB' X V -> lookup G' X V
EqG'GB' : public_equiv SG1 G' GB'
H1 : public_equiv SG1 GA' GB'
============================
public_equiv SG1 GA' GB'
< search.
Proof completed.
