From stdpp Require Import prelude finite.[Loading ML file ring_plugin.cmxs (using legacy method) ... done]
[Loading ML file zify_plugin.cmxs (using legacy method) ... done]
[Loading ML file micromega_plugin.cmxs (using legacy method) ... done]
[Loading ML file btauto_plugin.cmxs (using legacy method) ... done]
From Coq Require Import Reals.
From VLSM.Lib Require Import Preamble ListExtras StdppListSet StdppExtras NatExtras.[Loading ML file coq-itauto.plugin ... done]
[Loading ML file extraction_plugin.cmxs (using legacy method) ... done]
[Loading ML file equations_plugin.cmxs (using legacy method) ... done]
From VLSM.Lib Require Import Measurable EquationsExtras.
From VLSM.Core Require Import VLSM Composition.
From VLSM.Core Require Import Equivocation MessageDependencies TraceableVLSM.
From VLSM.Core Require Import AnnotatedVLSM MsgDepLimitedEquivocation.

Core: Minimally Equivocating Traces

In this module, we define a choice_function and minimal_equivocation_choice, guaranteeing that the transition it chooses does not decrease the set of validators which are equivocating according to the msg_dep_is_globally_equivocating relation (see minimal_equivocation_choice_monotone).

We then show that the trace determined by state_to_trace using this choice function yields a minimally equivocating constrained trace reaching that state (see state_to_minimal_equivocation_trace_equivocation_monotonic).

Section sec_minimal_equivocation_choice.

The minimal equivocation choice function

Context
  `{EqDecision message}
  `{finite.Finite index}
  `{Inhabited index}
  (IM : index -> VLSM message)
  `{forall i, ComputableSentMessages (IM i)}
  `{forall i, ComputableReceivedMessages (IM i)}
  `{FullMessageDependencies message Cm message_dependencies full_message_dependencies}
  `{forall i, MessageDependencies (IM i) message_dependencies}
  (state_destructor : forall i, state (IM i) -> set (transition_item (IM i) * state (IM i)))
  (state_size : forall i, state (IM i) -> nat)
  `{forall i, TraceableVLSM (IM i) (state_destructor i) (state_size i)}
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop IM)
  `(sender : message -> option validator)
  `{!Irreflexive (tc_composite_observed_before_send IM message_dependencies)}
  (A : validator -> index)
  (Hchannel : channel_authentication_prop IM A sender)
  (Free := free_composite_vlsm IM)
  .

The nth (composite) transition from the given list is not sending any message.

Inductive CompositeNthNotSend
  (transitions : set (composite_transition_item IM * composite_state IM)) (n : nat) : Prop :=
| composite_nth_not_send :
    forall item s, transitions !! n = Some (item, s) -> output item = None ->
      CompositeNthNotSend transitions n.

Lemma not_CompositeNthNotSend_is_sent :
  forall (ts : set (composite_transition_item IM * composite_state IM)) (n : nat),
    ~ CompositeNthNotSend ts n ->
    forall item s, ts !! n = Some (item, s) -> exists m, output item = Some m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (ts : set
          (composite_transition_item IM *
           composite_state IM)) (n : nat),
  ¬ CompositeNthNotSend ts n
  → ∀ (item : transition_item) (s : composite_state IM),
      ts !! n = Some (item, s)
      → ∃ m : message, output item = Some m
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (ts : set
          (composite_transition_item IM *
           composite_state IM)) (n : nat),
  ¬ CompositeNthNotSend ts n
  → ∀ (item : transition_item) (s : composite_state IM),
      ts !! n = Some (item, s)
      → ∃ m : message, output item = Some m
  intros * Hnsend **.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
ts: set
  (composite_transition_item IM *
   composite_state IM)
n: nat
Hnsend: ¬ CompositeNthNotSend ts n
item: transition_item
s: composite_state IM
H14: ts !! n = Some (item, s)
∃ m : message, output item = Some m
  destruct (output item) eqn: Houtput; [by eexists |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
ts: set
  (composite_transition_item IM *
   composite_state IM)
n: nat
Hnsend: ¬ CompositeNthNotSend ts n
item: transition_item
s: composite_state IM
H14: ts !! n = Some (item, s)
Houtput: output item = None
∃ m : message, None = Some m
  by contradict Hnsend; econstructor.
Qed.

The nth transition reaching s' from component i is not sending any message.

Definition composite_latest_not_send_prop (s' : composite_state IM) (i : index) (n : nat) : Prop :=
  CompositeNthNotSend (composite_state_destructor IM state_destructor s' i) n.

#[local] Instance composite_latest_not_send_dec s' :
  RelDecision (composite_latest_not_send_prop s').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
RelDecision (composite_latest_not_send_prop s')
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
RelDecision (composite_latest_not_send_prop s')
  intros i n.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
Decision (composite_latest_not_send_prop s' i n)
  destruct (composite_state_destructor IM state_destructor s' i !! n) as [[item s] |] eqn: Hdestruct.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
Decision (composite_latest_not_send_prop s' i n)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n = None
Decision (composite_latest_not_send_prop s' i n)
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
Decision (composite_latest_not_send_prop s' i n) destruct (output item) as [m |] eqn: Hinput; [| by left; econstructor].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
m: message
Hinput: output item = Some m
Decision (composite_latest_not_send_prop s' i n)
    right; inversion 1 as [_item _s].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
m: message
Hinput: output item = Some m
H14: composite_latest_not_send_prop s' i n
_item: transition_item
_s: composite_state IM
H15: composite_state_destructor IM state_destructor
  s' i !! n = Some (_item, _s)
H16: output _item = None
False
    replace (_ !! n) with (Some (_item, _s)) in Hdestruct.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
_item: transition_item
_s: composite_state IM
Hdestruct: Some (_item, _s) = Some (item, s)
m: message
Hinput: output item = Some m
H14: composite_latest_not_send_prop s' i n
H15: composite_state_destructor IM state_destructor
  s' i !! n = Some (_item, _s)
H16: output _item = None
False
    by inversion Hdestruct; congruence.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n = None
Decision (composite_latest_not_send_prop s' i n) by right; inversion 1; cbv in *; congruence.
Qed.

The nth (composite) transition from the given list is sending a message which hasn't been previously observed.

Inductive CompositeNthSentNotObserved
  (transitions : set (composite_transition_item IM * composite_state IM)) (n : nat) : Prop :=
| composite_nth_sent_not_observed :
    forall item s,
      transitions !! n = Some (item, s) ->
      forall m, output item = Some m ->
      ~ CompositeHasBeenObserved IM message_dependencies s m ->
      CompositeNthSentNotObserved transitions n.

Lemma not_CompositeNthSentNotObserved_is_observed :
  forall (ts : set (composite_transition_item IM * composite_state IM)) (n : nat),
    ~ CompositeNthSentNotObserved ts n ->
    forall item s,
      ts !! n = Some (item, s) ->
      forall m, output item = Some m ->
      CompositeHasBeenObserved IM message_dependencies s m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (ts : set
          (composite_transition_item IM *
           composite_state IM)) (n : nat),
  ¬ CompositeNthSentNotObserved ts n
  → ∀ (item : transition_item) (s : composite_state IM),
      ts !! n = Some (item, s)
      → ∀ m : message,
          output item = Some m
          → CompositeHasBeenObserved IM
              message_dependencies s m
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (ts : set
          (composite_transition_item IM *
           composite_state IM)) (n : nat),
  ¬ CompositeNthSentNotObserved ts n
  → ∀ (item : transition_item) (s : composite_state IM),
      ts !! n = Some (item, s)
      → ∀ m : message,
          output item = Some m
          → CompositeHasBeenObserved IM
              message_dependencies s m
  intros * Hnobs **.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
ts: set
  (composite_transition_item IM *
   composite_state IM)
n: nat
Hnobs: ¬ CompositeNthSentNotObserved ts n
item: transition_item
s: composite_state IM
H14: ts !! n = Some (item, s)
m: message
H15: output item = Some m
CompositeHasBeenObserved IM message_dependencies s m
  destruct (decide (CompositeHasBeenObserved IM message_dependencies s m)); [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
ts: set
  (composite_transition_item IM *
   composite_state IM)
n: nat
Hnobs: ¬ CompositeNthSentNotObserved ts n
item: transition_item
s: composite_state IM
H14: ts !! n = Some (item, s)
m: message
H15: output item = Some m
n0: ¬ CompositeHasBeenObserved IM
    message_dependencies s m
CompositeHasBeenObserved IM message_dependencies s m
  by contradict Hnobs; econstructor.
Qed.

The nth transition reaching s' from component i is sending a message which hasn't been previously observed.

Definition composite_latest_sent_not_observed_prop
  (s' : composite_state IM) (i : index) (n : nat) : Prop :=
  CompositeNthSentNotObserved (composite_state_destructor IM state_destructor s' i) n.

#[local] Instance composite_latest_sent_not_observed_dec s' :
  RelDecision (composite_latest_sent_not_observed_prop s').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
RelDecision
  (composite_latest_sent_not_observed_prop s')
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
RelDecision
  (composite_latest_sent_not_observed_prop s')
  intros i n.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
Decision
  (composite_latest_sent_not_observed_prop s' i n)
  destruct (composite_state_destructor IM state_destructor s' i !! n)
    as [[item s] |] eqn: Hdestruct;
    [| by right; inversion 1; cbv in *; congruence].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
Decision
  (composite_latest_sent_not_observed_prop s' i n)
  destruct (output item) as [m |] eqn: Houtput.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
m: message
Houtput: output item = Some m
Decision
  (composite_latest_sent_not_observed_prop s' i n)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
Houtput: output item = None
Decision
  (composite_latest_sent_not_observed_prop s' i n)
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
m: message
Houtput: output item = Some m
Decision
  (composite_latest_sent_not_observed_prop s' i n) destruct (decide (CompositeHasBeenObserved IM message_dependencies s m));
      [| by left; econstructor].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
m: message
Houtput: output item = Some m
c: CompositeHasBeenObserved IM message_dependencies s
  m
Decision
  (composite_latest_sent_not_observed_prop s' i n)
    right; inversion 1 as [_item _s].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
m: message
Houtput: output item = Some m
c: CompositeHasBeenObserved IM message_dependencies s
  m
H14: composite_latest_sent_not_observed_prop s' i n
_item: transition_item
_s: composite_state IM
m0: message
H15: composite_state_destructor IM state_destructor
  s' i !! n = Some (_item, _s)
H16: output _item = Some m0
H17: ¬ CompositeHasBeenObserved IM
    message_dependencies _s m0
False
    replace (_ !! n) with (Some (_item, _s)) in Hdestruct.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
_item: transition_item
_s: composite_state IM
Hdestruct: Some (_item, _s) = Some (item, s)
m: message
Houtput: output item = Some m
c: CompositeHasBeenObserved IM message_dependencies s
  m
H14: composite_latest_sent_not_observed_prop s' i n
m0: message
H15: composite_state_destructor IM state_destructor
  s' i !! n = Some (_item, _s)
H16: output _item = Some m0
H17: ¬ CompositeHasBeenObserved IM
    message_dependencies _s m0
False
    by inversion Hdestruct; congruence.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
Houtput: output item = None
Decision
  (composite_latest_sent_not_observed_prop s' i n) right; inversion 1 as [_item _s].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
Houtput: output item = None
H14: composite_latest_sent_not_observed_prop s' i n
_item: transition_item
_s: composite_state IM
m: message
H15: composite_state_destructor IM state_destructor
  s' i !! n = Some (_item, _s)
H16: output _item = Some m
H17: ¬ CompositeHasBeenObserved IM
    message_dependencies _s m
False
    replace (_ !! n) with (Some (_item, _s)) in Hdestruct.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i: index
n: nat
item: composite_transition_item IM
s: composite_state IM
_item: transition_item
_s: composite_state IM
Hdestruct: Some (_item, _s) = Some (item, s)
Houtput: output item = None
H14: composite_latest_sent_not_observed_prop s' i n
m: message
H15: composite_state_destructor IM state_destructor
  s' i !! n = Some (_item, _s)
H16: output _item = Some m
H17: ¬ CompositeHasBeenObserved IM
    message_dependencies _s m
False
    by inversion Hdestruct; congruence.
Qed.

The first transition reaching s' from component i is sending a message which has been previously observed from the jth component of the state.

Record CompositeLatestSentObservedIn
  (s' : composite_state IM)  (i : index)  (j : index)
  (s : composite_state IM) (item : composite_transition_item IM) (m : message)
  : Prop :=
{
  clsoi_destructor :
    head (composite_state_destructor IM state_destructor s' i) = Some (item, s);
  clsoi_output : output item = Some m;
  clsoi_observed : HasBeenObserved (IM j) message_dependencies (s j) m;
}.

Characterizes the fact that:

the first transition reaching s' from component i is sending a message m_i,
the first transition reaching s' from component j is sending a message m_j, and
m_i and m_j are in the tc_composite_observed_before_send relation.

Record LatestCompositeObservedBeforeSend
  (s' : composite_state IM) (i : index) (j : index)
  (s_i : composite_state IM) (item_i : composite_transition_item IM) (m_i : message)
  (s_j : composite_state IM) (item_j : composite_transition_item IM) (m_j : message)
  : Prop :=
{
  lcobs_destruct_i : head (composite_state_destructor IM state_destructor s' i) = Some (item_i, s_i);
  lcobs_output_i : output item_i = Some m_i;
  lcobs_destruct_j : head (composite_state_destructor IM state_destructor s' j) = Some (item_j, s_j);
  lcobs_output_j : output item_j = Some m_j;
  lcobs_rel : tc_composite_observed_before_send IM message_dependencies m_i m_j;
}.

LatestCompositeObservedBeforeSend as a binary relation on indices of components for a given composite state.

Definition latest_composite_observed_before_send
  (s' : composite_state IM) (i j : index) : Prop :=
  exists s_i item_i m_i s_j item_j m_j,
    LatestCompositeObservedBeforeSend s' i j s_i item_i m_i s_j item_j m_j.

#[local] Instance latest_composite_observed_before_send_trans s' :
  Transitive (latest_composite_observed_before_send s').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Transitive (latest_composite_observed_before_send s')
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Transitive (latest_composite_observed_before_send s')
  intros i j k
    (s_i & item_i & m_i & s_j & item_j & m_j
      & [Hdestruct_i Houtput_i Hdestruct_j Houtput_j Hij])
    (_s_j & _item_j & _m_j & s_k & item_k & m_k
      & [H_destruct_j H_output_j Hdestruct_k Houtput_k Hjk]).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j, k: index
s_i: composite_state IM
item_i: composite_transition_item IM
m_i: message
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item_i, s_i)
Houtput_i: output item_i = Some m_i
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Hij: tc_composite_observed_before_send IM
  message_dependencies m_i m_j
_s_j: composite_state IM
_item_j: composite_transition_item IM
_m_j: message
s_k: composite_state IM
item_k: composite_transition_item IM
m_k: message
H_destruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (_item_j, _s_j)
H_output_j: output _item_j = Some _m_j
Hdestruct_k: head
  (composite_state_destructor IM
     state_destructor s' k) =
Some (item_k, s_k)
Houtput_k: output item_k = Some m_k
Hjk: tc_composite_observed_before_send IM
  message_dependencies _m_j m_k
latest_composite_observed_before_send s' i k
  eexists _, _, _, _, _, _; constructor; [done.. |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j, k: index
s_i: composite_state IM
item_i: composite_transition_item IM
m_i: message
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item_i, s_i)
Houtput_i: output item_i = Some m_i
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Hij: tc_composite_observed_before_send IM
  message_dependencies m_i m_j
_s_j: composite_state IM
_item_j: composite_transition_item IM
_m_j: message
s_k: composite_state IM
item_k: composite_transition_item IM
m_k: message
H_destruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (_item_j, _s_j)
H_output_j: output _item_j = Some _m_j
Hdestruct_k: head
  (composite_state_destructor IM
     state_destructor s' k) =
Some (item_k, s_k)
Houtput_k: output item_k = Some m_k
Hjk: tc_composite_observed_before_send IM
  message_dependencies _m_j m_k
tc_composite_observed_before_send IM
  message_dependencies m_i m_k
  etransitivity; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j, k: index
s_i: composite_state IM
item_i: composite_transition_item IM
m_i: message
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item_i, s_i)
Houtput_i: output item_i = Some m_i
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Hij: tc_composite_observed_before_send IM
  message_dependencies m_i m_j
_s_j: composite_state IM
_item_j: composite_transition_item IM
_m_j: message
s_k: composite_state IM
item_k: composite_transition_item IM
m_k: message
H_destruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (_item_j, _s_j)
H_output_j: output _item_j = Some _m_j
Hdestruct_k: head
  (composite_state_destructor IM
     state_destructor s' k) =
Some (item_k, s_k)
Houtput_k: output item_k = Some m_k
Hjk: tc_composite_observed_before_send IM
  message_dependencies _m_j m_k
tc_composite_observed_before_send IM
  message_dependencies m_j m_k
  rewrite Hdestruct_j in H_destruct_j; inversion H_destruct_j;
    subst _s_j _item_j; clear H_destruct_j.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j, k: index
s_i: composite_state IM
item_i: composite_transition_item IM
m_i: message
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item_i, s_i)
Houtput_i: output item_i = Some m_i
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Hij: tc_composite_observed_before_send IM
  message_dependencies m_i m_j
_m_j: message
s_k: composite_state IM
item_k: composite_transition_item IM
m_k: message
H_output_j: output item_j = Some _m_j
Hdestruct_k: head
  (composite_state_destructor IM
     state_destructor s' k) =
Some (item_k, s_k)
Houtput_k: output item_k = Some m_k
Hjk: tc_composite_observed_before_send IM
  message_dependencies _m_j m_k
tc_composite_observed_before_send IM
  message_dependencies m_j m_k
  by rewrite Houtput_j in H_output_j; inversion H_output_j; subst.
Qed.

#[local] Instance latest_composite_observed_before_send_irreflexive s' :
  Irreflexive (latest_composite_observed_before_send s').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Irreflexive (latest_composite_observed_before_send s')
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Irreflexive (latest_composite_observed_before_send s')
  intros a (s_i & item_i & m_i & s_j & item_j & m_j & [Hdestruct Houtput H_destruct H_output Hrel]).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
a: index
s_i: composite_state IM
item_i: composite_transition_item IM
m_i: message
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hdestruct: head
  (composite_state_destructor IM
     state_destructor s' a) =
Some (item_i, s_i)
Houtput: output item_i = Some m_i
H_destruct: head
  (composite_state_destructor IM
     state_destructor s' a) =
Some (item_j, s_j)
H_output: output item_j = Some m_j
Hrel: tc_composite_observed_before_send IM
  message_dependencies m_i m_j
False
  rewrite Hdestruct in H_destruct; inversion H_destruct; subst; clear H_destruct.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
a: index
m_i: message
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Houtput: output item_j = Some m_i
Hdestruct: head
  (composite_state_destructor IM
     state_destructor s' a) =
Some (item_j, s_j)
H_output: output item_j = Some m_j
Hrel: tc_composite_observed_before_send IM
  message_dependencies m_i m_j
False
  rewrite Houtput in H_output; inversion H_output; subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
a: index
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Houtput: output item_j = Some m_j
Hdestruct: head
  (composite_state_destructor IM
     state_destructor s' a) =
Some (item_j, s_j)
Hrel: tc_composite_observed_before_send IM
  message_dependencies m_j m_j
H_output: Some m_j = Some m_j
False
  by eapply irreflexivity.
Qed.

Lemma composite_latest_sent_observed_in_before_send
  (s' : composite_state IM) (i : index) (j : index)
  (s : composite_state IM) (item : composite_transition_item IM) (m : message)
  (Hij : CompositeLatestSentObservedIn s' i j s item m)
  (s_j : composite_state IM) (item_j : composite_transition_item IM) (m_j : message)
  : constrained_state_prop Free s' ->
    head (composite_state_destructor IM state_destructor s' j) = Some (item_j, s_j) ->
    output item_j = Some m_j ->
    latest_composite_observed_before_send s' i j.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hij: CompositeLatestSentObservedIn s' i j s item m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
constrained_state_prop Free s'
→ head
    (composite_state_destructor IM state_destructor s'
       j) = Some (item_j, s_j)
  → output item_j = Some m_j
    → latest_composite_observed_before_send s' i j
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hij: CompositeLatestSentObservedIn s' i j s item m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
constrained_state_prop Free s'
→ head
    (composite_state_destructor IM state_destructor s'
       j) = Some (item_j, s_j)
  → output item_j = Some m_j
    → latest_composite_observed_before_send s' i j
  intros Hs' Hdestruct_j Houtput_j.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hij: CompositeLatestSentObservedIn s' i j s item m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
latest_composite_observed_before_send s' i j
  eapply composite_state_destructor_head_reachable in Hdestruct_j as Htj; [| done..].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hij: CompositeLatestSentObservedIn s' i j s item m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j item_j
latest_composite_observed_before_send s' i j
  destruct Hij as [Hdestruct_i Houtput_i Hobs].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j item_j
latest_composite_observed_before_send s' i j
  exists s, item, m, s_j, item_j, m_j; constructor; [done.. |]; constructor.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j item_j
composite_observed_before_send IM message_dependencies
  m m_j
  apply head_Some_elem_of in Hdestruct_j as H_destruct_j.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j item_j
H_destruct_j: (item_j, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
composite_observed_before_send IM message_dependencies
  m m_j
  eapply composite_tv_state_destructor_index in H_destruct_j as Hlj.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j item_j
H_destruct_j: (item_j, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Hlj: projT1 (l item_j) = j
composite_observed_before_send IM message_dependencies
  m m_j
  apply input_valid_transition_preloaded_project_active_free in Htj as Htj'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j item_j
H_destruct_j: (item_j, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Hlj: projT1 (l item_j) = j
Htj': input_constrained_transition
  (IM (projT1 (l item_j))) 
  (projT2 (l item_j))
  (s_j (projT1 (l item_j)), input item_j)
  (destination item_j (projT1 (l item_j)),
   output item_j)
composite_observed_before_send IM message_dependencies
  m m_j
  eapply composite_tv_state_destructor_destination in H_destruct_j as Hdestination_j; [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
item_j: composite_transition_item IM
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item_j, s_j)
Houtput_j: output item_j = Some m_j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j item_j
H_destruct_j: (item_j, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Hlj: projT1 (l item_j) = j
Htj': input_constrained_transition
  (IM (projT1 (l item_j))) 
  (projT2 (l item_j))
  (s_j (projT1 (l item_j)), input item_j)
  (destination item_j (projT1 (l item_j)),
   output item_j)
Hdestination_j: destination item_j = s'
composite_observed_before_send IM message_dependencies
  m m_j
  destruct item_j, l as [_j lj]; cbn in *; subst _j destination.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: VLSM.output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
composite_observed_before_send IM message_dependencies
  m m_j
  destruct (decide (i = j)).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: VLSM.output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
e: i = j
composite_observed_before_send IM message_dependencies
  m m_j
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: VLSM.output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
composite_observed_before_send IM message_dependencies
  m m_j
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: VLSM.output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
e: i = j
composite_observed_before_send IM message_dependencies
  m m_j subst; rewrite Hdestruct_i in Hdestruct_j.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some (item, s)
Houtput_i: output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: Some (item, s) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
composite_observed_before_send IM message_dependencies
  m m_j
    inversion Hdestruct_j; subst item s_j; clear Hdestruct_j.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
j: index
s: composite_state IM
m: message
lj: label (IM j)
input: option message
m_j: message
Houtput_i: output
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |} = Some m
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s)
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
Hs': constrained_state_prop Free s'
Htj': input_constrained_transition 
  (IM j) lj (s j, input) (
  s' j, Some m_j)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' j
composite_observed_before_send IM message_dependencies
  m m_j
    by eexists _, _; constructor; [.. | constructor].
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: VLSM.output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
composite_observed_before_send IM message_dependencies
  m m_j eapply composite_state_destructor_head_reachable in Hdestruct_i as Hti; [| done..].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: head
  (composite_state_destructor IM
     state_destructor s' i) =
Some (item, s)
Houtput_i: VLSM.output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s item
composite_observed_before_send IM message_dependencies
  m m_j
    eapply head_Some_elem_of, composite_tv_state_destructor_destination
      in Hdestruct_i as Hdestination_i; [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: (item, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: VLSM.output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hdestination_i: destination item = s'
composite_observed_before_send IM message_dependencies
  m m_j
    eapply composite_tv_state_destructor_index in Hdestruct_i as Hli.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
item: composite_transition_item IM
m: message
Hdestruct_i: (item, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: VLSM.output item = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hdestination_i: destination item = s'
Hli: projT1 (l item) = i
composite_observed_before_send IM message_dependencies
  m m_j
    destruct item, l as [_i li]; cbn in *; subst _i destination.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0, output0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := output0
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: output0 = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := output0
  |}
composite_observed_before_send IM message_dependencies
  m m_j
    replace (s j) with (s' j) in Hobs; cycle 1.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0, output0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := output0
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: output0 = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := output0
  |}
s' j = s j
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0, output0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := output0
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: output0 = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s' j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := output0
  |}
composite_observed_before_send IM message_dependencies
  m m_j
    {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0, output0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := output0
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: output0 = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := output0
  |}
s' j = s j
      destruct Hti as [_ Hti]; cbn in Hti.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0, output0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := output0
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: output0 = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: (let (si', om') :=
   transition li (s i, input0) in
 (state_update IM s i si', om')) = (
s', output0)
s' j = s j
      destruct (transition _ _ _) as [si' om'].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0, output0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := output0
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: output0 = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
si': state (IM i)
om': option message
Hti: (state_update IM s i si', om') = (s', output0)
s' j = s j
      by inversion Hti; rewrite state_update_neq.
    }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0, output0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := output0
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: output0 = Some m
Hobs: HasBeenObserved (IM j) message_dependencies
  (s' j) m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := output0
  |}
composite_observed_before_send IM message_dependencies
  m m_j
    eapply HasBeenObserved_step_update in Hobs as [Hobs | Hnow];
      [by eexists s_j, _; constructor; [.. | constructor 1] | | done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0, output0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := output0
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
Houtput_i: output0 = Some m
s_j: composite_state IM
lj: label (IM j)
input, output: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := output
   |}, s_j)
Houtput_j: output = Some m_j
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, output)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := output
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := output
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := output0
  |}
Hnow: ∃ m0 : message,
  (input = Some m0 ∨ output = Some m0)
  ∧ (m = m0
     ∨ msg_dep_happens_before
         message_dependencies m m0)
composite_observed_before_send IM message_dependencies
  m m_j
    destruct Hnow as (_mj & [H_input | H_output] & [Hnow | Hbefore]); subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
_mj: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some _mj
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
m_j: message
Hs': constrained_state_prop Free s'
Htj': input_constrained_transition 
  (IM j) lj (s_j j, Some _mj) (
  s' j, Some m_j)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := Some _mj;
    destination := s';
    output := Some m_j
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := Some _mj;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := Some _mj;
     destination := s';
     output := Some m_j
   |}, s_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some _mj
  |}
composite_observed_before_send IM message_dependencies
  _mj m_j
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
m_j: message
Hs': constrained_state_prop Free s'
_mj: message
Htj': input_constrained_transition 
  (IM j) lj (s_j j, Some _mj) (
  s' j, Some m_j)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := Some _mj;
    destination := s';
    output := Some m_j
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := Some _mj;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := Some _mj;
     destination := s';
     output := Some m_j
   |}, s_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
Hbefore: msg_dep_happens_before message_dependencies
  m _mj
composite_observed_before_send IM message_dependencies
  m m_j
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
_mj: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some _mj
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some _mj
  |}
H_output: Some m_j = Some _mj
composite_observed_before_send IM message_dependencies
  _mj m_j
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
_mj: message
H_output: Some m_j = Some _mj
Hbefore: msg_dep_happens_before message_dependencies
  m _mj
composite_observed_before_send IM message_dependencies
  m m_j
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
_mj: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some _mj
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
m_j: message
Hs': constrained_state_prop Free s'
Htj': input_constrained_transition 
  (IM j) lj (s_j j, Some _mj) (
  s' j, Some m_j)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := Some _mj;
    destination := s';
    output := Some m_j
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := Some _mj;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := Some _mj;
     destination := s';
     output := Some m_j
   |}, s_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some _mj
  |}
composite_observed_before_send IM message_dependencies
  _mj m_j by eexists s_j, _; constructor; [done.. | constructor 2].
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
m_j: message
Hs': constrained_state_prop Free s'
_mj: message
Htj': input_constrained_transition 
  (IM j) lj (s_j j, Some _mj) (
  s' j, Some m_j)
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := Some _mj;
    destination := s';
    output := Some m_j
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := Some _mj;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := Some _mj;
     destination := s';
     output := Some m_j
   |}, s_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
Hbefore: msg_dep_happens_before message_dependencies
  m _mj
composite_observed_before_send IM message_dependencies
  m m_j by eexists s_j, _; constructor; [done.. | constructor 3].
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
_mj: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some _mj
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some _mj
  |}
H_output: Some m_j = Some _mj
composite_observed_before_send IM message_dependencies
  _mj m_j apply Some_inj in H_output as <-.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m_j: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m_j
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m_j
  |}
composite_observed_before_send IM message_dependencies
  m_j m_j
      contradict n.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m_j: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m_j
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m_j
  |}
i = j
      apply input_valid_transition_preloaded_project_active_free in Hti as Hti'; cbn in Hti'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m_j: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m_j
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m_j
  |}
Hti': input_constrained_transition 
  (IM i) li (s i, input0) (
  s' i, Some m_j)
i = j
      specialize (Hchannel i m_j) as Hchannel_i.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m_j: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m_j
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m_j
  |}
Hti': input_constrained_transition 
  (IM i) li (s i, input0) (
  s' i, Some m_j)
Hchannel_i: can_emit
  (preloaded_with_all_messages_vlsm
     (IM i)) m_j
→ channel_authenticated_message A sender
    i m_j
i = j
      spec Hchannel_i; [by eexists _, _, _ |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m_j: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m_j
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m_j
  |}
Hti': input_constrained_transition 
  (IM i) li (s i, input0) (
  s' i, Some m_j)
Hchannel_i: channel_authenticated_message A sender i
  m_j
i = j
      specialize (Hchannel j m_j) as Hchannel_j.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m_j: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m_j
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m_j
  |}
Hti': input_constrained_transition 
  (IM i) li (s i, input0) (
  s' i, Some m_j)
Hchannel_i: channel_authenticated_message A sender i
  m_j
Hchannel_j: can_emit
  (preloaded_with_all_messages_vlsm
     (IM j)) m_j
→ channel_authenticated_message A sender
    j m_j
i = j
      spec Hchannel_j; [by eexists _, _, _ |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m_j: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m_j
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m_j
  |}
Hti': input_constrained_transition 
  (IM i) li (s i, input0) (
  s' i, Some m_j)
Hchannel_i: channel_authenticated_message A sender i
  m_j
Hchannel_j: channel_authenticated_message A sender j
  m_j
i = j
      by congruence.
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
_mj: message
H_output: Some m_j = Some _mj
Hbefore: msg_dep_happens_before message_dependencies
  m _mj
composite_observed_before_send IM message_dependencies
  m m_j apply Some_inj in H_output as <-.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
Hbefore: msg_dep_happens_before message_dependencies
  m m_j
composite_observed_before_send IM message_dependencies
  m m_j
      apply tc_r_iff in Hbefore as [Hdm | (m' & Hbefore & Hdm)].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
Hdm: msg_dep_rel message_dependencies m m_j
composite_observed_before_send IM message_dependencies
  m m_j
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
m': message
Hbefore: tc (msg_dep_rel message_dependencies) m m'
Hdm: msg_dep_rel message_dependencies m' m_j
composite_observed_before_send IM message_dependencies
  m m_j
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
Hdm: msg_dep_rel message_dependencies m m_j
composite_observed_before_send IM message_dependencies
  m m_j by eapply composite_observed_before_send_subsumes_msg_dep_rel;
          [| eexists _, _, _ |].
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
m': message
Hbefore: tc (msg_dep_rel message_dependencies) m m'
Hdm: msg_dep_rel message_dependencies m' m_j
composite_observed_before_send IM message_dependencies
  m m_j eapply @message_dependencies_are_necessary with (X := IM j) in Hdm as Hobs;
          [| done | by eexists _, _].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
m': message
Hbefore: tc (msg_dep_rel message_dependencies) m m'
Hdm: msg_dep_rel message_dependencies m' m_j
Hobs: has_been_directly_observed (IM j) (s' j) m'
composite_observed_before_send IM message_dependencies
  m m_j
        eapply has_been_directly_observed_step_update in Hobs; [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
m': message
Hbefore: tc (msg_dep_rel message_dependencies) m m'
Hdm: msg_dep_rel message_dependencies m' m_j
Hobs: (input = Some m' ∨ Some m_j = Some m')
∨ has_been_directly_observed (IM j) (s_j j) m'
composite_observed_before_send IM message_dependencies
  m m_j
        eexists s_j, _; constructor; [done.. |]; cbn.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
m': message
Hbefore: tc (msg_dep_rel message_dependencies) m m'
Hdm: msg_dep_rel message_dependencies m' m_j
Hobs: (input = Some m' ∨ Some m_j = Some m')
∨ has_been_directly_observed (IM j) (s_j j) m'
ObservedBeforeStateOrMessage (IM j)
  message_dependencies m (s_j j) input
        destruct Hobs as [[| Houtput] |]; subst; [by constructor | | by do 2 econstructor].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
m_j: message
Hs': constrained_state_prop Free s'
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m_j
   |}, s_j)
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m_j
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m_j
  |}
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
m': message
Hbefore: tc (msg_dep_rel message_dependencies) m m'
Hdm: msg_dep_rel message_dependencies m' m_j
Houtput: Some m_j = Some m'
ObservedBeforeStateOrMessage (IM j)
  message_dependencies m (s_j j) input
        apply Some_inj in Houtput; subst m_j.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
i, j: index
s: composite_state IM
li: label (IM i)
input0: option message
m: message
Hdestruct_i: ({|
   l := existT i li;
   input := input0;
   destination := s';
   output := Some m
 |}, s)
∈ composite_state_destructor IM
    state_destructor s' i
s_j: composite_state IM
lj: label (IM j)
input: option message
Hs': constrained_state_prop Free s'
m': message
Htj': input_constrained_transition 
  (IM j) lj (s_j j, input) (
  s' j, Some m')
Htj: input_constrained_transition_item
  (free_composite_vlsm IM) s_j
  {|
    l := existT j lj;
    input := input;
    destination := s';
    output := Some m'
  |}
H_destruct_j: ({|
   l := existT j lj;
   input := input;
   destination := s';
   output := Some m'
 |}, s_j)
∈ composite_state_destructor IM
    state_destructor s' j
Hdestruct_j: head
  (composite_state_destructor IM
     state_destructor s' j) =
Some
  ({|
     l := existT j lj;
     input := input;
     destination := s';
     output := Some m'
   |}, s_j)
n: i ≠ j
Hti: input_constrained_transition_item
  (free_composite_vlsm IM) s
  {|
    l := existT i li;
    input := input0;
    destination := s';
    output := Some m
  |}
Hbefore: tc (msg_dep_rel message_dependencies) m m'
Hdm: msg_dep_rel message_dependencies m' m'
ObservedBeforeStateOrMessage (IM j)
  message_dependencies m (s_j j) input
        by contradict Hdm; apply tc_reflect_irreflexive; typeclasses eauto.
Qed.

CompositeLatestSentObservedIn as a binary relation on indices of components for a given composite state.

Definition composite_latest_sent_observed_in
  (s' : composite_state IM) (i j : index) : Prop :=
  exists item s m, CompositeLatestSentObservedIn s' i j item s m.

Lemma traceable_vlsm_initial_state_dec :
  forall (i : index) (si : state (IM i)),
    constrained_state_prop (IM i) si ->
    Decision (initial_state_prop (IM i) si).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (i : index) (si : state (IM i)),
  constrained_state_prop (IM i) si
  → Decision (initial_state_prop si)
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (i : index) (si : state (IM i)),
  constrained_state_prop (IM i) si
  → Decision (initial_state_prop si)
  intros; destruct (decide (state_destructor i si = nil)).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
i: index
si: state (IM i)
H14: constrained_state_prop (IM i) si
e: state_destructor i si = []
Decision (initial_state_prop si)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
i: index
si: state (IM i)
H14: constrained_state_prop (IM i) si
n: state_destructor i si ≠ []
Decision (initial_state_prop si)
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
i: index
si: state (IM i)
H14: constrained_state_prop (IM i) si
e: state_destructor i si = []
Decision (initial_state_prop si) by left; apply tv_state_destructor_initial.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
i: index
si: state (IM i)
H14: constrained_state_prop (IM i) si
n: state_destructor i si ≠ []
Decision (initial_state_prop si) by right; contradict n; apply tv_state_destructor_initial.
Qed.

Given a list of indices and a composite constrained state, select from the given list of indices the ones whose corresponding component state is initial.

Program Definition initial_indices
  (s : composite_state IM) (Hs : constrained_state_prop Free s) (is : list index)
  : list index :=
  @filter _ _ _ (fun i => initial_state_prop (IM i) (s i)) _ is.
Next Obligation.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is: list index
x: index
Decision (initial_state_prop (s x))
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is: list index
x: index
Decision (initial_state_prop (s x))
  by intros; eapply traceable_vlsm_initial_state_dec,
    composite_constrained_state_project.
Qed.

Given a predicate on lists of transitions and positions in those lists, a composite state and a list of indices, finds the first index (say i) and the largest position in the list of transitions from component i reaching the given state for which the predicate holds.

Definition find_decomposition
  (P : set (composite_transition_item IM * composite_state IM) -> nat -> Prop)
  `{forall s, RelDecision (fun i => P (composite_state_destructor IM state_destructor s i))}
  (s : composite_state IM)
  (indices : list index)
  : option (index * nat) :=
  find_first_indexed_largest_nat_with_propery_bounded
    (fun i => P (composite_state_destructor IM state_destructor s i))
    (fun i => length (composite_state_destructor IM state_destructor s i)) indices.

Given a composite state and a list of indices, finds first index i in the list and the largest position in the list of transitions from component i reaching the given state such that the corresponding transition is not sending any message.

Definition find_not_send_decomposition
  (s : composite_state IM) (is : list index) : option (index * nat) :=
  find_decomposition CompositeNthNotSend s is.

Definition find_sent_not_observed_decomposition
  (s : composite_state IM) (is : list index) : option (index * nat) :=
  find_decomposition CompositeNthSentNotObserved s is.

A choice_function selecting a transition that does not hide equivocation (according to the msg_dep_is_globally_equivocating definition).

To do so, it selects a transition which is either not sending a message, or sending a previously not observed message. The existence of such a transition is guaranteed by at_least_one_send_not_previously_observed.

Definition minimal_equivocation_choice
  (s : composite_state IM)
  (Hs : constrained_state_prop Free s)
  (is : list index)
  : index * nat :=
  match initial_indices s Hs is with
  | i :: _ => (i, 0)
  | [] =>
    match find_not_send_decomposition s is with
    | Some (i, n) => (i, n)
    | None =>
      match find_sent_not_observed_decomposition s is with
      | Some (i, n) => (i, n)
      | None => (hd inhabitant is, 0)
      end
    end
  end.

Lemma minimal_equivocation_choice_is_choosing_well :
  choosing_well IM state_destructor minimal_equivocation_choice.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
choosing_well IM state_destructor
  minimal_equivocation_choice
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
choosing_well IM state_destructor
  minimal_equivocation_choice
  intros ? * Hnodup Hinit; constructor; cycle 1.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
indices ≠ []
→ (minimal_equivocation_choice s' Hs' indices).1
  ∈ indices
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
∀ (i : index) (n : nat),
  minimal_equivocation_choice s' Hs' indices = (i, n)
  → ¬ initial_state_prop (s' i)
    → is_Some
        (composite_state_destructor IM
           state_destructor s' i !! n)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
∀ Hs'' : constrained_state_prop
           (free_composite_vlsm IM) s',
  minimal_equivocation_choice s' Hs' indices =
  minimal_equivocation_choice s' Hs'' indices
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
indices ≠ []
→ (minimal_equivocation_choice s' Hs' indices).1
  ∈ indices intros Hindices; unfold minimal_equivocation_choice.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
match initial_indices s' Hs' indices with
| [] =>
    match find_not_send_decomposition s' indices with
    | Some (i, n) => (i, n)
    | None =>
        match
          find_sent_not_observed_decomposition s'
            indices
        with
        | Some (i, n) => (i, n)
        | None => (hd inhabitant indices, 0)
        end
    end
| i :: _ => (i, 0)
end.1 ∈ indices
    destruct initial_indices eqn: Heq_ii;
      [destruct (find_not_send_decomposition s' indices) as [[i n] |] eqn: Heq_ns |];
      [| destruct (find_sent_not_observed_decomposition s' indices) as [[i n] |] eqn: Heq_sno |];
      cbn in *.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
Heq_ii: initial_indices s' Hs' indices = []
i: index
n: nat
Heq_ns: find_not_send_decomposition s' indices =
Some (i, n)
i ∈ indices
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
i: index
n: nat
Heq_sno: find_sent_not_observed_decomposition s'
  indices = Some (i, n)
i ∈ indices
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Heq_sno: find_sent_not_observed_decomposition s'
  indices = None
hd inhabitant indices ∈ indices
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
i: index
l: list index
Heq_ii: initial_indices s' Hs' indices = i :: l
i ∈ indices
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
Heq_ii: initial_indices s' Hs' indices = []
i: index
n: nat
Heq_ns: find_not_send_decomposition s' indices =
Some (i, n)
i ∈ indices by eapply find_first_indexed_largest_nat_with_propery_bounded_Some; [| done].
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
i: index
n: nat
Heq_sno: find_sent_not_observed_decomposition s'
  indices = Some (i, n)
i ∈ indices by eapply find_first_indexed_largest_nat_with_propery_bounded_Some; [| done].
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Heq_sno: find_sent_not_observed_decomposition s'
  indices = None
hd inhabitant indices ∈ indices by destruct indices; [| left].
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
i: index
l: list index
Heq_ii: initial_indices s' Hs' indices = i :: l
i ∈ indices cut (i ∈ initial_indices s' Hs' indices); [| by rewrite Heq_ii; left].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hindices: indices ≠ []
i: index
l: list index
Heq_ii: initial_indices s' Hs' indices = i :: l
i ∈ initial_indices s' Hs' indices → i ∈ indices
      by intros Hi; apply elem_of_list_filter in Hi as [].
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
∀ (i : index) (n : nat),
  minimal_equivocation_choice s' Hs' indices = (i, n)
  → ¬ initial_state_prop (s' i)
    → is_Some
        (composite_state_destructor IM
           state_destructor s' i !! n) intros i n; unfold minimal_equivocation_choice.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
n: nat
match initial_indices s' Hs' indices with
| [] =>
    match find_not_send_decomposition s' indices with
    | Some (i, n) => (i, n)
    | None =>
        match
          find_sent_not_observed_decomposition s'
            indices
        with
        | Some (i, n) => (i, n)
        | None => (hd inhabitant indices, 0)
        end
    end
| i :: _ => (i, 0)
end = (i, n)
→ ¬ initial_state_prop (s' i)
  → is_Some
      (composite_state_destructor IM state_destructor
         s' i !! n)
    destruct initial_indices eqn: Heq_ii;
      [destruct (find_not_send_decomposition s' indices) as [[_i _n] |] eqn: Heq_ns |];
      [| destruct (find_sent_not_observed_decomposition s' indices) as [[_i _n] |] eqn: Heq_sno |];
      cbn in *; intro Heq; inversion Heq; subst; clear Heq; intros Hninit.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
n: nat
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices =
Some (i, n)
Hninit: ¬ initial_state_prop (s' i)
is_Some
  (composite_state_destructor IM state_destructor s' i
   !! n)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
n: nat
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Heq_sno: find_sent_not_observed_decomposition s'
  indices = Some (i, n)
Hninit: ¬ initial_state_prop (s' i)
is_Some
  (composite_state_destructor IM state_destructor s' i
   !! n)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Heq_sno: find_sent_not_observed_decomposition s'
  indices = None
Hninit: ¬ initial_state_prop
    (s' (hd inhabitant indices))
is_Some
  (composite_state_destructor IM state_destructor s'
     (hd inhabitant indices) !! 0)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
l: list index
Heq_ii: initial_indices s' Hs' indices = i :: l
Hninit: ¬ initial_state_prop (s' i)
is_Some
  (composite_state_destructor IM state_destructor s' i
   !! 0)
      +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
n: nat
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices =
Some (i, n)
Hninit: ¬ initial_state_prop (s' i)
is_Some
  (composite_state_destructor IM state_destructor s' i
   !! n) apply lookup_lt_is_Some_2.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
n: nat
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices =
Some (i, n)
Hninit: ¬ initial_state_prop (s' i)
n <
length
  (composite_state_destructor IM state_destructor s' i)
        apply find_first_indexed_largest_nat_with_propery_bounded_Some
          in Heq_ns as (_ & Hn & _); [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
n: nat
Heq_ii: initial_indices s' Hs' indices = []
Hn: find_largest_nat_with_property_bounded
  (CompositeNthNotSend
     (composite_state_destructor IM
        state_destructor s' i))
  (length
     (composite_state_destructor IM
        state_destructor s' i)) = 
Some n
Hninit: ¬ initial_state_prop (s' i)
n <
length
  (composite_state_destructor IM state_destructor s' i)
        by apply find_largest_nat_with_property_bounded_Some in Hn as [[Hn _] _].
      +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
n: nat
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Heq_sno: find_sent_not_observed_decomposition s'
  indices = Some (i, n)
Hninit: ¬ initial_state_prop (s' i)
is_Some
  (composite_state_destructor IM state_destructor s' i
   !! n) apply lookup_lt_is_Some_2.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
n: nat
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Heq_sno: find_sent_not_observed_decomposition s'
  indices = Some (i, n)
Hninit: ¬ initial_state_prop (s' i)
n <
length
  (composite_state_destructor IM state_destructor s' i)
        apply find_first_indexed_largest_nat_with_propery_bounded_Some
          in Heq_sno as (_ & Hn & _); [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
n: nat
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Hn: find_largest_nat_with_property_bounded
  (CompositeNthSentNotObserved
     (composite_state_destructor IM
        state_destructor s' i))
  (length
     (composite_state_destructor IM
        state_destructor s' i)) = 
Some n
Hninit: ¬ initial_state_prop (s' i)
n <
length
  (composite_state_destructor IM state_destructor s' i)
        by apply find_largest_nat_with_property_bounded_Some in Hn as [[Hn _] _].
      +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Heq_sno: find_sent_not_observed_decomposition s'
  indices = None
Hninit: ¬ initial_state_prop
    (s' (hd inhabitant indices))
is_Some
  (composite_state_destructor IM state_destructor s'
     (hd inhabitant indices) !! 0) apply lookup_lt_is_Some_2.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Heq_sno: find_sent_not_observed_decomposition s'
  indices = None
Hninit: ¬ initial_state_prop
    (s' (hd inhabitant indices))
0 <
length
  (composite_state_destructor IM state_destructor s'
     (hd inhabitant indices))
        cut (composite_state_destructor IM state_destructor s' (hd inhabitant indices) <> []);
          [| by contradict Hninit; eapply composite_tv_state_destructor_initial].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Heq_ii: initial_indices s' Hs' indices = []
Heq_ns: find_not_send_decomposition s' indices = None
Heq_sno: find_sent_not_observed_decomposition s'
  indices = None
Hninit: ¬ initial_state_prop
    (s' (hd inhabitant indices))
composite_state_destructor IM state_destructor s'
  (hd inhabitant indices) ≠ []
→ 0 <
  length
    (composite_state_destructor IM state_destructor s'
       (hd inhabitant indices))
        by destruct (composite_state_destructor); simpl; [| lia].
      +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
l: list index
Heq_ii: initial_indices s' Hs' indices = i :: l
Hninit: ¬ initial_state_prop (s' i)
is_Some
  (composite_state_destructor IM state_destructor s' i
   !! 0) contradict Hninit.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
l: list index
Heq_ii: initial_indices s' Hs' indices = i :: l
initial_state_prop (s' i)
        cut (i ∈ initial_indices s' Hs' indices); [| by rewrite Heq_ii; left].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
i: index
l: list index
Heq_ii: initial_indices s' Hs' indices = i :: l
i ∈ initial_indices s' Hs' indices
→ initial_state_prop (s' i)
        by intro Hi; apply elem_of_list_filter in Hi as [].
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
∀ Hs'' : constrained_state_prop
           (free_composite_vlsm IM) s',
  minimal_equivocation_choice s' Hs' indices =
  minimal_equivocation_choice s' Hs'' indices intro; unfold minimal_equivocation_choice.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop 
  (free_composite_vlsm IM) s'
indices: list index
Hnodup: NoDup indices
Hinit: not_in_indices_initial_prop IM s' indices
Hs'': constrained_state_prop 
  (free_composite_vlsm IM) s'
match initial_indices s' Hs' indices with
| [] =>
    match find_not_send_decomposition s' indices with
    | Some (i, n) => (i, n)
    | None =>
        match
          find_sent_not_observed_decomposition s'
            indices
        with
        | Some (i, n) => (i, n)
        | None => (hd inhabitant indices, 0)
        end
    end
| i :: _ => (i, 0)
end =
match initial_indices s' Hs'' indices with
| [] =>
    match find_not_send_decomposition s' indices with
    | Some (i, n) => (i, n)
    | None =>
        match
          find_sent_not_observed_decomposition s'
            indices
        with
        | Some (i, n) => (i, n)
        | None => (hd inhabitant indices, 0)
        end
    end
| i :: _ => (i, 0)
end
    by unfold initial_indices; erewrite list_filter_iff.
Qed.

Suppose we have a composite state and a list of indices such that for each index from the list, the latest transition from the corresponding component of the composite state to this index is sending a message which has been previously observed in another component (the composite_latest_sent_observed_in relation).

Then we can create a new list of indices, using only indices from the initial list of indices, which is longer than the initial list of indices and which is a chain wrt to the composite_latest_sent_observed_in relation.

Note that since the new list is longer than the initial one, but doesn't use new indices, it implies that there is at least one index in the new list of indices which appears at least twice in the new list.

Lemma composite_latest_sent_observed_in_chain
  (is : list index)
  (Hne : is <> [])
  (s : composite_state IM)
  (Hs : constrained_state_prop Free s)
  (Hall_sent_observed : forall x : index, x ∈ is ->
    exists y, y ∈ is /\
    composite_latest_sent_observed_in s x y)
  : exists is', is' ⊆ is /\ length is' > length is /\
      ForAllSuffix2 (flip (composite_latest_sent_observed_in s)) is'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
∃ is' : list index,
  is' ⊆ is
  ∧ length is' > length is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
∃ is' : list index,
  is' ⊆ is
  ∧ length is' > length is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
  cut (forall n, exists is', length is' = n /\ is' ⊆ is /\
        ForAllSuffix2 (flip (composite_latest_sent_observed_in s)) is').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
(∀ n : nat,
   ∃ is' : list index,
     length is' = n
     ∧ is' ⊆ is
       ∧ ForAllSuffix2
           (flip (composite_latest_sent_observed_in s))
           is')
→ ∃ is' : list index,
    is' ⊆ is
    ∧ length is' > length is
      ∧ ForAllSuffix2
          (flip (composite_latest_sent_observed_in s))
          is'
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
∀ n : nat,
  ∃ is' : list index,
    length is' = n
    ∧ is' ⊆ is
      ∧ ForAllSuffix2
          (flip (composite_latest_sent_observed_in s))
          is'
  {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
(∀ n : nat,
   ∃ is' : list index,
     length is' = n
     ∧ is' ⊆ is
       ∧ ForAllSuffix2
           (flip (composite_latest_sent_observed_in s))
           is')
→ ∃ is' : list index,
    is' ⊆ is
    ∧ length is' > length is
      ∧ ForAllSuffix2
          (flip (composite_latest_sent_observed_in s))
          is'
    intros Hn; destruct (Hn (S (length is))) as (is' & Hlen & Hsub & Hall).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hn: ∀ n : nat,
  ∃ is' : list index,
    length is' = n
    ∧ is' ⊆ is
      ∧ ForAllSuffix2
          (flip
             (composite_latest_sent_observed_in s))
          is'
is': list index
Hlen: length is' = S (length is)
Hsub: is' ⊆ is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
∃ is' : list index,
  is' ⊆ is
  ∧ length is' > length is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
    by exists is'; split_and!; [| lia |].
  }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
∀ n : nat,
  ∃ is' : list index,
    length is' = n
    ∧ is' ⊆ is
      ∧ ForAllSuffix2
          (flip (composite_latest_sent_observed_in s))
          is'
  induction n; [exists []; repeat split; [by inversion 1 | by constructor] |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
IHn: ∃ is' : list index,
  length is' = n
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip
           (composite_latest_sent_observed_in s))
        is'
∃ is' : list index,
  length is' = S n
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
  destruct n.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
IHn: ∃ is' : list index,
  length is' = 0
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip
           (composite_latest_sent_observed_in s))
        is'
∃ is' : list index,
  length is' = 1
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
IHn: ∃ is' : list index,
  length is' = S n
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip
           (composite_latest_sent_observed_in s))
        is'
∃ is' : list index,
  length is' = S (S n)
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
IHn: ∃ is' : list index,
  length is' = 0
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip
           (composite_latest_sent_observed_in s))
        is'
∃ is' : list index,
  length is' = 1
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is' destruct is as [| i is]; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
i: index
is: list index
Hne: i :: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ i :: is
  → ∃ y : index,
      y ∈ i :: is
      ∧ composite_latest_sent_observed_in
          s x y
IHn: ∃ is' : list index,
  length is' = 0
  ∧ is' ⊆ i :: is
    ∧ ForAllSuffix2
        (flip
           (composite_latest_sent_observed_in s))
        is'
∃ is' : list index,
  length is' = 1
  ∧ is' ⊆ i :: is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
    exists [i]; repeat split; [| repeat constructor].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
i: index
is: list index
Hne: i :: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ i :: is
  → ∃ y : index,
      y ∈ i :: is
      ∧ composite_latest_sent_observed_in
          s x y
IHn: ∃ is' : list index,
  length is' = 0
  ∧ is' ⊆ i :: is
    ∧ ForAllSuffix2
        (flip
           (composite_latest_sent_observed_in s))
        is'
[i] ⊆ i :: is
    by intros _i; rewrite elem_of_list_singleton; intros ->; left.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
IHn: ∃ is' : list index,
  length is' = S n
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip
           (composite_latest_sent_observed_in s))
        is'
∃ is' : list index,
  length is' = S (S n)
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is' destruct IHn as (is' & Hlen & Hsub & Hall).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
is': list index
Hlen: length is' = S n
Hsub: is' ⊆ is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
∃ is' : list index,
  length is' = S (S n)
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
    destruct is' as [| i is']; [by cbn in Hlen |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
i: index
is': list index
Hlen: length (i :: is') = S n
Hsub: i :: is' ⊆ is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  (i :: is')
∃ is' : list index,
  length is' = S (S n)
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
    destruct (Hall_sent_observed i) as (i' & Hi' & Hcomposite); [by apply Hsub; left |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
i: index
is': list index
Hlen: length (i :: is') = S n
Hsub: i :: is' ⊆ is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  (i :: is')
i': index
Hi': i' ∈ is
Hcomposite: composite_latest_sent_observed_in s i i'
∃ is' : list index,
  length is' = S (S n)
  ∧ is' ⊆ is
    ∧ ForAllSuffix2
        (flip (composite_latest_sent_observed_in s))
        is'
    exists (i' :: i :: is').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
i: index
is': list index
Hlen: length (i :: is') = S n
Hsub: i :: is' ⊆ is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  (i :: is')
i': index
Hi': i' ∈ is
Hcomposite: composite_latest_sent_observed_in s i i'
length (i' :: i :: is') = S (S n)
∧ i' :: i :: is' ⊆ is
  ∧ ForAllSuffix2
      (flip (composite_latest_sent_observed_in s))
      (i' :: i :: is')
    split_and!; [by rewrite <- Hlen | ..].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
i: index
is': list index
Hlen: length (i :: is') = S n
Hsub: i :: is' ⊆ is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  (i :: is')
i': index
Hi': i' ∈ is
Hcomposite: composite_latest_sent_observed_in s i i'
i' :: i :: is' ⊆ is
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
i: index
is': list index
Hlen: length (i :: is') = S n
Hsub: i :: is' ⊆ is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  (i :: is')
i': index
Hi': i' ∈ is
Hcomposite: composite_latest_sent_observed_in s i i'
ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  (i' :: i :: is')
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
i: index
is': list index
Hlen: length (i :: is') = S n
Hsub: i :: is' ⊆ is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  (i :: is')
i': index
Hi': i' ∈ is
Hcomposite: composite_latest_sent_observed_in s i i'
i' :: i :: is' ⊆ is by inversion 1; subst; [| apply Hsub].
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hne: is ≠ []
s: composite_state IM
Hs: constrained_state_prop Free s
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
n: nat
i: index
is': list index
Hlen: length (i :: is') = S n
Hsub: i :: is' ⊆ is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  (i :: is')
i': index
Hi': i' ∈ is
Hcomposite: composite_latest_sent_observed_in s i i'
ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  (i' :: i :: is') by constructor.
Qed.

Under the assumptions of composite_latest_sent_observed_in_chain, all adjacent indices in the obtained chain are in the latest_composite_observed_before_send relation.

Lemma all_latest_composite_observed_before_send_one_step
  (s : composite_state IM)
  (Hs : constrained_state_prop Free s)
  (is is' : list index)
  (Hsub : is' ⊆ is)
  (Hall_sent_observed : forall x : index, x ∈ is ->
    exists y, y ∈ is /\
    composite_latest_sent_observed_in s x y)
  : ForAllSuffix2 (flip (composite_latest_sent_observed_in s)) is' ->
    forall j : nat,
    forall isj, is' !! j = Some isj ->
    forall isi, is' !! (S j) = Some isi ->
    latest_composite_observed_before_send s isi isj.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
ForAllSuffix2
  (flip (composite_latest_sent_observed_in s)) is'
→ ∀ (j : nat) (isj : index),
    is' !! j = Some isj
    → ∀ isi : index,
        is' !! S j = Some isi
        → latest_composite_observed_before_send s isi
            isj
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
ForAllSuffix2
  (flip (composite_latest_sent_observed_in s)) is'
→ ∀ (j : nat) (isj : index),
    is' !! j = Some isj
    → ∀ isi : index,
        is' !! S j = Some isi
        → latest_composite_observed_before_send s isi
            isj
  intros Hall j isj Hisj isi Hisi.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
j: nat
isj: index
Hisj: is' !! j = Some isj
isi: index
Hisi: is' !! S j = Some isi
latest_composite_observed_before_send s isi isj
  eapply ForAllSuffix2_lookup in Hisj as Hobs_j; [| done..].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
j: nat
isj: index
Hisj: is' !! j = Some isj
isi: index
Hisi: is' !! S j = Some isi
Hobs_j: flip (composite_latest_sent_observed_in s)
  isj isi
latest_composite_observed_before_send s isi isj
  destruct Hobs_j as (s_isi & item_isi & m_isi & Hobs_j).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
j: nat
isj: index
Hisj: is' !! j = Some isj
isi: index
Hisi: is' !! S j = Some isi
s_isi: composite_state IM
item_isi: composite_transition_item IM
m_isi: message
Hobs_j: CompositeLatestSentObservedIn s isi isj s_isi
  item_isi m_isi
latest_composite_observed_before_send s isi isj
  destruct (Hall_sent_observed isj) as (y & Hy & s_isj & item_isj & m_isj & []);
    [by eapply Hsub, elem_of_list_lookup_2 |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
j: nat
isj: index
Hisj: is' !! j = Some isj
isi: index
Hisi: is' !! S j = Some isi
s_isi: composite_state IM
item_isi: composite_transition_item IM
m_isi: message
Hobs_j: CompositeLatestSentObservedIn s isi isj s_isi
  item_isi m_isi
y: index
Hy: y ∈ is
s_isj: composite_state IM
item_isj: composite_transition_item IM
m_isj: message
clsoi_destructor0: head
  (composite_state_destructor IM
     state_destructor s isj) =
Some (item_isj, s_isj)
clsoi_output0: output item_isj = Some m_isj
clsoi_observed0: HasBeenObserved (IM y)
  message_dependencies 
  (s_isj y) m_isj
latest_composite_observed_before_send s isi isj
  by eapply composite_latest_sent_observed_in_before_send.
Qed.

Under the assumptions of composite_latest_sent_observed_in_chain, all pairs of indices from the obtained chain are in the latest_composite_observed_before_send relation.

Lemma all_latest_composite_observed_before_send
  (s : composite_state IM)
  (Hs : constrained_state_prop Free s)
  (is is' : list index)
  (Hsub : is' ⊆ is)
  (Hall_sent_observed : forall x : index, x ∈ is ->
    exists y, y ∈ is /\
    composite_latest_sent_observed_in s x y)
  : ForAllSuffix2 (flip (composite_latest_sent_observed_in s)) is' ->
    forall i j : nat, i > j ->
    forall isi, is' !! i = Some isi ->
    forall isj, is' !! j = Some isj ->
    latest_composite_observed_before_send s isi isj.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
ForAllSuffix2
  (flip (composite_latest_sent_observed_in s)) is'
→ ∀ i j : nat,
    i > j
    → ∀ isi : index,
        is' !! i = Some isi
        → ∀ isj : index,
            is' !! j = Some isj
            → latest_composite_observed_before_send s
                isi isj
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
ForAllSuffix2
  (flip (composite_latest_sent_observed_in s)) is'
→ ∀ i j : nat,
    i > j
    → ∀ isi : index,
        is' !! i = Some isi
        → ∀ isj : index,
            is' !! j = Some isj
            → latest_composite_observed_before_send s
                isi isj
  intros Hall i j Hij; unfold gt, lt in Hij; remember (S j) as k.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
i, j, k: nat
Heqk: k = S j
Hij: k ≤ i
∀ isi : index,
  is' !! i = Some isi
  → ∀ isj : index,
      is' !! j = Some isj
      → latest_composite_observed_before_send s isi
          isj
  revert j Heqk; induction Hij; intros j -> isi Hisi isj Hisj.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
j: nat
isi: index
Hisi: is' !! S j = Some isi
isj: index
Hisj: is' !! j = Some isj
latest_composite_observed_before_send s isi isj
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
m, j: nat
IHHij: ∀ j0 : nat,
  S j = S j0
  → ∀ isi : index,
      is' !! m = Some isi
      → ∀ isj : index,
          is' !! j0 = Some isj
          → latest_composite_observed_before_send
              s isi isj
Hij: S j ≤ m
isi: index
Hisi: is' !! S m = Some isi
isj: index
Hisj: is' !! j = Some isj
latest_composite_observed_before_send s isi isj
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
j: nat
isi: index
Hisi: is' !! S j = Some isi
isj: index
Hisj: is' !! j = Some isj
latest_composite_observed_before_send s isi isj by eapply all_latest_composite_observed_before_send_one_step.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
m, j: nat
IHHij: ∀ j0 : nat,
  S j = S j0
  → ∀ isi : index,
      is' !! m = Some isi
      → ∀ isj : index,
          is' !! j0 = Some isj
          → latest_composite_observed_before_send
              s isi isj
Hij: S j ≤ m
isi: index
Hisi: is' !! S m = Some isi
isj: index
Hisj: is' !! j = Some isj
latest_composite_observed_before_send s isi isj specialize (IHHij _ eq_refl).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
m, j: nat
IHHij: ∀ isi : index,
  is' !! m = Some isi
  → ∀ isj : index,
      is' !! j = Some isj
      → latest_composite_observed_before_send
          s isi isj
Hij: S j ≤ m
isi: index
Hisi: is' !! S m = Some isi
isj: index
Hisj: is' !! j = Some isj
latest_composite_observed_before_send s isi isj
    cut (is_Some (is' !! m)).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
m, j: nat
IHHij: ∀ isi : index,
  is' !! m = Some isi
  → ∀ isj : index,
      is' !! j = Some isj
      → latest_composite_observed_before_send
          s isi isj
Hij: S j ≤ m
isi: index
Hisi: is' !! S m = Some isi
isj: index
Hisj: is' !! j = Some isj
is_Some (is' !! m)
→ latest_composite_observed_before_send s isi isj
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
m, j: nat
IHHij: ∀ isi : index,
  is' !! m = Some isi
  → ∀ isj : index,
      is' !! j = Some isj
      → latest_composite_observed_before_send
          s isi isj
Hij: S j ≤ m
isi: index
Hisi: is' !! S m = Some isi
isj: index
Hisj: is' !! j = Some isj
is_Some (is' !! m)
    {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
m, j: nat
IHHij: ∀ isi : index,
  is' !! m = Some isi
  → ∀ isj : index,
      is' !! j = Some isj
      → latest_composite_observed_before_send
          s isi isj
Hij: S j ≤ m
isi: index
Hisi: is' !! S m = Some isi
isj: index
Hisj: is' !! j = Some isj
is_Some (is' !! m)
→ latest_composite_observed_before_send s isi isj
      intros [isi' Hisi'].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
m, j: nat
IHHij: ∀ isi : index,
  is' !! m = Some isi
  → ∀ isj : index,
      is' !! j = Some isj
      → latest_composite_observed_before_send
          s isi isj
Hij: S j ≤ m
isi: index
Hisi: is' !! S m = Some isi
isj: index
Hisj: is' !! j = Some isj
isi': index
Hisi': is' !! m = Some isi'
latest_composite_observed_before_send s isi isj
      transitivity isi'; [| by apply IHHij].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
m, j: nat
IHHij: ∀ isi : index,
  is' !! m = Some isi
  → ∀ isj : index,
      is' !! j = Some isj
      → latest_composite_observed_before_send
          s isi isj
Hij: S j ≤ m
isi: index
Hisi: is' !! S m = Some isi
isj: index
Hisj: is' !! j = Some isj
isi': index
Hisi': is' !! m = Some isi'
latest_composite_observed_before_send s isi isi'
      by eapply all_latest_composite_observed_before_send_one_step.
    }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is, is': list index
Hsub: is' ⊆ is
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s x y
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s))
  is'
m, j: nat
IHHij: ∀ isi : index,
  is' !! m = Some isi
  → ∀ isj : index,
      is' !! j = Some isj
      → latest_composite_observed_before_send
          s isi isj
Hij: S j ≤ m
isi: index
Hisi: is' !! S m = Some isi
isj: index
Hisj: is' !! j = Some isj
is_Some (is' !! m)
    by apply list_lookup_lt with (S m); [| lia].
Qed.

We would like to formalize the following idea:

If all possible transitions to the given state are send transitions, then at least one of the sent messages must not have been previously observed.

To do so, we will prove the following statement matching more closely the definition of minimal_equivocation_choice:

If there are no components in the initial state and if all possible transitions are sent and if all sent messages have been previously observed, then we have a contradiction.

Proof sketch:

Use composite_latest_sent_observed_in_chain to build a chain of indices larger than the initial list of indices, thus guaranteeing that at least one index, say i appears twice in the chain.
Instantiate all_latest_composite_observed_before_send, for the pair between the i above and itself to obtain that i is in relation latest_composite_observed_before_send with itself
Contradiction by latest_composite_observed_before_send_irreflexive.

Lemma at_least_one_send_not_previously_observed
  (s' : composite_state IM)
  (Hs' : constrained_state_prop Free s')
  (is : list index)
  (His : is <> [])
  (Hnodup : NoDup is)
  (Hinitial_outside : not_in_indices_initial_prop IM s' is)
  : initial_indices s' Hs' is = [] ->
    find_not_send_decomposition s' is = None ->
    find_sent_not_observed_decomposition s' is = None ->
      False.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
initial_indices s' Hs' is = []
→ find_not_send_decomposition s' is = None
  → find_sent_not_observed_decomposition s' is = None
    → False
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
initial_indices s' Hs' is = []
→ find_not_send_decomposition s' is = None
  → find_sent_not_observed_decomposition s' is = None
    → False
  intros Hinitial Hnot_send Hsent_not_obs.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
False
  assert (Hall_sent_observed :
    forall x : index, x ∈ is ->
      exists y, y ∈ is /\ composite_latest_sent_observed_in s' x y).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in s' x y
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
False
  {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in s' x y
    intros i Hi.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
i: index
Hi: i ∈ is
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    eapply Forall_filter_nil, Forall_forall in Hinitial; [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
i: index
Hi: i ∈ is
Hinitial: ¬ initial_state_prop (s' i)
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    eapply find_first_indexed_largest_nat_with_propery_bounded_None in Hnot_send, Hsent_not_obs;
      [| done..].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
Hinitial: ¬ initial_state_prop (s' i)
Hsent_not_obs: find_largest_nat_with_property_bounded
  (CompositeNthSentNotObserved
     (composite_state_destructor IM
        state_destructor s' i))
  (length
     (composite_state_destructor IM
        state_destructor s' i)) = None
Hnot_send: find_largest_nat_with_property_bounded
  (CompositeNthNotSend
     (composite_state_destructor IM
        state_destructor s' i))
  (length
     (composite_state_destructor IM
        state_destructor s' i)) = None
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    rewrite find_largest_nat_with_property_bounded_None in Hsent_not_obs, Hnot_send.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
Hinitial: ¬ initial_state_prop (s' i)
Hsent_not_obs: ∀ n : nat,
  n <
  length
    (composite_state_destructor IM
       state_destructor s' i)
  → ¬ CompositeNthSentNotObserved
        (composite_state_destructor IM
           state_destructor s' i) n
Hnot_send: ∀ n : nat,
  n <
  length
    (composite_state_destructor IM
       state_destructor s' i)
  → ¬ CompositeNthNotSend
        (composite_state_destructor IM
           state_destructor s' i) n
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    rewrite composite_tv_state_destructor_initial in Hinitial;
      [| by typeclasses eauto | done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
Hsent_not_obs: ∀ n : nat,
  n <
  length
    (composite_state_destructor IM
       state_destructor s' i)
  → ¬ CompositeNthSentNotObserved
        (composite_state_destructor IM
           state_destructor s' i) n
Hnot_send: ∀ n : nat,
  n <
  length
    (composite_state_destructor IM
       state_destructor s' i)
  → ¬ CompositeNthNotSend
        (composite_state_destructor IM
           state_destructor s' i) n
Hinitial: composite_state_destructor IM
  state_destructor s' i ≠ []
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    destruct composite_state_destructor as [| [item s]] eqn: Hdestruct;
      [done | clear Hinitial]; cbn in *.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
Hsent_not_obs: ∀ n : nat,
  n < S (length l)
  → ¬ CompositeNthSentNotObserved
        ((item, s) :: l) n
Hnot_send: ∀ n : nat,
  n < S (length l)
  → ¬ CompositeNthNotSend 
        ((item, s) :: l) n
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    specialize (Hnot_send 0); spec Hnot_send; [lia |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
Hsent_not_obs: ∀ n : nat,
  n < S (length l)
  → ¬ CompositeNthSentNotObserved
        ((item, s) :: l) n
Hnot_send: ¬ CompositeNthNotSend ((item, s) :: l) 0
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    specialize (Hsent_not_obs 0); spec Hsent_not_obs; [lia |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
Hnot_send: ¬ CompositeNthNotSend ((item, s) :: l) 0
Hsent_not_obs: ¬ CompositeNthSentNotObserved
    ((item, s) :: l) 0
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    eapply not_CompositeNthNotSend_is_sent in Hnot_send as [m Houtput]; [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
Hsent_not_obs: ¬ CompositeNthSentNotObserved
    ((item, s) :: l) 0
m: message
Houtput: output item = Some m
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    eapply not_CompositeNthSentNotObserved_is_observed in Hsent_not_obs; [| done..].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
Hsent_not_obs: CompositeHasBeenObserved IM
  message_dependencies s m
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    apply composite_HasBeenObserved_iff in Hsent_not_obs as [y Hobs].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
∃ y : index,
  y ∈ is ∧ composite_latest_sent_observed_in s' i y
    exists y; split.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
y ∈ is
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
composite_latest_sent_observed_in s' i y
    -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
y ∈ is destruct (decide (elem_of y is)); [done | exfalso].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
n: y ∉ is
False
      cut (initial_state_prop (IM y) (s y)).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
n: y ∉ is
initial_state_prop (s y) → False
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
n: y ∉ is
initial_state_prop (s y)
      {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
n: y ∉ is
initial_state_prop (s y) → False
        by intro; inversion Hobs; eapply has_been_directly_observed_no_inits.
      }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
n: y ∉ is
initial_state_prop (s y)
      eapply composite_tv_state_destructor_preserves_not_in_indices_initial
        with (n := 0) in Hinitial_outside;
        [| typeclasses eauto | done | by rewrite Hdestruct].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
n: y ∉ is
Hinitial_outside: not_in_indices_initial_prop IM s is
initial_state_prop (s y)
      by apply Hinitial_outside.
    -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
i: index
Hi: i ∈ is
item: composite_transition_item IM
s: composite_state IM
l: list
  (composite_transition_item IM *
   composite_state IM)
Hdestruct: composite_state_destructor IM
  state_destructor s' i = 
(item, s) :: l
m: message
Houtput: output item = Some m
y: index
Hobs: HasBeenObserved (IM y) message_dependencies
  (s y) m
composite_latest_sent_observed_in s' i y by exists s, item, m; constructor; [rewrite Hdestruct | ..].
  }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
False
  destruct (composite_latest_sent_observed_in_chain _ His _ Hs' Hall_sent_observed)
    as (is' & Hsub & Hlen & Hall).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
False
  destruct (longer_subseteq_has_dups _ _ Hsub Hlen)
    as (k1 & k2 & i' & Hnk12 & Hi1 & Hi2).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
False
  assert (k1 > k2 \/ k2 > k1) as [Hk12 | Hk21] by lia.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk12: k1 > k2
False
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk21: k2 > k1
False
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk12: k1 > k2
False eapply irreflexivity.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk12: k1 > k2
Irreflexive ?R
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk12: k1 > k2
?R ?x ?x
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk12: k1 > k2
Irreflexive ?R by apply latest_composite_observed_before_send_irreflexive.
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk12: k1 > k2
latest_composite_observed_before_send ?s' ?x ?x by apply (all_latest_composite_observed_before_send _ Hs' _ _ Hsub
        Hall_sent_observed Hall _ _ Hk12 i' Hi1 i' Hi2).
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk21: k2 > k1
False eapply irreflexivity.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk21: k2 > k1
Irreflexive ?R
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk21: k2 > k1
?R ?x ?x
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk21: k2 > k1
Irreflexive ?R by apply latest_composite_observed_before_send_irreflexive.
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s': composite_state IM
Hs': constrained_state_prop Free s'
is: list index
His: is ≠ []
Hnodup: NoDup is
Hinitial_outside: not_in_indices_initial_prop IM s'
  is
Hinitial: initial_indices s' Hs' is = []
Hnot_send: find_not_send_decomposition s' is = None
Hsent_not_obs: find_sent_not_observed_decomposition
  s' is = None
Hall_sent_observed: ∀ x : index,
  x ∈ is
  → ∃ y : index,
      y ∈ is
      ∧ composite_latest_sent_observed_in
          s' x y
is': list index
Hsub: is' ⊆ is
Hlen: length is' > length is
Hall: ForAllSuffix2
  (flip (composite_latest_sent_observed_in s'))
  is'
k1, k2: nat
i': index
Hnk12: k1 ≠ k2
Hi1: is' !! k1 = Some i'
Hi2: is' !! k2 = Some i'
Hk21: k2 > k1
latest_composite_observed_before_send ?s' ?x ?x by apply (all_latest_composite_observed_before_send _ Hs' _ _ Hsub
        Hall_sent_observed Hall _ _ Hk21 i' Hi2 i' Hi1).
Qed.

The main result of this section: the transition chosen by the minimal_equivocation_choice function does not hide existing equivocation.

Lemma minimal_equivocation_choice_monotone :
  forall (is : list index), NoDup is ->
  forall (s' : composite_state IM) (Hs' : constrained_state_prop Free s'),
    not_in_indices_initial_prop IM s' is ->
    forall (i : index) (Hi : i ∈ is) (n : nat),
      minimal_equivocation_choice s' Hs' is  = (i, n) ->
      forall (s : composite_state IM) (item : composite_transition_item IM),
        composite_state_destructor IM state_destructor s' i !! n = Some (item, s) ->
        forall v : validator,
          msg_dep_is_globally_equivocating IM message_dependencies sender s v ->
          msg_dep_is_globally_equivocating IM message_dependencies sender s' v.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ is : list index,
  NoDup is
  → ∀ (s' : composite_state IM) (Hs' : constrained_state_prop
                                         Free s'),
      not_in_indices_initial_prop IM s' is
      → ∀ i : index,
          i ∈ is
          → ∀ n : nat,
              minimal_equivocation_choice s' Hs' is =
              (i, n)
              → ∀ (s : composite_state IM) (item : 
                                            composite_transition_item
                                              IM),
                  composite_state_destructor IM
                    state_destructor s' i !! n =
                  Some (item, s)
                  → ∀ v : validator,
                      msg_dep_is_globally_equivocating
                        IM message_dependencies sender
                        s v
                      → msg_dep_is_globally_equivocating
                          IM message_dependencies
                          sender s' v
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ is : list index,
  NoDup is
  → ∀ (s' : composite_state IM) (Hs' : constrained_state_prop
                                         Free s'),
      not_in_indices_initial_prop IM s' is
      → ∀ i : index,
          i ∈ is
          → ∀ n : nat,
              minimal_equivocation_choice s' Hs' is =
              (i, n)
              → ∀ (s : composite_state IM) (item : 
                                            composite_transition_item
                                              IM),
                  composite_state_destructor IM
                    state_destructor s' i !! n =
                  Some (item, s)
                  → ∀ v : validator,
                      msg_dep_is_globally_equivocating
                        IM message_dependencies sender
                        s v
                      → msg_dep_is_globally_equivocating
                          IM message_dependencies
                          sender s' v
  intros is Hnodup s' Hs' Hnis i Hi n Hchoice s item Hdestruct v [m []].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
s': composite_state IM
Hs': constrained_state_prop Free s'
Hnis: not_in_indices_initial_prop IM s' is
i: index
Hi: i ∈ is
n: nat
Hchoice: minimal_equivocation_choice s' Hs' is =
(i, n)
s: composite_state IM
item: composite_transition_item IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
msg_dep_is_globally_equivocating IM
  message_dependencies sender s' v
  eapply composite_state_destructor_lookup_reachable in Hdestruct as Ht;
    [| typeclasses eauto | done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
s': composite_state IM
Hs': constrained_state_prop Free s'
Hnis: not_in_indices_initial_prop IM s' is
i: index
Hi: i ∈ is
n: nat
Hchoice: minimal_equivocation_choice s' Hs' is =
(i, n)
s: composite_state IM
item: composite_transition_item IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
msg_dep_is_globally_equivocating IM
  message_dependencies sender s' v
  eapply transition_preserves_CompositeHasBeenObserved
    in mdgee_rec_observed as Hobs'; [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
s': composite_state IM
Hs': constrained_state_prop Free s'
Hnis: not_in_indices_initial_prop IM s' is
i: index
Hi: i ∈ is
n: nat
Hchoice: minimal_equivocation_choice s' Hs' is =
(i, n)
s: composite_state IM
item: composite_transition_item IM
Hdestruct: composite_state_destructor IM
  state_destructor s' i !! n =
Some (item, s)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
msg_dep_is_globally_equivocating IM
  message_dependencies sender s' v
  assert (destination item = s') as <-
    by (eapply composite_tv_state_destructor_destination, elem_of_list_lookup_2; eauto).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: minimal_equivocation_choice
  (destination item) Hs' is = (
i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
msg_dep_is_globally_equivocating IM
  message_dependencies sender (destination item) v
  exists m; constructor; [done.. |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: minimal_equivocation_choice
  (destination item) Hs' is = (
i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
¬ composite_has_been_sent IM (destination item) m
  cut (output item <> Some m).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: minimal_equivocation_choice
  (destination item) Hs' is = (
i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
→ ¬ composite_has_been_sent IM (destination item) m
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: minimal_equivocation_choice
  (destination item) Hs' is = (
i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
  {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: minimal_equivocation_choice
  (destination item) Hs' is = (
i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
→ ¬ composite_has_been_sent IM (destination item) m
    intro.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: minimal_equivocation_choice
  (destination item) Hs' is = (
i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
H14: output item ≠ Some m
¬ composite_has_been_sent IM (destination item) m
    destruct (free_composite_has_been_sent_stepwise_props IM) as [_].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: minimal_equivocation_choice
  (destination item) Hs' is = (
i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
H14: output item ≠ Some m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_sent IM
        s' msg
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_sent
            IM s msg
¬ composite_has_been_sent IM (destination item) m
    rewrite oracle_step_update by done; cbn.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: minimal_equivocation_choice
  (destination item) Hs' is = (
i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
H14: output item ≠ Some m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_sent IM
        s' msg
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_sent
            IM s msg
¬ (output item = Some m
   ∨ composite_has_been_sent IM s m)
    by intros [].
  }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: minimal_equivocation_choice
  (destination item) Hs' is = (
i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
  unfold minimal_equivocation_choice in Hchoice.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Hchoice: match
  initial_indices (destination item) Hs' is
with
| [] =>
    match
      find_not_send_decomposition
        (destination item) is
    with
    | Some (i, n) => (i, n)
    | None =>
        match
          find_sent_not_observed_decomposition
            (destination item) is
        with
        | Some (i, n) => (i, n)
        | None => (hd inhabitant is, 0)
        end
    end
| i :: _ => (i, 0)
end = (i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
  destruct initial_indices eqn: Heq_ii;
    [destruct find_not_send_decomposition as [[_i _n] |] eqn: Heq_ns |];
    [| destruct find_sent_not_observed_decomposition as [[_i _n] |] eqn: Heq_sno |];
    cbn in *; inversion Hchoice; subst; clear Hchoice.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = 
Some (i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
Heq_sno: find_sent_not_observed_decomposition
  (destination item) is = 
Some (i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item)
  (hd inhabitant is) !! 0 = 
Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: hd inhabitant is ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
Heq_sno: find_sent_not_observed_decomposition
  (destination item) is = None
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! 0 = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
l: list index
Heq_ii: initial_indices (destination item) Hs' is =
i :: l
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = 
Some (i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m apply find_first_indexed_largest_nat_with_propery_bounded_Some
      in Heq_ns as (_ & Hn & _); [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Hn: find_largest_nat_with_property_bounded
  (CompositeNthNotSend
     (composite_state_destructor IM
        state_destructor 
        (destination item) i))
  (length
     (composite_state_destructor IM
        state_destructor 
        (destination item) i)) = 
Some n
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
    apply find_largest_nat_with_property_bounded_Some
      in Hn as [[_ [_item _s H_destruct Houtput]] _].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
_item: transition_item
_s: composite_state IM
H_destruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (_item, _s)
Houtput: output _item = None
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
    cbv in Hdestruct, H_destruct; rewrite H_destruct in Hdestruct; clear H_destruct.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
_item: transition_item
_s: composite_state IM
Hdestruct: Some (_item, _s) = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Houtput: output _item = None
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
    inversion Hdestruct; subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: Some (item, s) = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Houtput: output item = None
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
    by rewrite Houtput.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
Heq_sno: find_sent_not_observed_decomposition
  (destination item) is = 
Some (i, n)
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m apply find_first_indexed_largest_nat_with_propery_bounded_Some
      in Heq_sno as (_ & Hn & _); [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
Hn: find_largest_nat_with_property_bounded
  (CompositeNthSentNotObserved
     (composite_state_destructor IM
        state_destructor 
        (destination item) i))
  (length
     (composite_state_destructor IM
        state_destructor 
        (destination item) i)) = 
Some n
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
    apply find_largest_nat_with_property_bounded_Some
      in Hn as [[_ [_item _s H_destruct _m Houtput Hno]] _].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
_item: transition_item
_s: composite_state IM
H_destruct: composite_state_destructor IM
  state_destructor (destination item) i
!! n = Some (_item, _s)
_m: message
Houtput: output _item = Some _m
Hno: ¬ CompositeHasBeenObserved IM
    message_dependencies _s _m
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
    cbv in Hdestruct, H_destruct; rewrite H_destruct in Hdestruct; clear H_destruct.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
_item: transition_item
_s: composite_state IM
Hdestruct: Some (_item, _s) = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
_m: message
Houtput: output _item = Some _m
Hno: ¬ CompositeHasBeenObserved IM
    message_dependencies _s _m
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
    inversion Hdestruct; subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: Some (item, s) = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
_m: message
Houtput: output item = Some _m
Hno: ¬ CompositeHasBeenObserved IM
    message_dependencies s _m
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m
    rewrite Houtput.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
n: nat
s: composite_state IM
Hdestruct: Some (item, s) = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
_m: message
Houtput: output item = Some _m
Hno: ¬ CompositeHasBeenObserved IM
    message_dependencies s _m
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
Some _m ≠ Some m
    by destruct (decide (_m = m)); [subst | congruence].
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item)
  (hd inhabitant is) !! 0 = 
Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: hd inhabitant is ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
Heq_sno: find_sent_not_observed_decomposition
  (destination item) is = None
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m destruct (decide (is = [])); [by subst; inversion Hi |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item)
  (hd inhabitant is) !! 0 = 
Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: hd inhabitant is ∈ is
Heq_ii: initial_indices (destination item) Hs' is =
[]
Heq_ns: find_not_send_decomposition
  (destination item) is = None
Heq_sno: find_sent_not_observed_decomposition
  (destination item) is = None
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
n: is ≠ []
output item ≠ Some m
    by exfalso; eapply at_least_one_send_not_previously_observed.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! 0 = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
l: list index
Heq_ii: initial_indices (destination item) Hs' is =
i :: l
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
output item ≠ Some m assert (Hii : i ∈ initial_indices (destination item) Hs' is) by (rewrite Heq_ii; left).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! 0 = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
l: list index
Heq_ii: initial_indices (destination item) Hs' is =
i :: l
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
Hii: i ∈ initial_indices (destination item) Hs' is
output item ≠ Some m
    apply elem_of_list_filter in Hii as [Hii _].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! 0 = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
l: list index
Heq_ii: initial_indices (destination item) Hs' is =
i :: l
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
Hii: initial_state_prop (destination item i)
output item ≠ Some m
    eapply composite_tv_state_destructor_initial in Hii; [| typeclasses eauto | done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H13: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
is: list index
Hnodup: NoDup is
item: composite_transition_item IM
i: index
s: composite_state IM
Hdestruct: composite_state_destructor IM
  state_destructor (destination item) i
!! 0 = Some (item, s)
Hnis: not_in_indices_initial_prop IM
  (destination item) is
Hs': constrained_state_prop Free (destination item)
Hi: i ∈ is
l: list index
Heq_ii: initial_indices (destination item) Hs' is =
i :: l
v: validator
m: message
mdgee_sender: sender m = Some v
mdgee_rec_observed: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent IM s m
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
Hobs': CompositeHasBeenObserved IM
  message_dependencies 
  (destination item) m
Hii: composite_state_destructor IM state_destructor
  (destination item) i = []
output item ≠ Some m
    by rewrite Hii in Hdestruct.
Qed.

End sec_minimal_equivocation_choice.

Section sec_minimal_equivocation_trace.

Extracting a minimally-equivocating trace

Context
  `{EqDecision message}
  `{finite.Finite index}
  `{Inhabited index}
  (IM : index -> VLSM message)
  `{forall i, ComputableSentMessages (IM i)}
  `{forall i, ComputableReceivedMessages (IM i)}
  `{FullMessageDependencies message Cm message_dependencies full_message_dependencies}
  `{forall i, MessageDependencies (IM i) message_dependencies}
  `{forall i s, Decision (initial_state_prop (IM i) s)}
  (state_destructor : forall i, state (IM i) -> set (transition_item (IM i) * state (IM i)))
  (state_size : forall i, state (IM i) -> nat)
  `{forall i, TraceableVLSM (IM i) (state_destructor i) (state_size i)}
  `(sender : message -> option validator)
  `{!Irreflexive (tc_composite_observed_before_send IM message_dependencies)}
  (A : validator -> index)
  (Hchannel : channel_authentication_prop IM A sender)
  (Free := free_composite_vlsm IM)
  .

The minimally-equivocating trace is obtained by instantiating composite_state_to_trace with the minimal_equivocation_choice function.

By reachable_composite_state_to_trace, we know that the obtained trace is a constrained trace.

Definition state_to_minimal_equivocation_trace
  (s : composite_state IM) (Hs : constrained_state_prop Free s)
  : composite_state IM * list (composite_transition_item IM) :=
  composite_state_to_trace IM state_destructor state_size
    (minimal_equivocation_choice IM state_destructor state_size) s Hs.

The trace obtained through state_to_minimal_equivocation_trace is not hiding equivocation at any step, therefore being indeed a minimally-equivocating trace reaching its final state.

Lemma state_to_minimal_equivocation_trace_equivocation_monotonic :
  forall (s : composite_state IM) (Hs : constrained_state_prop Free s),
  forall is tr, state_to_minimal_equivocation_trace s Hs = (is, tr) ->
  forall (pre suf : list (composite_transition_item IM))
    (item : composite_transition_item IM),
    tr = pre ++ [item] ++ suf ->
    forall v : validator,
      msg_dep_is_globally_equivocating IM message_dependencies sender
        (finite_trace_last is pre) v ->
      msg_dep_is_globally_equivocating IM message_dependencies sender
        (destination item) v.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
H13: ∀ (i : index) (s : state (IM i)),
  Decision (initial_state_prop s)
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H14: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (Hs : constrained_state_prop
                                   Free s) (is : composite_state
                                                 IM) 
  (tr : list (composite_transition_item IM)),
  state_to_minimal_equivocation_trace s Hs = (is, tr)
  → ∀ (pre suf : list (composite_transition_item IM)) 
      (item : composite_transition_item IM),
      tr = pre ++ [item] ++ suf
      → ∀ v : validator,
          msg_dep_is_globally_equivocating IM
            message_dependencies sender
            (finite_trace_last is pre) v
          → msg_dep_is_globally_equivocating IM
              message_dependencies sender
              (destination item) v
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
H13: ∀ (i : index) (s : state (IM i)),
  Decision (initial_state_prop s)
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H14: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (Hs : constrained_state_prop
                                   Free s) (is : composite_state
                                                 IM) 
  (tr : list (composite_transition_item IM)),
  state_to_minimal_equivocation_trace s Hs = (is, tr)
  → ∀ (pre suf : list (composite_transition_item IM)) 
      (item : composite_transition_item IM),
      tr = pre ++ [item] ++ suf
      → ∀ v : validator,
          msg_dep_is_globally_equivocating IM
            message_dependencies sender
            (finite_trace_last is pre) v
          → msg_dep_is_globally_equivocating IM
              message_dependencies sender
              (destination item) v
  intros.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
H13: ∀ (i : index) (s : state (IM i)),
  Decision (initial_state_prop s)
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H14: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is: composite_state IM
tr: list (composite_transition_item IM)
H15: state_to_minimal_equivocation_trace s Hs =
(is, tr)
pre, suf: list (composite_transition_item IM)
item: composite_transition_item IM
H16: tr = pre ++ [item] ++ suf
v: validator
H17: msg_dep_is_globally_equivocating IM
  message_dependencies sender
  (finite_trace_last is pre) v
msg_dep_is_globally_equivocating IM
  message_dependencies sender (destination item) v
  eapply composite_state_to_trace_P_monotonic with
    (P := fun s => msg_dep_is_globally_equivocating IM message_dependencies sender s v);
    [by eapply minimal_equivocation_choice_is_choosing_well | | done..].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
H0: Inhabited index
IM: index → VLSM message
H1: ∀ i : index, ComputableSentMessages (IM i)
H2: ∀ i : index, ComputableReceivedMessages (IM i)
Cm: Type
H3: ElemOf message Cm
H4: Empty Cm
H5: Singleton message Cm
H6: Union Cm
H7: Intersection Cm
H8: Difference Cm
H9: Elements message Cm
EqDecision2: EqDecision message
H10: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
H11: FullMessageDependencies message_dependencies
  full_message_dependencies
H12: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
H13: ∀ (i : index) (s : state (IM i)),
  Decision (initial_state_prop s)
state_destructor: ∀ i : index,
  state (IM i)
  → set
      (transition_item *
       state (IM i))
state_size: ∀ i : index, state (IM i) → nat
H14: ∀ i : index,
  TraceableVLSM (IM i) 
    (state_destructor i) 
    (state_size i)
validator: Type
sender: message → option validator
Irreflexive0: Irreflexive
  (tc_composite_observed_before_send IM
     message_dependencies)
A: validator → index
Hchannel: channel_authentication_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
Hs: constrained_state_prop Free s
is: composite_state IM
tr: list (composite_transition_item IM)
H15: state_to_minimal_equivocation_trace s Hs =
(is, tr)
pre, suf: list (composite_transition_item IM)
item: composite_transition_item IM
H16: tr = pre ++ [item] ++ suf
v: validator
H17: msg_dep_is_globally_equivocating IM
  message_dependencies sender
  (finite_trace_last is pre) v
chosen_transition_preserves_P IM state_destructor
  (λ s : composite_state IM,
     msg_dep_is_globally_equivocating IM
       message_dependencies sender s v)
  (minimal_equivocation_choice IM state_destructor
     state_size)
  by intros ? **; eapply minimal_equivocation_choice_monotone.
Qed.

End sec_minimal_equivocation_trace.