From stdpp Require Import prelude.[Loading ML file ring_plugin.cmxs (using legacy method) ... done]
[Loading ML file zify_plugin.cmxs (using legacy method) ... done]
[Loading ML file micromega_plugin.cmxs (using legacy method) ... done]
[Loading ML file btauto_plugin.cmxs (using legacy method) ... done]
From Coq Require Import Reals.
From VLSM.Lib Require Import Preamble ListExtras ListSetExtras FinSetExtras.[Loading ML file coq-itauto.plugin ... done]
From VLSM.Core Require Import VLSM VLSMProjections Composition.
From VLSM.Core Require Import SubProjectionTraces MessageDependencies Equivocation.
From VLSM.Core Require Import NoEquivocation FixedSetEquivocation TraceWiseEquivocation.

Core: Witnessed Equivocation

Although is_equivocating_tracewise provides a very precise notion of equivocation, it does not guarantee the monotonicity of the set of equivocators along a trace.

The witnessed equivocation assumption is a possible way to address this issue.

Starting from the (reasonable) assumption that for any state s, there is a trace ending in s whose equivocating_senders_in_trace are precisely the equivocators of s (the WitnessedEquivocationCapability), we can show that for each Free valid state there exists a valid trace with the strong_trace_witnessing_equivocation_property, i.e., a trace whose every prefix is a witness for its corresponding end state (Lemma free_has_strong_trace_witnessing_equivocation_prop). In particular, the set of equivocators is monotonically increasing for such a trace (Lemma strong_witness_equivocating_validators_prefix_monotonicity).

We then use this result to show that any free valid state is also a valid state for a composition under the fixed_equivocation_constraint induced by its set of equivocators.

Section sec_witnessed_equivocation.

Context
  `{EqDecision message}
  `{finite.Finite index}
  (IM : index -> VLSM message)
  `{forall i : index, HasBeenSentCapability (IM i)}
  `{forall i : index, HasBeenReceivedCapability (IM i)}
  `{finite.Finite validator}
  (Free := free_composite_vlsm IM)
  (PreFree := preloaded_with_all_messages_vlsm Free)
  (threshold : R)
  `{ReachableThreshold validator Cv threshold}
  (A : validator -> index)
  (sender : message -> option validator)
  `{RelDecision _ _ (is_equivocating_tracewise_no_has_been_sent IM A sender)}
  (Htracewise_BasicEquivocation : BasicEquivocation (composite_state IM) validator Cv threshold
    := equivocation_dec_tracewise IM threshold A sender)
  (equivocating_validators :=
    equivocating_validators (BasicEquivocation := Htracewise_BasicEquivocation))
  .

A trace witnesses the equivocation of its final state s if its set of equivocators is precisely that of the equivocating_validators of s.

Definition trace_witnessing_equivocation_prop
  is tr
  (s := finite_trace_last is tr)
  : Prop :=
  forall v, v ∈ equivocating_validators s <->
    exists (m : message), (sender m = Some v) /\ equivocation_in_trace PreFree m tr.

Lemma equivocating_senders_in_trace_witnessing_equivocation_prop
  is tr
  (Htr : trace_witnessing_equivocation_prop is tr)
  (s := finite_trace_last is tr)
  : set_eq (elements (equivocating_validators s)) (equivocating_senders_in_trace IM sender tr).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
is: state (composite_type IM)
tr: list transition_item
Htr: trace_witnessing_equivocation_prop is tr
s:= finite_trace_last is tr: state (composite_type IM)
set_eq (elements (equivocating_validators s))
  (equivocating_senders_in_trace IM sender tr)
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
is: state (composite_type IM)
tr: list transition_item
Htr: trace_witnessing_equivocation_prop is tr
s:= finite_trace_last is tr: state (composite_type IM)
set_eq (elements (equivocating_validators s))
  (equivocating_senders_in_trace IM sender tr)
  split; intros v Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
is: state (composite_type IM)
tr: list transition_item
Htr: trace_witnessing_equivocation_prop is tr
s:= finite_trace_last is tr: state (composite_type IM)
v: validator
Hv: v ∈ elements (equivocating_validators s)
v ∈ equivocating_senders_in_trace IM sender tr
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
is: state (composite_type IM)
tr: list transition_item
Htr: trace_witnessing_equivocation_prop is tr
s:= finite_trace_last is tr: state (composite_type IM)
v: validator
Hv: v ∈ equivocating_senders_in_trace IM sender tr
v ∈ elements (equivocating_validators s)
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
is: state (composite_type IM)
tr: list transition_item
Htr: trace_witnessing_equivocation_prop is tr
s:= finite_trace_last is tr: state (composite_type IM)
v: validator
Hv: v ∈ elements (equivocating_validators s)
v ∈ equivocating_senders_in_trace IM sender tr by apply elem_of_elements, Htr in Hv; apply elem_of_equivocating_senders_in_trace.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
is: state (composite_type IM)
tr: list transition_item
Htr: trace_witnessing_equivocation_prop is tr
s:= finite_trace_last is tr: state (composite_type IM)
v: validator
Hv: v ∈ equivocating_senders_in_trace IM sender tr
v ∈ elements (equivocating_validators s) by eapply elem_of_elements, Htr, elem_of_equivocating_senders_in_trace.
Qed.

A composition of VLSMs has the witnessed equivocation capability if towards any valid states there exist a trace witnessing its equivocation.

Class WitnessedEquivocationCapability : Prop :=
{
  is_equivocating_tracewise_witness :
    forall s, constrained_state_prop Free s ->
    exists is tr, finite_constrained_trace_init_to Free is s tr /\
      trace_witnessing_equivocation_prop is tr
}.

Section sec_witnessed_equivocation_properties.

Context
  (Hke : WitnessedEquivocationCapability)
  (Hsender_safety : sender_safety_alt_prop IM A sender)
  .

Lemma initial_state_witnessing_equivocation_prop
  s
  (Hs : composite_initial_state_prop IM s)
  : trace_witnessing_equivocation_prop s [].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
trace_witnessing_equivocation_prop s []
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
trace_witnessing_equivocation_prop s []
  intros v.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
v ∈ equivocating_validators (finite_trace_last s [])
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m [])
  unfold finite_trace_last.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
v
∈ equivocating_validators
    (List.last (map destination []) s)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m []) simpl.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
v ∈ equivocating_validators s
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m [])
  rewrite <- elem_of_elements.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
v ∈ elements (equivocating_validators s)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m [])
  replace (elements (equivocating_validators s)) with (@nil validator).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
v ∈ []
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m [])
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
[] = elements (equivocating_validators s)
  simpl.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
v ∈ []
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m [])
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
[] = elements (equivocating_validators s)
  split; [by inversion 1 |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
(∃ m : message,
   sender m = Some v
   ∧ equivocation_in_trace PreFree m []) → v ∈ []
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
[] = elements (equivocating_validators s)
  intros [m [_ Hmsg]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
m: message
Hmsg: equivocation_in_trace PreFree m []
v ∈ []
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
[] = elements (equivocating_validators s)
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
m: message
Hmsg: equivocation_in_trace PreFree m []
v ∈ [] by elim (no_equivocation_in_empty_trace PreFree m).
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
[] = elements (equivocating_validators s) by symmetry; apply elements_empty_iff, equivocating_validators_empty_in_initial_state.
Qed.

For any trace having the trace_witnessing_equivocation_property, its final transition is monotonic w.r.t. the equivocating_validators.

Lemma equivocating_validators_witness_monotonicity
  (is s : composite_state IM)
  (tr : list (composite_transition_item IM))
  (Htr : finite_constrained_trace_init_to Free is s tr)
  (item : composite_transition_item IM)
  (Hwitness : trace_witnessing_equivocation_prop is (tr ++ [item]))
  (s' := destination item)
  : equivocating_validators s ⊆ equivocating_validators s'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: state (composite_type IM)
equivocating_validators s ⊆ equivocating_validators s'
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: state (composite_type IM)
equivocating_validators s ⊆ equivocating_validators s'
  intros v Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: state (composite_type IM)
v: validator
Hv: v ∈ equivocating_validators s
v ∈ equivocating_validators s'
  specialize (Hwitness v).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (finite_trace_last is (tr ++ [item]))
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: state (composite_type IM)
Hv: v ∈ equivocating_validators s
v ∈ equivocating_validators s'
  rewrite finite_trace_last_is_last in Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: state (composite_type IM)
Hv: v ∈ equivocating_validators s
v ∈ equivocating_validators s'
  apply Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: state (composite_type IM)
Hv: v ∈ equivocating_validators s
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
  apply equivocating_validators_is_equivocating_tracewise_iff in Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: state (composite_type IM)
Hv: is_equivocating_tracewise_no_has_been_sent IM A
  sender s v
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
  specialize (Hv _ _ Htr) as [m [Hmsg Heqv]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: state (composite_type IM)
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM)) m tr
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
  exists m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: state (composite_type IM)
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM)) m tr
sender m = Some v
∧ equivocation_in_trace PreFree m (tr ++ [item]) split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: state (composite_type IM)
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM)) m tr
equivocation_in_trace PreFree m (tr ++ [item])
  by apply equivocation_in_trace_prefix.
Qed.

Given a trace with the trace_witnessing_equivocation_property, if the equivocating_validators for the destination of its last transition are included in the equivocating_validators for the source of its last transition, the the trace without its last transition also has the trace_witnessing_equivocation_property.

Lemma input_valid_transition_reflects_trace_witnessing_equivocation_prop
  (is s : composite_state IM)
  (tr : list (composite_transition_item IM))
  (Htr : finite_constrained_trace_init_to Free is s tr)
  (item : composite_transition_item IM)
  (Hwitness : trace_witnessing_equivocation_prop is (tr ++ [item]))
  (s' := destination item)
  (Hincl : equivocating_validators s' ⊆ equivocating_validators s)
  : trace_witnessing_equivocation_prop is tr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: state (composite_type IM)
Hincl: equivocating_validators s'
⊆ equivocating_validators s
trace_witnessing_equivocation_prop is tr
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: state (composite_type IM)
Hincl: equivocating_validators s'
⊆ equivocating_validators s
trace_witnessing_equivocation_prop is tr
  apply finite_valid_trace_init_to_last in Htr as Hlst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: state (composite_type IM)
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
trace_witnessing_equivocation_prop is tr
  intros v; split; simpl in *; rewrite Hlst in *.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
v: validator
v ∈ equivocating_validators s
→ ∃ m : message,
    sender m = Some v
    ∧ equivocation_in_trace PreFree m tr
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
v: validator
(∃ m : message,
   sender m = Some v
   ∧ equivocation_in_trace PreFree m tr)
→ v ∈ equivocating_validators s
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
v: validator
v ∈ equivocating_validators s
→ ∃ m : message,
    sender m = Some v
    ∧ equivocation_in_trace PreFree m tr intros Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
v: validator
Hv: v ∈ equivocating_validators s
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m tr
    by eapply equivocating_validators_is_equivocating_tracewise_iff
      with (ReachableThreshold0 := H11).
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
v: validator
(∃ m : message,
   sender m = Some v
   ∧ equivocation_in_trace PreFree m tr)
→ v ∈ equivocating_validators s intros (msg & Hsender & Heqv).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
v: validator
msg: message
Hsender: sender msg = Some v
Heqv: equivocation_in_trace PreFree msg tr
v ∈ equivocating_validators s
    apply Hincl.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
v: validator
msg: message
Hsender: sender msg = Some v
Heqv: equivocation_in_trace PreFree msg tr
v ∈ equivocating_validators s'
    specialize (Hwitness v);
    rewrite finite_trace_last_is_last in Hwitness;
    apply Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
msg: message
Hsender: sender msg = Some v
Heqv: equivocation_in_trace PreFree msg tr
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
    exists msg.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
msg: message
Hsender: sender msg = Some v
Heqv: equivocation_in_trace PreFree msg tr
sender msg = Some v
∧ equivocation_in_trace PreFree msg (tr ++ [item]) split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
item: composite_transition_item IM
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr ++ [item]))
s':= destination item: composite_state IM
Hincl: equivocating_validators s'
⊆ equivocating_validators s
Hlst: finite_trace_last is tr = s
msg: message
Hsender: sender msg = Some v
Heqv: equivocation_in_trace PreFree msg tr
equivocation_in_trace PreFree msg (tr ++ [item])
    by apply equivocation_in_trace_prefix.
Qed.

An equivocator for the destination of a transition is either an equivocation for the source as well, or it is the sender of the received message and that message is not sent by any trace witnessing the source of the transition.

Lemma equivocating_validators_step_update
    l s om s' om'
    (Ht : input_constrained_transition Free l (s, om) (s', om'))
    v
    : v ∈ equivocating_validators s' ->
      v ∈ equivocating_validators s \/
      (exists m, om = Some m /\
      sender m = Some v /\
      forall is tr
      (Htr : finite_constrained_trace_init_to Free is s tr)
      (Hwitness : trace_witnessing_equivocation_prop is tr),
      ~ trace_has_message (field_selector output) m tr).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
om: option message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, om) (s', om')
v: validator
v ∈ equivocating_validators s'
→ v ∈ equivocating_validators s
  ∨ (∃ m : message,
       om = Some m
       ∧ sender m = Some v
         ∧ (∀ (is : state
                      (preloaded_with_all_messages_vlsm
                         Free)) (tr : list
                                        transition_item),
              finite_constrained_trace_init_to Free is
                s tr
              → trace_witnessing_equivocation_prop is
                  tr
                → ¬ trace_has_message
                      (field_selector output) m tr))
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
om: option message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, om) (s', om')
v: validator
v ∈ equivocating_validators s'
→ v ∈ equivocating_validators s
  ∨ (∃ m : message,
       om = Some m
       ∧ sender m = Some v
         ∧ (∀ (is : state
                      (preloaded_with_all_messages_vlsm
                         Free)) (tr : list
                                        transition_item),
              finite_constrained_trace_init_to Free is
                s tr
              → trace_witnessing_equivocation_prop is
                  tr
                → ¬ trace_has_message
                      (field_selector output) m tr))
  intro Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
om: option message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, om) (s', om')
v: validator
Hv: v ∈ equivocating_validators s'
v ∈ equivocating_validators s
∨ (∃ m : message,
     om = Some m
     ∧ sender m = Some v
       ∧ (∀ (is : state
                    (preloaded_with_all_messages_vlsm
                       Free)) (tr : list
                                      transition_item),
            finite_constrained_trace_init_to Free is s
              tr
            → trace_witnessing_equivocation_prop is tr
              → ¬ trace_has_message
                    (field_selector output) m tr))
  destruct (decide (v ∈ elements (equivocating_validators s))) as [Hnv | Hnv]
  ; rewrite elem_of_elements in Hnv; [by left | right].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
om: option message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, om) (s', om')
v: validator
Hv: v ∈ equivocating_validators s'
Hnv: v ∉ equivocating_validators s
∃ m : message,
  om = Some m
  ∧ sender m = Some v
    ∧ (∀ (is : state
                 (preloaded_with_all_messages_vlsm
                    Free)) (tr : list transition_item),
         finite_constrained_trace_init_to Free is s tr
         → trace_witnessing_equivocation_prop is tr
           → ¬ trace_has_message
                 (field_selector output) m tr)
  apply equivocating_validators_is_equivocating_tracewise_iff in Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
om: option message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, om) (s', om')
v: validator
Hv: is_equivocating_tracewise_no_has_been_sent IM A
  sender s' v
Hnv: v ∉ equivocating_validators s
∃ m : message,
  om = Some m
  ∧ sender m = Some v
    ∧ (∀ (is : state
                 (preloaded_with_all_messages_vlsm
                    Free)) (tr : list transition_item),
         finite_constrained_trace_init_to Free is s tr
         → trace_witnessing_equivocation_prop is tr
           → ¬ trace_has_message
                 (field_selector output) m tr)
  destruct (transition_is_equivocating_tracewise_char IM A sender  _ _ _ _ _ Ht _ Hv)
    as [| Hom];
    [by contradict Hnv; apply equivocating_validators_is_equivocating_tracewise_iff |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
om: option message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, om) (s', om')
v: validator
Hv: is_equivocating_tracewise_no_has_been_sent IM A
  sender s' v
Hnv: v ∉ equivocating_validators s
Hom: om ≫= sender = Some v
∃ m : message,
  om = Some m
  ∧ sender m = Some v
    ∧ (∀ (is : state
                 (preloaded_with_all_messages_vlsm
                    Free)) (tr : list transition_item),
         finite_constrained_trace_init_to Free is s tr
         → trace_witnessing_equivocation_prop is tr
           → ¬ trace_has_message
                 (field_selector output) m tr)
  destruct om as [m |]; simpl in Hom; [| by congruence].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
Hv: is_equivocating_tracewise_no_has_been_sent IM A
  sender s' v
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
∃ m0 : message,
  Some m = Some m0
  ∧ sender m0 = Some v
    ∧ (∀ (is : state
                 (preloaded_with_all_messages_vlsm
                    Free)) (tr : list transition_item),
         finite_constrained_trace_init_to Free is s tr
         → trace_witnessing_equivocation_prop is tr
           → ¬ trace_has_message
                 (field_selector output) m0 tr)
  exists m; split_and!; [done.. |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
Hv: is_equivocating_tracewise_no_has_been_sent IM A
  sender s' v
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
∀ (is : state (preloaded_with_all_messages_vlsm Free)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message (field_selector output) m tr
  intros is tr [Htr Hinit] Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
Hv: is_equivocating_tracewise_no_has_been_sent IM A
  sender s' v
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
¬ trace_has_message (field_selector output) m tr
  specialize (extend_right_finite_trace_from_to _ Htr Ht) as Htr'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
Hv: is_equivocating_tracewise_no_has_been_sent IM A
  sender s' v
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
¬ trace_has_message (field_selector output) m tr
  specialize (Hv _ _ (conj Htr' Hinit)).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
Hv: ∃ m0 : message,
  sender m0 = Some v
  ∧ equivocation_in_trace
      (preloaded_with_all_messages_vlsm
         (free_composite_vlsm IM)) m0
      (tr ++
       [{|
          l := l;
          input := Some m;
          destination := s';
          output := om'
        |}])
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
¬ trace_has_message (field_selector output) m tr
  destruct Hv as [m' [Hm' [prefix [item [suffix [Heq Heqv]]]]]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix: list transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
¬ trace_has_message (field_selector output) m tr
  destruct_list_last suffix suffix' item' Heqsuffix.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix: list transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ [item]
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = []
¬ trace_has_message (field_selector output) m tr
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
¬ trace_has_message (field_selector output) m tr
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix: list transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ [item]
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = []
¬ trace_has_message (field_selector output) m tr apply app_inj_tail in Heq.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix: list transition_item
Heq: tr = prefix
∧ {|
    l := l;
    input := Some m;
    destination := s';
    output := om'
  |} = item
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = []
¬ trace_has_message (field_selector output) m tr destruct Heq; subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
m': message
Hm': sender m' = Some v
prefix: list transition_item
Heqv: input
  {|
    l := l;
    input := Some m;
    destination := s';
    output := om'
  |} = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  prefix
Hinit: initial_state_prop is
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (prefix ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  prefix
¬ trace_has_message (field_selector output) m prefix
    simpl in Heqv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
m': message
Hm': sender m' = Some v
prefix: list transition_item
Heqv: Some m = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  prefix
Hinit: initial_state_prop is
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (prefix ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  prefix
¬ trace_has_message (field_selector output) m prefix destruct Heqv as [Heq_m Heqv].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
m': message
Hm': sender m' = Some v
prefix: list transition_item
Heq_m: Some m = Some m'
Heqv: ¬ trace_has_message (field_selector output) m'
    prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  prefix
Hinit: initial_state_prop is
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (prefix ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  prefix
¬ trace_has_message (field_selector output) m prefix
    by inversion Heq_m.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
¬ trace_has_message (field_selector output) m tr elim Hnv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is tr
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
v ∈ equivocating_validators s
    specialize (Hwitness v).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v
∈ equivocating_validators
    (finite_trace_last is tr)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
v ∈ equivocating_validators s
    apply finite_valid_trace_from_to_last in Htr as Hs.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v
∈ equivocating_validators
    (finite_trace_last is tr)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
v ∈ equivocating_validators s
    simpl in Hs, Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v
∈ equivocating_validators
    (finite_trace_last is tr)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
v ∈ equivocating_validators s rewrite Hs in Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v ∈ equivocating_validators s
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
v ∈ equivocating_validators s
    apply Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v ∈ equivocating_validators s
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m tr exists m'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v ∈ equivocating_validators s
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
sender m' = Some v
∧ equivocation_in_trace PreFree m' tr split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v ∈ equivocating_validators s
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
equivocation_in_trace PreFree m' tr
    exists prefix, item, suffix'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v ∈ equivocating_validators s
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
tr = prefix ++ item :: suffix'
∧ input item = Some m'
  ∧ ¬ trace_has_message (field_selector output) m'
        prefix
    split; [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ item :: suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v ∈ equivocating_validators s
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
tr = prefix ++ item :: suffix'
    change (item :: suffix' ++ [item']) with ([item] ++ suffix' ++ [item']) in Heq.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr ++
[{|
   l := l;
   input := Some m;
   destination := s';
   output := om'
 |}] = prefix ++ [item] ++ suffix' ++ [item']
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v ∈ equivocating_validators s
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
tr = prefix ++ item :: suffix'
    rewrite !app_assoc in Heq; apply app_inj_tail in Heq; rewrite <- !app_assoc in Heq.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
m: message
s': state (preloaded_with_all_messages_vlsm Free)
om': option message
Ht: input_constrained_transition Free l (
  s, Some m) (s', om')
v: validator
tr: list transition_item
m': message
Hm': sender m' = Some v
prefix: list transition_item
item: transition_item
suffix, suffix': list transition_item
item': transition_item
Heq: tr = prefix ++ [item] ++ suffix'
∧ {|
    l := l;
    input := Some m;
    destination := s';
    output := om'
  |} = item'
Heqv: input item = Some m'
∧ ¬ trace_has_message (field_selector output)
      m' prefix
Hnv: v ∉ equivocating_validators s
Hom: sender m = Some v
is: state (preloaded_with_all_messages_vlsm Free)
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
Hinit: initial_state_prop is
Hwitness: v ∈ equivocating_validators s
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m tr)
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := om'
    |}])
Heqsuffix: suffix = suffix' ++ [item']
Hs: finite_trace_last is tr = s
tr = prefix ++ item :: suffix'
    by destruct Heq as [-> _].
Qed.

Given a non-empty trace with the trace_witnessing_equivocation_property, there are two disjoint possibilities concerning its last transition.

(1) either it preserves the set of equivocating_validators and, in that case, the trace without the last transition has the trace_witnessing_equivocation_property as well; or

(2) The set of equivocating_validators of its destination is obtained by adding the sender of the message received in the transition to the set of equivocating_validators of its source, and, in that case, that message is not sent by any trace witnessing the source of the transition.

Lemma equivocating_validators_witness_last_char
  (is : composite_state IM)
  (tr : list (composite_transition_item IM))
  (l : composite_label IM)
  (om : option message)
  (s' : composite_state IM)
  (om' : option message)
  (item  := {| l := l; input := om; destination := s'; output := om' |})
  (Htr_item : finite_constrained_trace_init_to Free is s' (tr ++ [item]))
  (Hwitness : trace_witnessing_equivocation_prop is (tr ++ [item]))
  (s := finite_trace_last is tr)
  : equivocating_validators s ≡@{Cv} equivocating_validators s'
    /\ trace_witnessing_equivocation_prop is tr
    \/
    (exists m, om = Some m /\
     exists v, sender m = Some v /\
     v ∉ equivocating_validators s /\
     equivocating_validators s' ≡@{Cv} {[ v ]} ∪ (equivocating_validators s) /\
     forall (is : composite_state IM) (tr : list transition_item),
        finite_constrained_trace_init_to Free is s tr ->
        trace_witnessing_equivocation_prop is tr ->
        ~ trace_has_message (field_selector output) m tr).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr_item: finite_constrained_trace_init_to Free is s'
  (tr ++ [item])
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s:= finite_trace_last is tr: state (composite_type IM)
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr)))
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr_item: finite_constrained_trace_init_to Free is s'
  (tr ++ [item])
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s:= finite_trace_last is tr: state (composite_type IM)
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr)))
  destruct Htr_item as [Htr Hinit].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is s'
  (tr ++ [item])
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s:= finite_trace_last is tr: state (composite_type IM)
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr)))
  apply finite_valid_trace_from_to_app_split in Htr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr) s' [item]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s:= finite_trace_last is tr: state (composite_type IM)
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr)))
  destruct Htr as [Htr Hitem].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr) s' [item]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s:= finite_trace_last is tr: state (composite_type IM)
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr)))
  inversion_clear Hitem.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s:= finite_trace_last is tr: state (composite_type IM)
Htl: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s' s'
  []
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr))) clear Htl.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
s:= finite_trace_last is tr: state (composite_type IM)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr))) subst s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
equivocating_validators (finite_trace_last is tr)
≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v
             ∉ equivocating_validators
                 (finite_trace_last is tr))
            ∧ equivocating_validators s'
              ≡ {[v]}
                ∪ equivocating_validators
                    (finite_trace_last is tr)
              ∧ (∀ (is0 : composite_state IM) (tr0 : 
                                               list
                                                 transition_item),
                   finite_constrained_trace_init_to
                     Free is0
                     (finite_trace_last is tr) tr0
                   → trace_witnessing_equivocation_prop
                       is0 tr0
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr0)))
  apply equivocating_validators_witness_monotonicity with (s := (finite_trace_last is tr))
    in Hwitness as Hincl
  ; [| by split].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
Hincl: equivocating_validators
  (finite_trace_last is tr)
⊆ equivocating_validators (destination item)
equivocating_validators (finite_trace_last is tr)
≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v
             ∉ equivocating_validators
                 (finite_trace_last is tr))
            ∧ equivocating_validators s'
              ≡ {[v]}
                ∪ equivocating_validators
                    (finite_trace_last is tr)
              ∧ (∀ (is0 : composite_state IM) (tr0 : 
                                               list
                                                 transition_item),
                   finite_constrained_trace_init_to
                     Free is0
                     (finite_trace_last is tr) tr0
                   → trace_witnessing_equivocation_prop
                       is0 tr0
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr0)))
  remember (finite_trace_last is tr) as s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr)))
  destruct (om ≫= sender) as [v |] eqn: Heq_v.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: om ≫= sender = Some v
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr)))
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
Heq_v: om ≫= sender = None
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) 
                   (tr : 
                    list transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                      is tr
                     → ¬ 
                     trace_has_message
                      (field_selector output) m tr)))
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: om ≫= sender = Some v
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr))) destruct om as [m |]; [| by inversion Heq_v].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: Some m ≫= sender = Some v
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m0 : message,
     Some m = Some m0
     ∧ (∃ v : validator,
          sender m0 = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m0
                           tr))) simpl in Heq_v.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m0 : message,
     Some m = Some m0
     ∧ (∃ v : validator,
          sender m0 = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m0
                           tr)))
    destruct (decide (set_eq (elements (equivocating_validators s)) (elements (equivocating_validators s')))).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
s0: set_eq (elements (equivocating_validators s))
  (elements (equivocating_validators s'))
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m0 : message,
     Some m = Some m0
     ∧ (∃ v : validator,
          sender m0 = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m0
                           tr)))
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m0 : message,
     Some m = Some m0
     ∧ (∃ v : validator,
          sender m0 = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) 
                   (tr : 
                    list transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                      is tr
                     → ¬ 
                     trace_has_message
                      (field_selector output) m0 tr)))
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
s0: set_eq (elements (equivocating_validators s))
  (elements (equivocating_validators s'))
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m0 : message,
     Some m = Some m0
     ∧ (∃ v : validator,
          sender m0 = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m0
                           tr))) apply set_eq_fin_set in s0; left; split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
s0: equivocating_validators s
≡ equivocating_validators s'
trace_witnessing_equivocation_prop is tr
      by apply
        (input_valid_transition_reflects_trace_witnessing_equivocation_prop
          _ _ _ (conj Htr Hinit) _ Hwitness);
      subst; intros ? ?; apply s0.
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m0 : message,
     Some m = Some m0
     ∧ (∃ v : validator,
          sender m0 = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m0
                           tr))) right.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
∃ m0 : message,
  Some m = Some m0
  ∧ (∃ v : validator,
       sender m0 = Some v
       ∧ (v ∉ equivocating_validators s)
         ∧ equivocating_validators s'
           ≡ {[v]} ∪ equivocating_validators s
           ∧ (∀ (is : composite_state IM) (tr : list
                                                 transition_item),
                finite_constrained_trace_init_to Free
                  is s tr
                → trace_witnessing_equivocation_prop
                    is tr
                  → ¬ trace_has_message
                        (field_selector output) m0 tr)) exists m; split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
∃ v : validator,
  sender m = Some v
  ∧ (v ∉ equivocating_validators s)
    ∧ equivocating_validators s'
      ≡ {[v]} ∪ equivocating_validators s
      ∧ (∀ (is : composite_state IM) (tr : list
                                             transition_item),
           finite_constrained_trace_init_to Free is s
             tr
           → trace_witnessing_equivocation_prop is tr
             → ¬ trace_has_message
                   (field_selector output) m tr) exists v; split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr)
      specialize (equivocating_validators_step_update _ _ _ _ _ Ht) as Honly_v.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : 
                 state
                   (preloaded_with_all_messages_vlsm
                      Free)) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr)
      simpl in Honly_v.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr)
      assert (Hv : exists v, v ∈ equivocating_validators s' /\ v ∉ equivocating_validators s).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
∃ v : validator,
  v ∈ equivocating_validators s'
  ∧ v ∉ equivocating_validators s
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hv: ∃ v : validator,
  v ∈ equivocating_validators s'
  ∧ v ∉ equivocating_validators s
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) 
       (tr : list transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message 
               (field_selector output) m tr)
      {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
∃ v : validator,
  v ∈ equivocating_validators s'
  ∧ v ∉ equivocating_validators s
        setoid_rewrite <- elem_of_elements.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
∃ v : validator,
  v ∈ elements (equivocating_validators s')
  ∧ v ∉ elements (equivocating_validators s)
        apply Exists_exists.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Exists
  (λ x : validator,
     x ∉ elements (equivocating_validators s))
  (elements (equivocating_validators s'))
        apply neg_Forall_Exists_neg; [intro; apply elem_of_list_dec |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
¬ Forall
    (λ x : validator,
       x ∈ elements (equivocating_validators s))
    (elements (equivocating_validators s'))
        intro all.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
all: Forall
  (λ x : validator,
     x ∈ elements (equivocating_validators s))
  (elements (equivocating_validators s'))
False elim n.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
all: Forall
  (λ x : validator,
     x ∈ elements (equivocating_validators s))
  (elements (equivocating_validators s'))
set_eq (elements (equivocating_validators s))
  (elements (equivocating_validators s'))
        split; [| by rewrite Forall_forall in all].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
all: Forall
  (λ x : validator,
     x ∈ elements (equivocating_validators s))
  (elements (equivocating_validators s'))
elements (equivocating_validators s)
⊆ elements (equivocating_validators s')
        by unfold set_eq, subseteq, list_subseteq; setoid_rewrite elem_of_elements.
      }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hv: ∃ v : validator,
  v ∈ equivocating_validators s'
  ∧ v ∉ equivocating_validators s
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr)
      destruct Hv as [v' [Heqv Hneqv]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
v': validator
Heqv: v' ∈ equivocating_validators s'
Hneqv: v' ∉ equivocating_validators s
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr)
      apply Honly_v in Heqv as Heq_v'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
v': validator
Heqv: v' ∈ equivocating_validators s'
Hneqv: v' ∉ equivocating_validators s
Heq_v': v'
∈ equivocating_validators
    (finite_trace_last is tr)
∨ (∃ m0 : message,
     Some m = Some m0
     ∧ sender m0 = Some v'
       ∧ (∀ (is0 : composite_state IM) 
            (tr0 : list transition_item),
            finite_constrained_trace_init_to
              Free is0
              (finite_trace_last is tr) tr0
            → trace_witnessing_equivocation_prop
                is0 tr0
              → ¬ trace_has_message
                    (field_selector output)
                    m0 tr0))
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr)
      destruct Heq_v' as [| [_m [Heq_m [Heq_v' Hweqv]]]]; [by subst |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
v': validator
Heqv: v' ∈ equivocating_validators s'
Hneqv: v' ∉ equivocating_validators s
_m: message
Heq_m: Some m = Some _m
Heq_v': sender _m = Some v'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) _m tr0
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr)
      inversion Heq_m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
v': validator
Heqv: v' ∈ equivocating_validators s'
Hneqv: v' ∉ equivocating_validators s
_m: message
Heq_m: Some m = Some _m
Heq_v': sender _m = Some v'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) _m tr0
H14: m = _m
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               _m tr) subst _m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
v': validator
Heqv: v' ∈ equivocating_validators s'
Hneqv: v' ∉ equivocating_validators s
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
Heq_v': sender m = Some v'
Heq_m: Some m = Some m
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr) clear Heq_m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
v': validator
Heqv: v' ∈ equivocating_validators s'
Hneqv: v' ∉ equivocating_validators s
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
Heq_v': sender m = Some v'
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr)
      assert (v' = v) by congruence.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
v': validator
Heqv: v' ∈ equivocating_validators s'
Hneqv: v' ∉ equivocating_validators s
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
Heq_v': sender m = Some v'
H13: v' = v
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr) subst v'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
Heq_v': sender m = Some v
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr) clear Heq_v'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
(v ∉ equivocating_validators s)
∧ equivocating_validators s'
  ≡ {[v]} ∪ equivocating_validators s
  ∧ (∀ (is : composite_state IM) (tr : list
                                         transition_item),
       finite_constrained_trace_init_to Free is s tr
       → trace_witnessing_equivocation_prop is tr
         → ¬ trace_has_message (field_selector output)
               m tr)
      split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
∧ (∀ (is : composite_state IM) (tr : list
                                       transition_item),
     finite_constrained_trace_init_to Free is s tr
     → trace_witnessing_equivocation_prop is tr
       → ¬ trace_has_message (field_selector output) m
             tr) split; [| by subst].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
      intro v'; split; intro Hv'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
v': validator
Hv': v' ∈ equivocating_validators s'
v' ∈ {[v]} ∪ equivocating_validators s
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
v': validator
Hv': v' ∈ {[v]} ∪ equivocating_validators s
v' ∈ equivocating_validators s'
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
v': validator
Hv': v' ∈ equivocating_validators s'
v' ∈ {[v]} ∪ equivocating_validators s apply elem_of_union.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
v': validator
Hv': v' ∈ equivocating_validators s'
v' ∈ {[v]} ∨ v' ∈ equivocating_validators s
        destruct (decide (v' ∈ elements (equivocating_validators s)))
          as [Hveqv | Hveqv]; rewrite elem_of_elements in Hveqv;
        [by right | left].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
v': validator
Hv': v' ∈ equivocating_validators s'
Hveqv: v' ∉ equivocating_validators s
v' ∈ {[v]}
        apply elem_of_singleton.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
v': validator
Hv': v' ∈ equivocating_validators s'
Hveqv: v' ∉ equivocating_validators s
v' = v
        by apply Honly_v in Hv';
          destruct Hv' as [| [_m [Heq_m [Heq_v' _]]]]; [by subst |]; congruence.
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
m: message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := Some m;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, Some m) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
v: validator
Heq_v: sender m = Some v
n: ¬ set_eq (elements (equivocating_validators s))
    (elements (equivocating_validators s'))
Honly_v: ∀ v : validator,
  v ∈ equivocating_validators s'
  → v
    ∈ equivocating_validators
        (finite_trace_last is tr)
    ∨ (∃ m0 : message,
         Some m = Some m0
         ∧ sender m0 = Some v
           ∧ (∀ (is0 : composite_state IM) 
                (tr0 : 
                 list transition_item),
                finite_constrained_trace_init_to
                  Free is0
                  (finite_trace_last is tr)
                  tr0
                → trace_witnessing_equivocation_prop
                    is0 tr0
                  → ¬ trace_has_message
                      (field_selector output)
                      m0 tr0))
Hneqv: v ∉ equivocating_validators s
Heqv: v ∈ equivocating_validators s'
Hweqv: ∀ (is0 : composite_state IM) 
  (tr0 : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr) tr0
  → trace_witnessing_equivocation_prop is0 tr0
    → ¬ trace_has_message
          (field_selector output) m tr0
v': validator
Hv': v' ∈ {[v]} ∪ equivocating_validators s
v' ∈ equivocating_validators s' by apply elem_of_union in Hv' as [Heq_v' | Hs'0]
        ; [by apply elem_of_singleton in Heq_v'; subst v' | by apply Hincl].
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
Heq_v: om ≫= sender = None
equivocating_validators s ≡ equivocating_validators s'
∧ trace_witnessing_equivocation_prop is tr
∨ (∃ m : message,
     om = Some m
     ∧ (∃ v : validator,
          sender m = Some v
          ∧ (v ∉ equivocating_validators s)
            ∧ equivocating_validators s'
              ≡ {[v]} ∪ equivocating_validators s
              ∧ (∀ (is : composite_state IM) (tr : 
                                              list
                                                transition_item),
                   finite_constrained_trace_init_to
                     Free is s tr
                   → trace_witnessing_equivocation_prop
                       is tr
                     → ¬ trace_has_message
                           (field_selector output) m
                           tr))) left; split.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
Heq_v: om ≫= sender = None
equivocating_validators s ≡ equivocating_validators s'
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
Heq_v: om ≫= sender = None
trace_witnessing_equivocation_prop is tr
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
Heq_v: om ≫= sender = None
equivocating_validators s ≡ equivocating_validators s' subst; intro v; split; [by apply Hincl |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
Hincl: equivocating_validators
  (finite_trace_last is tr)
⊆ equivocating_validators (destination item)
Heq_v: om ≫= sender = None
v: validator
v ∈ equivocating_validators s'
→ v
  ∈ equivocating_validators (finite_trace_last is tr)
      intros Hvs'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
Hincl: equivocating_validators
  (finite_trace_last is tr)
⊆ equivocating_validators (destination item)
Heq_v: om ≫= sender = None
v: validator
Hvs': v ∈ equivocating_validators s'
v ∈ equivocating_validators (finite_trace_last is tr)
      by eapply input_valid_transition_receiving_no_sender_reflects_equivocating_validators.
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
Heq_v: om ≫= sender = None
trace_witnessing_equivocation_prop is tr eapply input_valid_transition_reflects_trace_witnessing_equivocation_prop; [done | done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: composite_state IM
tr: list (composite_transition_item IM)
l: composite_label IM
om: option message
s': composite_state IM
om': option message
item:= {|
  l := l;
  input := om;
  destination := s';
  output := om'
|}: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr ++ [item])
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (finite_trace_last is tr, om) (
  s', om')
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr
Hincl: equivocating_validators s
⊆ equivocating_validators (destination item)
Heq_v: om ≫= sender = None
equivocating_validators (destination item)
⊆ equivocating_validators (finite_trace_last is tr)
      by eapply input_valid_transition_receiving_no_sender_reflects_equivocating_validators.
Qed.

Strongly witnessed equivocation

A stronger trace_witnessing_equivocation_property requires that any prefix of a trace is witnessing equivocation for its corresponding final state.

Definition strong_trace_witnessing_equivocation_prop is tr :=
    forall prefix suffix, prefix ++ suffix = tr ->
      trace_witnessing_equivocation_prop is prefix.

An advantage of the strong_trace_witnessing_equivocation_property is that it guarantees monotonicity of equivocating_validators along the trace.

Lemma strong_witness_equivocating_validators_prefix_monotonicity
  (is s : composite_state IM)
  (tr : list (composite_transition_item IM))
  (Htr : finite_constrained_trace_init_to Free is s tr)
  (Hwitness : strong_trace_witnessing_equivocation_prop is tr)
  prefix suffix
  (Heqtr : prefix ++ suffix = tr)
  (ps := finite_trace_last is prefix)
  : equivocating_validators ps ⊆ equivocating_validators s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
Hwitness: strong_trace_witnessing_equivocation_prop
  is tr
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr
ps:= finite_trace_last is prefix: state (composite_type IM)
equivocating_validators ps ⊆ equivocating_validators s
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
Hwitness: strong_trace_witnessing_equivocation_prop
  is tr
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr
ps:= finite_trace_last is prefix: state (composite_type IM)
equivocating_validators ps ⊆ equivocating_validators s
  revert prefix suffix Heqtr ps.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is, s: composite_state IM
tr: list (composite_transition_item IM)
Htr: finite_constrained_trace_init_to Free is s tr
Hwitness: strong_trace_witnessing_equivocation_prop
  is tr
∀ prefix suffix : list (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last is prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
  induction Htr using finite_valid_trace_init_to_rev_ind; intros.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si: state (preloaded_with_all_messages_vlsm Free)
Hsi: initial_state_prop si
Hwitness: strong_trace_witnessing_equivocation_prop
  si []
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = []
ps:= finite_trace_last si prefix: state (composite_type IM)
equivocating_validators ps
⊆ equivocating_validators si
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
Hwitness: strong_trace_witnessing_equivocation_prop
  si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: strong_trace_witnessing_equivocation_prop si
  tr
→ ∀ prefix
     suffix : list
                (composite_transition_item IM),
    prefix ++ suffix = tr
    → let ps := finite_trace_last si prefix in
      equivocating_validators ps
      ⊆ equivocating_validators s
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix =
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}]
ps:= finite_trace_last si prefix: state (composite_type IM)
equivocating_validators ps
⊆ equivocating_validators sf
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si: state (preloaded_with_all_messages_vlsm Free)
Hsi: initial_state_prop si
Hwitness: strong_trace_witnessing_equivocation_prop
  si []
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = []
ps:= finite_trace_last si prefix: state (composite_type IM)
equivocating_validators ps
⊆ equivocating_validators si by apply app_eq_nil in Heqtr as []; subst.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
Hwitness: strong_trace_witnessing_equivocation_prop
  si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: strong_trace_witnessing_equivocation_prop si
  tr
→ ∀ prefix
     suffix : list
                (composite_transition_item IM),
    prefix ++ suffix = tr
    → let ps := finite_trace_last si prefix in
      equivocating_validators ps
      ⊆ equivocating_validators s
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix =
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}]
ps:= finite_trace_last si prefix: state (composite_type IM)
equivocating_validators ps
⊆ equivocating_validators sf remember {| input := iom |} as item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
IHHtr: strong_trace_witnessing_equivocation_prop si
  tr
→ ∀ prefix
     suffix : list
                (composite_transition_item IM),
    prefix ++ suffix = tr
    → let ps := finite_trace_last si prefix in
      equivocating_validators ps
      ⊆ equivocating_validators s
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
equivocating_validators ps
⊆ equivocating_validators sf
    spec IHHtr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
IHHtr: strong_trace_witnessing_equivocation_prop si
  tr
→ ∀ prefix
     suffix : list
                (composite_transition_item IM),
    prefix ++ suffix = tr
    → let ps := finite_trace_last si prefix in
      equivocating_validators ps
      ⊆ equivocating_validators s
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
strong_trace_witnessing_equivocation_prop si tr
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
equivocating_validators ps
⊆ equivocating_validators sf
    {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
IHHtr: strong_trace_witnessing_equivocation_prop si
  tr
→ ∀ prefix
     suffix : list
                (composite_transition_item IM),
    prefix ++ suffix = tr
    → let ps := finite_trace_last si prefix in
      equivocating_validators ps
      ⊆ equivocating_validators s
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
strong_trace_witnessing_equivocation_prop si tr
      intros pre suf Heq.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
IHHtr: strong_trace_witnessing_equivocation_prop si
  tr
→ ∀ prefix
     suffix : list
                (composite_transition_item IM),
    prefix ++ suffix = tr
    → let ps := finite_trace_last si prefix in
      equivocating_validators ps
      ⊆ equivocating_validators s
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
pre, suf: list transition_item
Heq: pre ++ suf = tr
trace_witnessing_equivocation_prop si pre
      specialize (Hwitness pre (suf ++ [item])).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
pre, suf: list transition_item
Hwitness: pre ++ suf ++ [item] = tr ++ [item]
→ trace_witnessing_equivocation_prop si pre
IHHtr: strong_trace_witnessing_equivocation_prop si
  tr
→ ∀ prefix
     suffix : list
                (composite_transition_item IM),
    prefix ++ suffix = tr
    → let ps := finite_trace_last si prefix in
      equivocating_validators ps
      ⊆ equivocating_validators s
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
Heq: pre ++ suf = tr
trace_witnessing_equivocation_prop si pre
      apply Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
pre, suf: list transition_item
Hwitness: pre ++ suf ++ [item] = tr ++ [item]
→ trace_witnessing_equivocation_prop si pre
IHHtr: strong_trace_witnessing_equivocation_prop si
  tr
→ ∀ prefix
     suffix : list
                (composite_transition_item IM),
    prefix ++ suffix = tr
    → let ps := finite_trace_last si prefix in
      equivocating_validators ps
      ⊆ equivocating_validators s
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
Heq: pre ++ suf = tr
pre ++ suf ++ [item] = tr ++ [item]
      by subst; apply app_assoc.
    }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ suffix = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
equivocating_validators ps
⊆ equivocating_validators sf
    destruct_list_last suffix suffix' _item Heqsuffix.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ [] = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
Heqsuffix: suffix = []
equivocating_validators ps
⊆ equivocating_validators sf
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
_item: composite_transition_item IM
Heqtr: prefix ++ suffix' ++ [_item] = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [_item]
equivocating_validators ps
⊆ equivocating_validators sf
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix ++ [] = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
Heqsuffix: suffix = []
equivocating_validators ps
⊆ equivocating_validators sf rewrite app_nil_r in Heqtr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix: list (composite_transition_item IM)
Heqtr: prefix = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
Heqsuffix: suffix = []
equivocating_validators ps
⊆ equivocating_validators sf subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
Hwitness: strong_trace_witnessing_equivocation_prop
  si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
ps:= finite_trace_last si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}]): state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
equivocating_validators ps
⊆ equivocating_validators sf subst ps.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
Hwitness: strong_trace_witnessing_equivocation_prop
  si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
equivocating_validators
  (finite_trace_last si
     (tr ++
      [{|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |}])) ⊆ equivocating_validators sf
      by rewrite finite_trace_last_is_last.
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
_item: composite_transition_item IM
Heqtr: prefix ++ suffix' ++ [_item] = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [_item]
equivocating_validators ps
⊆ equivocating_validators sf rewrite app_assoc in Heqtr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
_item: composite_transition_item IM
Heqtr: (prefix ++ suffix') ++ [_item] = tr ++ [item]
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [_item]
equivocating_validators ps
⊆ equivocating_validators sf apply app_inj_tail in Heqtr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
_item: composite_transition_item IM
Heqtr: prefix ++ suffix' = tr ∧ _item = item
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [_item]
equivocating_validators ps
⊆ equivocating_validators sf
      destruct Heqtr as [Heqtr Heq_item].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
_item: composite_transition_item IM
Heqtr: prefix ++ suffix' = tr
Heq_item: _item = item
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [_item]
equivocating_validators ps
⊆ equivocating_validators sf subst _item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
Heqtr: prefix ++ suffix' = tr
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: ∀ prefix
   suffix : list
              (composite_transition_item IM),
  prefix ++ suffix = tr
  → let ps := finite_trace_last si prefix in
    equivocating_validators ps
    ⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [item]
equivocating_validators ps
⊆ equivocating_validators sf
      specialize (IHHtr _ _ Heqtr).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
Heqtr: prefix ++ suffix' = tr
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: let ps := finite_trace_last si prefix in
equivocating_validators ps
⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [item]
equivocating_validators ps
⊆ equivocating_validators sf
      transitivity (equivocating_validators s)
      ; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: strong_trace_witnessing_equivocation_prop
  si (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
Heqtr: prefix ++ suffix' = tr
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: let ps := finite_trace_last si prefix in
equivocating_validators ps
⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [item]
equivocating_validators s ⊆ equivocating_validators sf
      specialize (Hwitness (tr ++ [item]) []).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: (tr ++ [item]) ++ [] = tr ++ [item]
→ trace_witnessing_equivocation_prop si
    (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
Heqtr: prefix ++ suffix' = tr
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: let ps := finite_trace_last si prefix in
equivocating_validators ps
⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [item]
equivocating_validators s ⊆ equivocating_validators sf
      spec Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: (tr ++ [item]) ++ [] = tr ++ [item]
→ trace_witnessing_equivocation_prop si
    (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
Heqtr: prefix ++ suffix' = tr
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: let ps := finite_trace_last si prefix in
equivocating_validators ps
⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [item]
(tr ++ [item]) ++ [] = tr ++ [item]
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
prefix, suffix, suffix': list (composite_transition_item IM)
Heqtr: prefix ++ suffix' = tr
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: let ps := finite_trace_last si prefix in
equivocating_validators ps
⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [item]
Hwitness: trace_witnessing_equivocation_prop si
  (tr ++ [item])
equivocating_validators s ⊆ equivocating_validators sf {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Hwitness: (tr ++ [item]) ++ [] = tr ++ [item]
→ trace_witnessing_equivocation_prop si
    (tr ++ [item])
prefix, suffix, suffix': list (composite_transition_item IM)
Heqtr: prefix ++ suffix' = tr
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: let ps := finite_trace_last si prefix in
equivocating_validators ps
⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [item]
(tr ++ [item]) ++ [] = tr ++ [item] apply app_nil_r. }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
prefix, suffix, suffix': list (composite_transition_item IM)
Heqtr: prefix ++ suffix' = tr
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: let ps := finite_trace_last si prefix in
equivocating_validators ps
⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [item]
Hwitness: trace_witnessing_equivocation_prop si
  (tr ++ [item])
equivocating_validators s ⊆ equivocating_validators sf
      replace sf with (destination item) by (subst; done).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
si, s: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) si s
  tr
sf: state (preloaded_with_all_messages_vlsm Free)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm Free)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Free) l
  (s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
prefix, suffix, suffix': list (composite_transition_item IM)
Heqtr: prefix ++ suffix' = tr
ps:= finite_trace_last si prefix: state (composite_type IM)
IHHtr: let ps := finite_trace_last si prefix in
equivocating_validators ps
⊆ equivocating_validators s
Heqsuffix: suffix = suffix' ++ [item]
Hwitness: trace_witnessing_equivocation_prop si
  (tr ++ [item])
equivocating_validators s
⊆ equivocating_validators (destination item)
      by apply (equivocating_validators_witness_monotonicity _ _ _ Htr _ Hwitness).
Qed.

The next two lemmas show that the strong_trace_witnessing_equivocation_property is preserved by transitions in both the cases yielded by Lemma equivocating_validators_witness_last_char as part of the induction step in the proof of Lemma preloaded_has_strong_trace_witnessing_equivocation_prop.

Lemma strong_trace_witnessing_equivocation_prop_extend_eq
  s
  is tr'
  (Htr' : finite_constrained_trace_init_to Free is s tr')
  is' tr''
  (Htr'' : finite_constrained_trace_init_to Free is' s tr'')
  (Hprefix : strong_trace_witnessing_equivocation_prop is' tr'')
  item
  (Hwitness : trace_witnessing_equivocation_prop is (tr' ++ [item]))
  (Heq : equivocating_validators s ≡@{Cv} equivocating_validators (destination item))
  : strong_trace_witnessing_equivocation_prop is' (tr'' ++ [item]).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
strong_trace_witnessing_equivocation_prop is'
  (tr'' ++ [item])
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
strong_trace_witnessing_equivocation_prop is'
  (tr'' ++ [item])
  intros prefix suffix Heq_tr''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
prefix, suffix: list transition_item
Heq_tr''_item: prefix ++ suffix = tr'' ++ [item]
trace_witnessing_equivocation_prop is' prefix
  destruct_list_last suffix suffix' sitem Hsuffix_eq.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
prefix, suffix: list transition_item
Heq_tr''_item: prefix ++ [] = tr'' ++ [item]
Hsuffix_eq: suffix = []
trace_witnessing_equivocation_prop is' prefix
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr''_item: prefix ++ suffix' ++ [sitem] =
tr'' ++ [item]
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is' prefix
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
prefix, suffix: list transition_item
Heq_tr''_item: prefix ++ [] = tr'' ++ [item]
Hsuffix_eq: suffix = []
trace_witnessing_equivocation_prop is' prefix rewrite app_nil_r in Heq_tr''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
prefix, suffix: list transition_item
Heq_tr''_item: prefix = tr'' ++ [item]
Hsuffix_eq: suffix = []
trace_witnessing_equivocation_prop is' prefix
    subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
trace_witnessing_equivocation_prop is'
  (tr'' ++ [item])
    intro v.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
v
∈ equivocating_validators
    (finite_trace_last is' (tr'' ++ [item]))
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr'' ++ [item])) rewrite finite_trace_last_is_last.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
v ∈ equivocating_validators (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr'' ++ [item]))
    specialize (Hprefix tr'' []).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: tr'' ++ [] = tr''
→ trace_witnessing_equivocation_prop is'
    tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
v ∈ equivocating_validators (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr'' ++ [item]))
    spec Hprefix; [by apply app_nil_r |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
v ∈ equivocating_validators (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr'' ++ [item]))
    red in Htr''; apply valid_trace_get_last in Htr'' as Hlst'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
v ∈ equivocating_validators (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr'' ++ [item]))
    split.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
v ∈ equivocating_validators (destination item)
→ ∃ m : message,
    sender m = Some v
    ∧ equivocation_in_trace PreFree m (tr'' ++ [item])
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
(∃ m : message,
   sender m = Some v
   ∧ equivocation_in_trace PreFree m (tr'' ++ [item]))
→ v ∈ equivocating_validators (destination item)
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
v ∈ equivocating_validators (destination item)
→ ∃ m : message,
    sender m = Some v
    ∧ equivocation_in_trace PreFree m (tr'' ++ [item]) intros Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
Hv: v ∈ equivocating_validators (destination item)
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr'' ++ [item]) apply Heq in Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
Hv: v ∈ equivocating_validators s
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr'' ++ [item])
      rewrite <- Hlst' in Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
Hv: v
∈ equivocating_validators
    (finite_trace_last is' tr'')
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr'' ++ [item])
      apply Hprefix in Hv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
Hv: ∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m tr''
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr'' ++ [item])
      destruct Hv as [m [Hmsg Heqv]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace PreFree m tr''
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr'' ++ [item])
      exists m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace PreFree m tr''
sender m = Some v
∧ equivocation_in_trace PreFree m (tr'' ++ [item]) split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace PreFree m tr''
equivocation_in_trace PreFree m (tr'' ++ [item])
      by apply equivocation_in_trace_prefix.
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
(∃ m : message,
   sender m = Some v
   ∧ equivocation_in_trace PreFree m (tr'' ++ [item]))
→ v ∈ equivocating_validators (destination item) intros [m [Hmsg Heqv]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace PreFree m
  (tr'' ++ [item])
v ∈ equivocating_validators (destination item)
      apply equivocation_in_trace_last_char in Heqv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace
  (preloaded_with_all_messages_vlsm Free) m
  tr''
∨ input item = Some m
  ∧ ¬ trace_has_message 
        (field_selector output) m tr''
v ∈ equivocating_validators (destination item)
      destruct Heqv as [Heqv | Heqv].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace
  (preloaded_with_all_messages_vlsm Free) m
  tr''
v ∈ equivocating_validators (destination item)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: input item = Some m
∧ ¬ trace_has_message (field_selector output) m
      tr''
v ∈ equivocating_validators (destination item)
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace
  (preloaded_with_all_messages_vlsm Free) m
  tr''
v ∈ equivocating_validators (destination item) apply Heq.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace
  (preloaded_with_all_messages_vlsm Free) m
  tr''
v ∈ equivocating_validators s rewrite <- Hlst'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace
  (preloaded_with_all_messages_vlsm Free) m
  tr''
v
∈ equivocating_validators (finite_trace_last is' tr'')
        apply Hprefix.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: equivocation_in_trace
  (preloaded_with_all_messages_vlsm Free) m
  tr''
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m tr''
        by exists m.
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heqv: input item = Some m
∧ ¬ trace_has_message (field_selector output) m
      tr''
v ∈ equivocating_validators (destination item) destruct Heqv as [Heq_om Heqv].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
v ∈ equivocating_validators (destination item)
        assert (Heqv' : ~ trace_has_message (field_selector output) m tr').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
¬ trace_has_message (field_selector output) m tr'
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': ¬ trace_has_message (field_selector output) m
    tr'
v ∈ equivocating_validators (destination item)
        {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
¬ trace_has_message (field_selector output) m tr' intro Heqv'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': trace_has_message (field_selector output) m
  tr'
False elim Heqv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': trace_has_message (field_selector output) m
  tr'
trace_has_message (field_selector output) m tr''
          red in Htr'; apply valid_trace_last_pstate in Htr' as Htr'_lst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': trace_has_message (field_selector output) m
  tr'
Htr'_lst: valid_state_prop
  (preloaded_with_all_messages_vlsm Free) s
trace_has_message (field_selector output) m tr''
          destruct
            (has_been_sent_consistency Free
              _ Htr'_lst m)
            as [Hconsistency _].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': trace_has_message (field_selector output) m
  tr'
Htr'_lst: valid_state_prop
  (preloaded_with_all_messages_vlsm Free) s
Hconsistency: selected_message_exists_in_some_preloaded_traces
  Free (field_selector output) s m
→ selected_message_exists_in_all_preloaded_traces
    Free (field_selector output) s m
trace_has_message (field_selector output) m tr''
          spec Hconsistency; [by exists is, tr', Htr' |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': trace_has_message (field_selector output) m
  tr'
Htr'_lst: valid_state_prop
  (preloaded_with_all_messages_vlsm Free) s
Hconsistency: selected_message_exists_in_all_preloaded_traces
  Free (field_selector output) s m
trace_has_message (field_selector output) m tr''
          by specialize (Hconsistency is' tr'' Htr'').
        }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
v: validator
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': ¬ trace_has_message (field_selector output) m
    tr'
v ∈ equivocating_validators (destination item)
        specialize (Hwitness v).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
v: validator
Hwitness: v
∈ equivocating_validators
    (finite_trace_last is (tr' ++ [item]))
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr' ++ [item]))
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': ¬ trace_has_message (field_selector output) m
    tr'
v ∈ equivocating_validators (destination item)
        rewrite finite_trace_last_is_last in Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr' ++ [item]))
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': ¬ trace_has_message (field_selector output) m
    tr'
v ∈ equivocating_validators (destination item)
        simpl in Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr' ++ [item]))
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': ¬ trace_has_message (field_selector output) m
    tr'
v ∈ equivocating_validators (destination item)
        apply Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  s tr''
item: transition_item
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr' ++ [item]))
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
Hprefix: trace_witnessing_equivocation_prop is' tr''
Hlst': finite_trace_last is' tr'' = s
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': ¬ trace_has_message (field_selector output) m
    tr'
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr' ++ [item])
        subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  (finite_trace_last is' tr'') tr''
Htr': finite_constrained_trace_init_to Free is
  (finite_trace_last is' tr'') tr'
item: transition_item
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr' ++ [item]))
Heq: equivocating_validators
  (finite_trace_last is' tr'')
≡ equivocating_validators (destination item)
Hprefix: trace_witnessing_equivocation_prop is' tr''
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': ¬ trace_has_message (field_selector output) m
    tr'
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr' ++ [item]) exists m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  (finite_trace_last is' tr'') tr''
Htr': finite_constrained_trace_init_to Free is
  (finite_trace_last is' tr'') tr'
item: transition_item
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr' ++ [item]))
Heq: equivocating_validators
  (finite_trace_last is' tr'')
≡ equivocating_validators (destination item)
Hprefix: trace_witnessing_equivocation_prop is' tr''
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': ¬ trace_has_message (field_selector output) m
    tr'
sender m = Some v
∧ equivocation_in_trace PreFree m (tr' ++ [item]) split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is'
  (finite_trace_last is' tr'') tr''
Htr': finite_constrained_trace_init_to Free is
  (finite_trace_last is' tr'') tr'
item: transition_item
v: validator
Hwitness: v
∈ equivocating_validators
    (destination item)
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace PreFree m
         (tr' ++ [item]))
Heq: equivocating_validators
  (finite_trace_last is' tr'')
≡ equivocating_validators (destination item)
Hprefix: trace_witnessing_equivocation_prop is' tr''
m: message
Hmsg: sender m = Some v
Heq_om: input item = Some m
Heqv: ¬ trace_has_message (field_selector output) m
    tr''
Heqv': ¬ trace_has_message (field_selector output) m
    tr'
equivocation_in_trace PreFree m (tr' ++ [item])
        by eexists tr', _, [].
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr''_item: prefix ++ suffix' ++ [sitem] =
tr'' ++ [item]
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is' prefix rewrite app_assoc in Heq_tr''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr''_item: (prefix ++ suffix') ++ [sitem] =
tr'' ++ [item]
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is' prefix apply app_inj_tail in Heq_tr''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr''_item: prefix ++ suffix' = tr''
∧ sitem = item
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is' prefix
    destruct Heq_tr''_item as [Heq_tr'' Heq_item].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr': list transition_item
Htr': finite_constrained_trace_init_to Free is s tr'
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hprefix: strong_trace_witnessing_equivocation_prop
  is' tr''
item: transition_item
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Heq: equivocating_validators s
≡ equivocating_validators (destination item)
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr'': prefix ++ suffix' = tr''
Heq_item: sitem = item
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is' prefix
    by apply (Hprefix _ _ Heq_tr'').
Qed.

Lemma strong_trace_witnessing_equivocation_prop_extend_neq
  s
  is tr
  (Htr : finite_constrained_trace_init_to Free is s tr)
  (Hprefix : strong_trace_witnessing_equivocation_prop is tr)
  item
  msg
  (Hmsg : input item = Some msg)
  (Hwneq : ¬ trace_has_message (field_selector output) msg tr)
  v
  (Hsender : sender msg = Some v)
  (Hneq : equivocating_validators (destination item) ≡@{Cv} {[ v ]} ∪ (equivocating_validators s))
  : strong_trace_witnessing_equivocation_prop is (tr ++ [item]).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
strong_trace_witnessing_equivocation_prop is
  (tr ++ [item])
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
strong_trace_witnessing_equivocation_prop is
  (tr ++ [item])
  intros prefix suffix Heq_tr''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
prefix, suffix: list transition_item
Heq_tr''_item: prefix ++ suffix = tr ++ [item]
trace_witnessing_equivocation_prop is prefix
  destruct_list_last suffix suffix' sitem Hsuffix_eq.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
prefix, suffix: list transition_item
Heq_tr''_item: prefix ++ [] = tr ++ [item]
Hsuffix_eq: suffix = []
trace_witnessing_equivocation_prop is prefix
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr''_item: prefix ++ suffix' ++ [sitem] =
tr ++ [item]
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is prefix
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
prefix, suffix: list transition_item
Heq_tr''_item: prefix ++ [] = tr ++ [item]
Hsuffix_eq: suffix = []
trace_witnessing_equivocation_prop is prefix rewrite app_nil_r in Heq_tr''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
prefix, suffix: list transition_item
Heq_tr''_item: prefix = tr ++ [item]
Hsuffix_eq: suffix = []
trace_witnessing_equivocation_prop is prefix
    subst prefix suffix.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
trace_witnessing_equivocation_prop is (tr ++ [item])
    intro v'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
v'
∈ equivocating_validators
    (finite_trace_last is (tr ++ [item]))
↔ (∃ m : message,
     sender m = Some v'
     ∧ equivocation_in_trace PreFree m (tr ++ [item])) rewrite finite_trace_last_is_last.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
v' ∈ equivocating_validators (destination item)
↔ (∃ m : message,
     sender m = Some v'
     ∧ equivocation_in_trace PreFree m (tr ++ [item])) simpl.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
v' ∈ equivocating_validators (destination item)
↔ (∃ m : message,
     sender m = Some v'
     ∧ equivocation_in_trace PreFree m (tr ++ [item]))
    specialize (Hprefix tr []).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: tr ++ [] = tr
→ trace_witnessing_equivocation_prop is tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
v' ∈ equivocating_validators (destination item)
↔ (∃ m : message,
     sender m = Some v'
     ∧ equivocation_in_trace PreFree m (tr ++ [item]))
    spec Hprefix; [by apply app_nil_r |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
v' ∈ equivocating_validators (destination item)
↔ (∃ m : message,
     sender m = Some v'
     ∧ equivocation_in_trace PreFree m (tr ++ [item]))
    red in Htr; apply valid_trace_get_last in Htr as Hlst'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
v' ∈ equivocating_validators (destination item)
↔ (∃ m : message,
     sender m = Some v'
     ∧ equivocation_in_trace PreFree m (tr ++ [item]))
    split.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
v' ∈ equivocating_validators (destination item)
→ ∃ m : message,
    sender m = Some v'
    ∧ equivocation_in_trace PreFree m (tr ++ [item])
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
(∃ m : message,
   sender m = Some v'
   ∧ equivocation_in_trace PreFree m (tr ++ [item]))
→ v' ∈ equivocating_validators (destination item)
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
v' ∈ equivocating_validators (destination item)
→ ∃ m : message,
    sender m = Some v'
    ∧ equivocation_in_trace PreFree m (tr ++ [item]) intros Hv'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
Hv': v' ∈ equivocating_validators (destination item)
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item]) apply Hneq in Hv'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
Hv': v' ∈ {[v]} ∪ equivocating_validators s
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
      apply elem_of_union in Hv'; rewrite elem_of_singleton in Hv'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
Hv': v' = v ∨ v' ∈ equivocating_validators s
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
      rewrite <- Hlst' in Hv'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
Hv': v' = v
∨ v'
  ∈ equivocating_validators
      (finite_trace_last is tr)
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
      destruct Hv' as [Heq_v | Hv'].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
Heq_v: v' = v
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
Hv': v'
∈ equivocating_validators
    (finite_trace_last is tr)
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
Heq_v: v' = v
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item]) subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]}
  ∪ equivocating_validators
      (finite_trace_last is tr)
Hprefix: trace_witnessing_equivocation_prop is tr
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
        exists msg.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]}
  ∪ equivocating_validators
      (finite_trace_last is tr)
Hprefix: trace_witnessing_equivocation_prop is tr
sender msg = Some v
∧ equivocation_in_trace PreFree msg (tr ++ [item]) split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr) tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]}
  ∪ equivocating_validators
      (finite_trace_last is tr)
Hprefix: trace_witnessing_equivocation_prop is tr
equivocation_in_trace PreFree msg (tr ++ [item])
        by eexists tr, _, [].
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
Hv': v'
∈ equivocating_validators
    (finite_trace_last is tr)
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item]) apply Hprefix in Hv'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
Hv': ∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m tr
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
        destruct Hv' as [m [? Heqv]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m (tr ++ [item])
        exists m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
sender m = Some v'
∧ equivocation_in_trace PreFree m (tr ++ [item]) split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
equivocation_in_trace PreFree m (tr ++ [item])
        by apply equivocation_in_trace_prefix.
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
(∃ m : message,
   sender m = Some v'
   ∧ equivocation_in_trace PreFree m (tr ++ [item]))
→ v' ∈ equivocating_validators (destination item) intros [m [? Heqv]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m (tr ++ [item])
v' ∈ equivocating_validators (destination item)
      apply equivocation_in_trace_last_char in Heqv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
∨ input item = Some m
  ∧ ¬ trace_has_message 
        (field_selector output) m tr
v' ∈ equivocating_validators (destination item)
      apply Hneq, elem_of_union; rewrite elem_of_singleton.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
∨ input item = Some m
  ∧ ¬ trace_has_message 
        (field_selector output) m tr
v' = v ∨ v' ∈ equivocating_validators s
      destruct Heqv as [Heqv | Heqv].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
v' = v ∨ v' ∈ equivocating_validators s
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: input item = Some m
∧ ¬ trace_has_message (field_selector output) m
      tr
v' = v ∨ v' ∈ equivocating_validators s
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
v' = v ∨ v' ∈ equivocating_validators s rewrite <- Hlst'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
v' = v
∨ v'
  ∈ equivocating_validators (finite_trace_last is tr)
        right.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
v' ∈ equivocating_validators (finite_trace_last is tr)
        apply Hprefix.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: equivocation_in_trace PreFree m tr
∃ m : message,
  sender m = Some v'
  ∧ equivocation_in_trace PreFree m tr
        by exists m.
      *message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: input item = Some m
∧ ¬ trace_has_message (field_selector output) m
      tr
v' = v ∨ v' ∈ equivocating_validators s left.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: input item = Some m
∧ ¬ trace_has_message (field_selector output) m
      tr
v' = v simpl in Heqv.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is s
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
v': validator
Hprefix: trace_witnessing_equivocation_prop is tr
Hlst': finite_trace_last is tr = s
m: message
H13: sender m = Some v'
Heqv: input item = Some m
∧ ¬ trace_has_message (field_selector output) m
      tr
v' = v
        by destruct Heqv as [Heq_om Heqv]; congruence.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr''_item: prefix ++ suffix' ++ [sitem] =
tr ++ [item]
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is prefix rewrite app_assoc in Heq_tr''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr''_item: (prefix ++ suffix') ++ [sitem] =
tr ++ [item]
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is prefix apply app_inj_tail in Heq_tr''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr''_item: prefix ++ suffix' = tr ∧ sitem = item
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is prefix
    destruct Heq_tr''_item as [Heq_tr'' Heq_item].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hprefix: strong_trace_witnessing_equivocation_prop is
  tr
item: transition_item
msg: message
Hmsg: input item = Some msg
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr
v: validator
Hsender: sender msg = Some v
Hneq: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
prefix, suffix, suffix': list transition_item
sitem: transition_item
Heq_tr'': prefix ++ suffix' = tr
Heq_item: sitem = item
Hsuffix_eq: suffix = suffix' ++ [sitem]
trace_witnessing_equivocation_prop is prefix
    by apply (Hprefix _ _ Heq_tr'').
Qed.

Proving that any state s has the strong_trace_witnessing_equivocation_property proceeds via a more technical double induction over both:

(1) the length of a trace witnessing the equivocation of s; and (2) the size of the set of equivocators of s.

For the induction step we assume that the witnessing trace leading to s is of the form tr ++ [item. By Lemma equivocating_validators_witness_last_char we know that either tr is also a witnessing trace, in which case we can use the induction hypothesis via property (1), or the set of equivocators for the last state of tr is strictly included in that of s, allowing us to use the induction hypothesis via property (2).

The conclusion then follows by the two helper lemmas above.

Lemma preloaded_has_strong_trace_witnessing_equivocation_prop s
  (Hs : constrained_state_prop Free s)
  : exists is' tr',
    finite_constrained_trace_init_to Free is' s tr' /\
    strong_trace_witnessing_equivocation_prop is' tr'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
∃ (is' : state (preloaded_with_all_messages_vlsm Free)) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
∃ (is' : state (preloaded_with_all_messages_vlsm Free)) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  apply is_equivocating_tracewise_witness in Hs.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: state (preloaded_with_all_messages_vlsm Free)
Hs: ∃ (is : state
          (preloaded_with_all_messages_vlsm Free)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s tr
  ∧ trace_witnessing_equivocation_prop is tr
∃ (is' : state (preloaded_with_all_messages_vlsm Free)) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  destruct Hs as [is [tr [Htr Hwitness]]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hwitness: trace_witnessing_equivocation_prop is tr
∃ (is' : state (preloaded_with_all_messages_vlsm Free)) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  apply finite_valid_trace_init_to_last in Htr as Hlst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s, is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hwitness: trace_witnessing_equivocation_prop is tr
Hlst: finite_trace_last is tr = s
∃ (is' : state (preloaded_with_all_messages_vlsm Free)) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  subst s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is
  (finite_trace_last is tr) tr
Hwitness: trace_witnessing_equivocation_prop is tr
∃ (is' : state (preloaded_with_all_messages_vlsm Free)) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is'
    (finite_trace_last is tr) tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  apply finite_valid_trace_init_to_forget_last in Htr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Free) is tr
Hwitness: trace_witnessing_equivocation_prop is tr
∃ (is' : state (preloaded_with_all_messages_vlsm Free)) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is'
    (finite_trace_last is tr) tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  remember (length tr) as n.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Free) is tr
Hwitness: trace_witnessing_equivocation_prop is tr
n: nat
Heqn: n = length tr
∃ (is' : state (preloaded_with_all_messages_vlsm Free)) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is'
    (finite_trace_last is tr) tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  remember (set_size (equivocating_validators (finite_trace_last is tr))) as m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Free) is tr
Hwitness: trace_witnessing_equivocation_prop is tr
n: nat
Heqn: n = length tr
m: nat
Heqm: m =
set_size
  (equivocating_validators
     (finite_trace_last is tr))
∃ (is' : state (preloaded_with_all_messages_vlsm Free)) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is'
    (finite_trace_last is tr) tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  revert m n is tr Heqm Heqn Htr Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
∀ (m n : nat) (is : state
                      (preloaded_with_all_messages_vlsm
                         Free)) (tr : list
                                        transition_item),
  m =
  set_size
    (equivocating_validators (finite_trace_last is tr))
  → n = length tr
    → finite_valid_trace
        (preloaded_with_all_messages_vlsm Free) is tr
      → trace_witnessing_equivocation_prop is tr
        → ∃ (is' : state
                     (preloaded_with_all_messages_vlsm
                        Free)) (tr' : list
                                        transition_item),
            finite_constrained_trace_init_to Free is'
              (finite_trace_last is tr) tr'
            ∧ strong_trace_witnessing_equivocation_prop
                is' tr'
  pose
    (fun m n =>
    forall is tr,
    m = set_size (equivocating_validators (finite_trace_last is tr)) ->
    n = length tr ->
    finite_constrained_trace Free is tr ->
    trace_witnessing_equivocation_prop is tr ->
    let s := finite_trace_last is tr in
    exists (is' : state PreFree) (tr' : list transition_item),
      finite_constrained_trace_init_to Free is' s tr' /\
      (forall prefix suffix : list transition_item,
       prefix ++ suffix = tr' ->
       trace_witnessing_equivocation_prop is' prefix))
    as Pr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
∀ (m n : nat) (is : state
                      (preloaded_with_all_messages_vlsm
                         Free)) (tr : list
                                        transition_item),
  m =
  set_size
    (equivocating_validators (finite_trace_last is tr))
  → n = length tr
    → finite_valid_trace
        (preloaded_with_all_messages_vlsm Free) is tr
      → trace_witnessing_equivocation_prop is tr
        → ∃ (is' : state
                     (preloaded_with_all_messages_vlsm
                        Free)) (tr' : list
                                        transition_item),
            finite_constrained_trace_init_to Free is'
              (finite_trace_last is tr) tr'
            ∧ strong_trace_witnessing_equivocation_prop
                is' tr'
  apply (Wf_nat.lt_wf_double_ind Pr).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
∀ n m : nat,
  (∀ p q : nat, p < n → Pr p q)
  → (∀ p : nat, p < m → Pr n p) → Pr n m
  intros m n IHm IHn.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
Pr m n intros is tr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
tr: list transition_item
m =
set_size
  (equivocating_validators (finite_trace_last is tr))
→ n = length tr
  → finite_constrained_trace Free is tr
    → trace_witnessing_equivocation_prop is tr
      → let s := finite_trace_last is tr in
        ∃ (is' : state PreFree) (tr' : list
                                         transition_item),
          finite_constrained_trace_init_to Free is' s
            tr'
          ∧ (∀ prefix suffix : list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is' prefix)
  destruct_list_last tr tr' item Htr_eq.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
tr: list transition_item
Htr_eq: tr = []
m =
set_size
  (equivocating_validators (finite_trace_last is []))
→ n = length []
  → finite_constrained_trace Free is []
    → trace_witnessing_equivocation_prop is []
      → let s := finite_trace_last is [] in
        ∃ (is' : state PreFree) (tr' : list
                                         transition_item),
          finite_constrained_trace_init_to Free is' s
            tr'
          ∧ (∀ prefix suffix : list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is' prefix)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
tr, tr': list transition_item
item: transition_item
Htr_eq: tr = tr' ++ [item]
m =
set_size
  (equivocating_validators
     (finite_trace_last is (tr' ++ [item])))
→ n = length (tr' ++ [item])
  → finite_constrained_trace Free is (tr' ++ [item])
    → trace_witnessing_equivocation_prop is
        (tr' ++ [item])
      → let s := finite_trace_last is (tr' ++ [item])
          in
        ∃ (is' : state PreFree) 
          (tr' : list transition_item),
          finite_constrained_trace_init_to Free is' s
            tr'
          ∧ (∀ prefix suffix : list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is' prefix)
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
tr: list transition_item
Htr_eq: tr = []
m =
set_size
  (equivocating_validators (finite_trace_last is []))
→ n = length []
  → finite_constrained_trace Free is []
    → trace_witnessing_equivocation_prop is []
      → let s := finite_trace_last is [] in
        ∃ (is' : state PreFree) (tr' : list
                                         transition_item),
          finite_constrained_trace_init_to Free is' s
            tr'
          ∧ (∀ prefix suffix : list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is' prefix) subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
m =
set_size
  (equivocating_validators (finite_trace_last is []))
→ n = length []
  → finite_constrained_trace Free is []
    → trace_witnessing_equivocation_prop is []
      → let s := finite_trace_last is [] in
        ∃ (is' : state PreFree) (tr' : list
                                         transition_item),
          finite_constrained_trace_init_to Free is' s
            tr'
          ∧ (∀ prefix suffix : list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is' prefix)
    intros _ _ Htr _.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
let s := finite_trace_last is [] in
∃ (is' : state PreFree) (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
    exists is, [].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
finite_constrained_trace_init_to Free is
  (finite_trace_last is []) []
∧ (∀ prefix suffix : list transition_item,
     prefix ++ suffix = []
     → trace_witnessing_equivocation_prop is prefix)
    split.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
finite_constrained_trace_init_to Free is
  (finite_trace_last is []) []
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
∀ prefix suffix : list transition_item,
  prefix ++ suffix = []
  → trace_witnessing_equivocation_prop is prefix
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
finite_constrained_trace_init_to Free is
  (finite_trace_last is []) [] by apply finite_valid_trace_init_add_last.
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
∀ prefix suffix : list transition_item,
  prefix ++ suffix = []
  → trace_witnessing_equivocation_prop is prefix intros prefix suffix Heq_tr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
prefix, suffix: list transition_item
Heq_tr: prefix ++ suffix = []
trace_witnessing_equivocation_prop is prefix
      apply app_eq_nil in Heq_tr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
prefix, suffix: list transition_item
Heq_tr: prefix = [] ∧ suffix = []
trace_witnessing_equivocation_prop is prefix destruct Heq_tr.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
prefix, suffix: list transition_item
H13: prefix = []
H14: suffix = []
trace_witnessing_equivocation_prop is prefix subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
Htr: finite_constrained_trace Free is []
trace_witnessing_equivocation_prop is []
      by apply initial_state_witnessing_equivocation_prop, Htr.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
tr, tr': list transition_item
item: transition_item
Htr_eq: tr = tr' ++ [item]
m =
set_size
  (equivocating_validators
     (finite_trace_last is (tr' ++ [item])))
→ n = length (tr' ++ [item])
  → finite_constrained_trace Free is (tr' ++ [item])
    → trace_witnessing_equivocation_prop is
        (tr' ++ [item])
      → let s := finite_trace_last is (tr' ++ [item])
          in
        ∃ (is' : state PreFree) (tr' : list
                                         transition_item),
          finite_constrained_trace_init_to Free is' s
            tr'
          ∧ (∀ prefix suffix : list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is' prefix) rewrite finite_trace_last_is_last.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
tr, tr': list transition_item
item: transition_item
Htr_eq: tr = tr' ++ [item]
m =
set_size (equivocating_validators (destination item))
→ n = length (tr' ++ [item])
  → finite_constrained_trace Free is (tr' ++ [item])
    → trace_witnessing_equivocation_prop is
        (tr' ++ [item])
      → let s := destination item in
        ∃ (is' : state PreFree) (tr' : list
                                         transition_item),
          finite_constrained_trace_init_to Free is' s
            tr'
          ∧ (∀ prefix suffix : list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is' prefix)
    intros ? Hn Htr'_item Hwitness.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
tr, tr': list transition_item
item: transition_item
Htr_eq: tr = tr' ++ [item]
H13: m =
set_size
  (equivocating_validators (destination item))
Hn: n = length (tr' ++ [item])
Htr'_item: finite_constrained_trace Free is
  (tr' ++ [item])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
let s := destination item in
∃ (is' : state PreFree) (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
    apply finite_valid_trace_init_add_last
      with (sf := destination item)
      in Htr'_item
    ; [| by apply finite_trace_last_is_last].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
tr, tr': list transition_item
item: transition_item
Htr_eq: tr = tr' ++ [item]
H13: m =
set_size
  (equivocating_validators (destination item))
Hn: n = length (tr' ++ [item])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is (destination item) 
  (tr' ++ [item])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
let s := destination item in
∃ (is' : state PreFree) (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
    destruct item as [l om s' om'].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : state (composite_type IM)) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → let s := finite_trace_last is tr in
            ∃ (is' : state PreFree) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' s tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: state (composite_type IM)
tr, tr': list transition_item
l: label (composite_type IM)
om: option message
s': state (composite_type IM)
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m =
set_size
  (equivocating_validators
     (destination
        {|
          l := l;
          input := om;
          destination := s';
          output := om'
        |}))
Hn: n =
length
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is
  (destination
     {|
       l := l;
       input := om;
       destination := s';
       output := om'
     |})
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
let s :=
  destination
    {|
      l := l;
      input := om;
      destination := s';
      output := om'
    |} in
∃ (is' : state PreFree) (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix) simpl in *.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: composite_state IM
tr, tr': list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n =
length
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
    destruct
      (equivocating_validators_witness_last_char _ _ _ _ _ _ Htr'_item Hwitness)
      as [[Heq Hwitness'] | [msg [Heq_om [v [Hsender [Hnv Hneq]]]]]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: composite_state IM
tr, tr': list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n =
length
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: composite_state IM
tr, tr': list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n =
length
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
msg: message
Heq_om: om = Some msg
v: validator
Hsender: sender msg = Some v
Hnv: v
∉ equivocating_validators
    (finite_trace_last is tr')
Hneq: equivocating_validators s'
≡ {[v]}
  ∪ equivocating_validators
      (finite_trace_last is tr')
∧ (∀ (is0 : composite_state IM) 
     (tr : list transition_item),
     finite_constrained_trace_init_to Free is0
       (finite_trace_last is tr') tr
     → trace_witnessing_equivocation_prop is0
         tr
       → ¬ trace_has_message
             (field_selector output) msg tr)
∃ (is' : composite_state IM) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: composite_state IM
tr, tr': list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n =
length
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix) specialize (IHn (length tr')).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
IHn: length tr' < n → Pr m (length tr')
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n =
length
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      rewrite app_length in Hn.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
IHn: length tr' < n → Pr m (length tr')
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n =
length tr' +
length
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix) simpl in Hn.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
IHn: length tr' < n → Pr m (length tr')
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      spec IHn; [lia |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: Pr m (length tr')
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize (IHn is tr').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: m =
set_size
  (equivocating_validators
     (finite_trace_last is tr'))
→ length tr' = length tr'
  → finite_constrained_trace Free is tr'
    → trace_witnessing_equivocation_prop is tr'
      → ∃ (is' : composite_state IM) 
          (tr'0 : list transition_item),
          finite_constrained_trace_init_to Free
            is' (finite_trace_last is tr') tr'0
          ∧ (∀ prefix
                suffix : 
                list transition_item,
               prefix ++ suffix = tr'0
               → trace_witnessing_equivocation_prop
                   is' prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      spec IHn; [by subst m; setoid_rewrite Heq |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: length tr' = length tr'
→ finite_constrained_trace Free is tr'
  → trace_witnessing_equivocation_prop is tr'
    → ∃ (is' : composite_state IM) 
        (tr'0 : list transition_item),
        finite_constrained_trace_init_to Free
          is' (finite_trace_last is tr') tr'0
        ∧ (∀ prefix
              suffix : 
              list transition_item,
             prefix ++ suffix = tr'0
             → trace_witnessing_equivocation_prop
                 is' prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize (IHn eq_refl).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: finite_constrained_trace Free is tr'
→ trace_witnessing_equivocation_prop is tr'
  → ∃ (is' : composite_state IM) 
      (tr'0 : list transition_item),
      finite_constrained_trace_init_to Free is'
        (finite_trace_last is tr') tr'0
      ∧ (∀ prefix suffix : list transition_item,
           prefix ++ suffix = tr'0
           → trace_witnessing_equivocation_prop
               is' prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      destruct Htr'_item as [Htr'_item Hinit].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: finite_constrained_trace Free is tr'
→ trace_witnessing_equivocation_prop is tr'
  → ∃ (is' : composite_state IM) 
      (tr'0 : list transition_item),
      finite_constrained_trace_init_to Free is'
        (finite_trace_last is tr') tr'0
      ∧ (∀ prefix suffix : list transition_item,
           prefix ++ suffix = tr'0
           → trace_witnessing_equivocation_prop
               is' prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      apply finite_valid_trace_from_to_app_split in Htr'_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := om;
       destination := s';
       output := om'
     |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: finite_constrained_trace Free is tr'
→ trace_witnessing_equivocation_prop is tr'
  → ∃ (is' : composite_state IM) 
      (tr'0 : list transition_item),
      finite_constrained_trace_init_to Free is'
        (finite_trace_last is tr') tr'0
      ∧ (∀ prefix suffix : list transition_item,
           prefix ++ suffix = tr'0
           → trace_witnessing_equivocation_prop
               is' prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      destruct Htr'_item as [Htr' Hitem].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: finite_constrained_trace Free is tr'
→ trace_witnessing_equivocation_prop is tr'
  → ∃ (is' : composite_state IM) 
      (tr'0 : list transition_item),
      finite_constrained_trace_init_to Free is'
        (finite_trace_last is tr') tr'0
      ∧ (∀ prefix suffix : list transition_item,
           prefix ++ suffix = tr'0
           → trace_witnessing_equivocation_prop
               is' prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      spec IHn.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: finite_constrained_trace Free is tr'
→ trace_witnessing_equivocation_prop is tr'
  → ∃ (is' : composite_state IM) 
      (tr'0 : list transition_item),
      finite_constrained_trace_init_to Free is'
        (finite_trace_last is tr') tr'0
      ∧ (∀ prefix suffix : list transition_item,
           prefix ++ suffix = tr'0
           → trace_witnessing_equivocation_prop
               is' prefix)
finite_constrained_trace Free is tr'
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: trace_witnessing_equivocation_prop is tr'
→ ∃ (is' : composite_state IM) 
    (tr'0 : list transition_item),
    finite_constrained_trace_init_to Free is'
      (finite_trace_last is tr') tr'0
    ∧ (∀ prefix suffix : list transition_item,
         prefix ++ suffix = tr'0
         → trace_witnessing_equivocation_prop
             is' prefix)
∃ (is' : composite_state IM) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: finite_constrained_trace Free is tr'
→ trace_witnessing_equivocation_prop is tr'
  → ∃ (is' : composite_state IM) 
      (tr'0 : list transition_item),
      finite_constrained_trace_init_to Free is'
        (finite_trace_last is tr') tr'0
      ∧ (∀ prefix suffix : list transition_item,
           prefix ++ suffix = tr'0
           → trace_witnessing_equivocation_prop
               is' prefix)
finite_constrained_trace Free is tr'
        split; [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: finite_constrained_trace Free is tr'
→ trace_witnessing_equivocation_prop is tr'
  → ∃ (is' : composite_state IM) 
      (tr'0 : list transition_item),
      finite_constrained_trace_init_to Free is'
        (finite_trace_last is tr') tr'0
      ∧ (∀ prefix suffix : list transition_item,
           prefix ++ suffix = tr'0
           → trace_witnessing_equivocation_prop
               is' prefix)
finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Free) is tr'
        by apply finite_valid_trace_from_to_forget_last in Htr'.
      }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: trace_witnessing_equivocation_prop is tr'
→ ∃ (is' : composite_state IM) 
    (tr'0 : list transition_item),
    finite_constrained_trace_init_to Free is'
      (finite_trace_last is tr') tr'0
    ∧ (∀ prefix suffix : list transition_item,
         prefix ++ suffix = tr'0
         → trace_witnessing_equivocation_prop
             is' prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize (IHn Hwitness').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
IHn: ∃ (is' : composite_state IM) 
  (tr'0 : list transition_item),
  finite_constrained_trace_init_to Free is'
    (finite_trace_last is tr') tr'0
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'0
       → trace_witnessing_equivocation_prop is'
           prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      destruct IHn as [is' [tr'' [[Htr'' Hinit'] Hprefix]]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
is': composite_state IM
tr'': list transition_item
Htr'': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is'
  (finite_trace_last is tr') tr''
Hinit': initial_state_prop is'
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr''
  → trace_witnessing_equivocation_prop is'
      prefix
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize
        (finite_valid_trace_from_to_app PreFree _ _ _ _ _ Htr'' Hitem)
        as Htr''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
is': composite_state IM
tr'': list transition_item
Htr'': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is'
  (finite_trace_last is tr') tr''
Hinit': initial_state_prop is'
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr''
  → trace_witnessing_equivocation_prop is'
      prefix
Htr''_item: finite_valid_trace_from_to PreFree is' s'
  (tr'' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      eexists is', _.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
is': composite_state IM
tr'': list transition_item
Htr'': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is'
  (finite_trace_last is tr') tr''
Hinit': initial_state_prop is'
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr''
  → trace_witnessing_equivocation_prop is'
      prefix
Htr''_item: finite_valid_trace_from_to PreFree is' s'
  (tr'' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
finite_constrained_trace_init_to Free is' s' ?Goal0
∧ (∀ prefix suffix : list transition_item,
     prefix ++ suffix = ?Goal0
     → trace_witnessing_equivocation_prop is' prefix)
      split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
tr': list transition_item
is: composite_state IM
tr: list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n = length tr' + 1
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is
  (finite_trace_last is tr') tr'
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
Hinit: initial_state_prop is
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Heq: equivocating_validators
  (finite_trace_last is tr')
≡ equivocating_validators s'
Hwitness': trace_witnessing_equivocation_prop is tr'
is': composite_state IM
tr'': list transition_item
Htr'': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) is'
  (finite_trace_last is tr') tr''
Hinit': initial_state_prop is'
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr''
  → trace_witnessing_equivocation_prop is'
      prefix
Htr''_item: finite_valid_trace_from_to PreFree is' s'
  (tr'' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
∀ prefix suffix : list transition_item,
  prefix ++ suffix =
  tr'' ++
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}] → trace_witnessing_equivocation_prop is' prefix
      by apply (strong_trace_witnessing_equivocation_prop_extend_eq _ is tr' (conj Htr' Hinit))
      ; [by split | done..].
    +message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
m, n: nat
IHm: ∀ p q : nat, p < m → Pr p q
IHn: ∀ p : nat, p < n → Pr m p
is: composite_state IM
tr, tr': list transition_item
l: composite_label IM
om: option message
s': composite_state IM
om': option message
Htr_eq: tr =
tr' ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}]
H13: m = set_size (equivocating_validators s')
Hn: n =
length
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
msg: message
Heq_om: om = Some msg
v: validator
Hsender: sender msg = Some v
Hnv: v
∉ equivocating_validators
    (finite_trace_last is tr')
Hneq: equivocating_validators s'
≡ {[v]}
  ∪ equivocating_validators
      (finite_trace_last is tr')
∧ (∀ (is0 : composite_state IM) 
     (tr : list transition_item),
     finite_constrained_trace_init_to Free is0
       (finite_trace_last is tr') tr
     → trace_witnessing_equivocation_prop is0
         tr
       → ¬ trace_has_message
             (field_selector output) msg tr)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix) subst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Hnv: v
∉ equivocating_validators
    (finite_trace_last is tr')
Hneq: equivocating_validators s'
≡ {[v]}
  ∪ equivocating_validators
      (finite_trace_last is tr')
∧ (∀ (is0 : composite_state IM) 
     (tr : list transition_item),
     finite_constrained_trace_init_to Free is0
       (finite_trace_last is tr') tr
     → trace_witnessing_equivocation_prop is0
         tr
       → ¬ trace_has_message
             (field_selector output) msg tr)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix) destruct Hneq as [Hneq Hwneq].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Hnv: v
∉ equivocating_validators
    (finite_trace_last is tr')
Hneq: equivocating_validators s'
≡ {[v]}
  ∪ equivocating_validators
      (finite_trace_last is tr')
Hwneq: ∀ (is0 : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is0
    (finite_trace_last is tr') tr
  → trace_witnessing_equivocation_prop is0 tr
    → ¬ trace_has_message
          (field_selector output) msg tr
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      remember (finite_trace_last is tr') as s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize (is_equivocating_tracewise_witness s) as Hwitness'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
Hwitness': constrained_state_prop Free s
→ ∃ (is : state
            (preloaded_with_all_messages_vlsm
               Free)) (tr : 
                      list transition_item),
    finite_constrained_trace_init_to Free
      is s tr
    ∧ trace_witnessing_equivocation_prop
        is tr
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      spec Hwitness'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
Hwitness': constrained_state_prop Free s
→ ∃ (is : state
            (preloaded_with_all_messages_vlsm
               Free)) (tr : 
                      list transition_item),
    finite_constrained_trace_init_to Free
      is s tr
    ∧ trace_witnessing_equivocation_prop
        is tr
constrained_state_prop Free s
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
Hwitness': ∃ (is : state
          (preloaded_with_all_messages_vlsm
             Free)) (tr : 
                     list transition_item),
  finite_constrained_trace_init_to Free is
    s tr
  ∧ trace_witnessing_equivocation_prop is
      tr
∃ (is' : composite_state IM) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
Hwitness': constrained_state_prop Free s
→ ∃ (is : state
            (preloaded_with_all_messages_vlsm
               Free)) (tr : 
                      list transition_item),
    finite_constrained_trace_init_to Free
      is s tr
    ∧ trace_witnessing_equivocation_prop
        is tr
constrained_state_prop Free s apply proj1, finite_valid_trace_from_to_app_split, proj1
          , finite_valid_trace_from_to_last_pstate
          in Htr'_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: valid_state_prop
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr')
v: validator
Hsender: sender msg = Some v
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
Hwitness': constrained_state_prop Free s
→ ∃ (is : state
            (preloaded_with_all_messages_vlsm
               Free)) (tr : 
                      list transition_item),
    finite_constrained_trace_init_to Free
      is s tr
    ∧ trace_witnessing_equivocation_prop
        is tr
constrained_state_prop Free s
        by subst.
      }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
Hwitness': ∃ (is : state
          (preloaded_with_all_messages_vlsm
             Free)) (tr : 
                     list transition_item),
  finite_constrained_trace_init_to Free is
    s tr
  ∧ trace_witnessing_equivocation_prop is
      tr
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      destruct Hwitness' as [is' [tr''[Htr'' Hwitness']]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
IHm: ∀ p q : nat,
  p < set_size (equivocating_validators s')
  → Pr p q
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
s: state (composite_type IM)
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
tr'': list transition_item
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize (IHm (set_size (equivocating_validators s)) (length tr'')).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: state (composite_type IM)
tr'': list transition_item
IHm: set_size (equivocating_validators s) <
set_size (equivocating_validators s')
→ Pr (set_size (equivocating_validators s))
    (length tr'')
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      spec IHm.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: state (composite_type IM)
tr'': list transition_item
IHm: set_size (equivocating_validators s) <
set_size (equivocating_validators s')
→ Pr (set_size (equivocating_validators s))
    (length tr'')
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
set_size (equivocating_validators s) <
set_size (equivocating_validators s')
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: state (composite_type IM)
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
IHm: Pr (set_size (equivocating_validators s))
  (length tr'')
∃ (is' : composite_state IM) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      {message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: state (composite_type IM)
tr'': list transition_item
IHm: set_size (equivocating_validators s) <
set_size (equivocating_validators s')
→ Pr (set_size (equivocating_validators s))
    (length tr'')
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
set_size (equivocating_validators s) <
set_size (equivocating_validators s')
        rewrite Hneq.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: state (composite_type IM)
tr'': list transition_item
IHm: set_size (equivocating_validators s) <
set_size (equivocating_validators s')
→ Pr (set_size (equivocating_validators s))
    (length tr'')
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
set_size (equivocating_validators s) <
set_size ({[v]} ∪ equivocating_validators s)
        setoid_rewrite size_union; [by rewrite size_singleton; unfold size; lia |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: state (composite_type IM)
tr'': list transition_item
IHm: set_size (equivocating_validators s) <
set_size (equivocating_validators s')
→ Pr (set_size (equivocating_validators s))
    (length tr'')
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
{[v]} ## equivocating_validators s
        by intro v'; rewrite elem_of_singleton; intros ->.
      }message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: state (composite_type IM)
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
IHm: Pr (set_size (equivocating_validators s))
  (length tr'')
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize (IHm is' tr'').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: state (composite_type IM)
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
IHm: set_size (equivocating_validators s) =
set_size
  (equivocating_validators
     (finite_trace_last is' tr''))
→ length tr'' = length tr''
  → finite_constrained_trace Free is' tr''
    → trace_witnessing_equivocation_prop is'
        tr''
      → ∃ (is'0 : composite_state IM) 
          (tr' : list transition_item),
          finite_constrained_trace_init_to Free
            is'0 (finite_trace_last is' tr'')
            tr'
          ∧ (∀ prefix
                suffix : 
                list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is'0 prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      apply finite_valid_trace_init_to_last in Htr'' as Htr''_lst.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: state (composite_type IM)
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': state (preloaded_with_all_messages_vlsm Free)
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
IHm: set_size (equivocating_validators s) =
set_size
  (equivocating_validators
     (finite_trace_last is' tr''))
→ length tr'' = length tr''
  → finite_constrained_trace Free is' tr''
    → trace_witnessing_equivocation_prop is'
        tr''
      → ∃ (is'0 : composite_state IM) 
          (tr' : list transition_item),
          finite_constrained_trace_init_to Free
            is'0 (finite_trace_last is' tr'')
            tr'
          ∧ (∀ prefix
                suffix : 
                list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is'0 prefix)
Htr''_lst: finite_trace_last is' tr'' = s
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      simpl in *.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
IHm: set_size (equivocating_validators s) =
set_size
  (equivocating_validators
     (finite_trace_last is' tr''))
→ length tr'' = length tr''
  → finite_constrained_trace Free is' tr''
    → trace_witnessing_equivocation_prop is'
        tr''
      → ∃ (is'0 : composite_state IM) 
          (tr' : list transition_item),
          finite_constrained_trace_init_to Free
            is'0 (finite_trace_last is' tr'')
            tr'
          ∧ (∀ prefix
                suffix : 
                list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is'0 prefix)
Htr''_lst: finite_trace_last is' tr'' = s
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      rewrite Htr''_lst in IHm.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
IHm: set_size (equivocating_validators s) =
set_size (equivocating_validators s)
→ length tr'' = length tr''
  → finite_constrained_trace Free is' tr''
    → trace_witnessing_equivocation_prop is'
        tr''
      → ∃ (is' : composite_state IM) 
          (tr' : list transition_item),
          finite_constrained_trace_init_to Free
            is' s tr'
          ∧ (∀ prefix
                suffix : 
                list transition_item,
               prefix ++ suffix = tr'
               → trace_witnessing_equivocation_prop
                   is' prefix)
Htr''_lst: finite_trace_last is' tr'' = s
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize (IHm eq_refl eq_refl).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
IHm: finite_constrained_trace Free is' tr''
→ trace_witnessing_equivocation_prop is' tr''
  → ∃ (is' : composite_state IM) 
      (tr' : list transition_item),
      finite_constrained_trace_init_to Free is'
        s tr'
      ∧ (∀ prefix suffix : list transition_item,
           prefix ++ suffix = tr'
           → trace_witnessing_equivocation_prop
               is' prefix)
Htr''_lst: finite_trace_last is' tr'' = s
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      spec IHm; [by apply finite_valid_trace_init_to_forget_last in Htr'' |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
IHm: trace_witnessing_equivocation_prop is' tr''
→ ∃ (is' : composite_state IM) 
    (tr' : list transition_item),
    finite_constrained_trace_init_to Free is' s
      tr'
    ∧ (∀ prefix suffix : list transition_item,
         prefix ++ suffix = tr'
         → trace_witnessing_equivocation_prop
             is' prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize (IHm Hwitness').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
IHm: ∃ (is' : composite_state IM) 
  (tr' : list transition_item),
  finite_constrained_trace_init_to Free is' s
    tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is'
           prefix)
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      destruct IHm as [is'' [tr''' [[Htr''' Hinit'] Hprefix]]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free)
  is s'
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
tr''': list transition_item
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': initial_state_prop is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      apply proj1, finite_valid_trace_from_to_app_split, proj2 in Htr'_item as Hitem.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := Some msg;
       destination := s';
       output := om'
     |}]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
tr''': list transition_item
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': initial_state_prop is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      simpl in *.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := Some msg;
       destination := s';
       output := om'
     |}]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
tr''': list transition_item
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  (finite_trace_last is tr') s'
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      rewrite <- Heqs in Hitem.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := Some msg;
       destination := s';
       output := om'
     |}]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
tr''': list transition_item
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      specialize
        (finite_valid_trace_from_to_app PreFree _ _ _ _ _ Htr''' Hitem)
        as Htr'''_item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := Some msg;
       destination := s';
       output := om'
     |}]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
tr''': list transition_item
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s'
  (tr''' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
∃ (is' : composite_state IM) (tr' : list
                                      transition_item),
  finite_constrained_trace_init_to Free is' s' tr'
  ∧ (∀ prefix suffix : list transition_item,
       prefix ++ suffix = tr'
       → trace_witnessing_equivocation_prop is' prefix)
      eexists is'', _.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := Some msg;
       destination := s';
       output := om'
     |}]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
tr''': list transition_item
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s'
  (tr''' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
finite_constrained_trace_init_to Free is'' s' ?Goal
∧ (∀ prefix suffix : list transition_item,
     prefix ++ suffix = ?Goal
     → trace_witnessing_equivocation_prop is'' prefix)
      split; [done |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := Some msg;
       destination := s';
       output := om'
     |}]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
tr''': list transition_item
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s'
  (tr''' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
∀ prefix suffix : list transition_item,
  prefix ++ suffix =
  tr''' ++
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
  → trace_witnessing_equivocation_prop is'' prefix
      specialize (Hprefix tr''' []) as Hwitness'''.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := Some msg;
       destination := s';
       output := om'
     |}]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
tr''': list transition_item
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s'
  (tr''' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Hwitness''': tr''' ++ [] = tr'''
→ trace_witnessing_equivocation_prop
    is'' tr'''
∀ prefix suffix : list transition_item,
  prefix ++ suffix =
  tr''' ++
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
  → trace_witnessing_equivocation_prop is'' prefix
      spec Hwitness'''; [by apply app_nil_r |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := Some msg;
       destination := s';
       output := om'
     |}]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
Hwneq: ∀ (is : composite_state IM) 
  (tr : list transition_item),
  finite_constrained_trace_init_to Free is s
    tr
  → trace_witnessing_equivocation_prop is tr
    → ¬ trace_has_message
          (field_selector output) msg tr
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
tr''': list transition_item
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s'
  (tr''' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Hwitness''': trace_witnessing_equivocation_prop is''
  tr'''
∀ prefix suffix : list transition_item,
  prefix ++ suffix =
  tr''' ++
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
  → trace_witnessing_equivocation_prop is'' prefix
      specialize (Hwneq _ _ (conj Htr''' Hinit') Hwitness''').message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
IHn: ∀ p : nat,
  p <
  length
    (tr' ++
     [{|
        l := l;
        input := Some msg;
        destination := s';
        output := om'
      |}])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s'
    [{|
       l := l;
       input := Some msg;
       destination := s';
       output := om'
     |}]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
tr''': list transition_item
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr'''
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s'
  (tr''' ++
   [{|
      l := l;
      input := Some msg;
      destination := s';
      output := om'
    |}])
Hwitness''': trace_witnessing_equivocation_prop is''
  tr'''
∀ prefix suffix : list transition_item,
  prefix ++ suffix =
  tr''' ++
  [{|
     l := l;
     input := Some msg;
     destination := s';
     output := om'
   |}]
  → trace_witnessing_equivocation_prop is'' prefix
      remember {| input := Some msg |} as item.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
item: transition_item
Heqitem: item =
{|
  l := l;
  input := Some msg;
  destination := s';
  output := om'
|}
IHn: ∀ p : nat,
  p < length (tr' ++ [item])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s' [item]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
tr''': list transition_item
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr'''
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [item]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s' (tr''' ++ [item])
Hwitness''': trace_witnessing_equivocation_prop is''
  tr'''
∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr''' ++ [item]
  → trace_witnessing_equivocation_prop is'' prefix
      specialize (strong_trace_witnessing_equivocation_prop_extend_neq
        _ _ _ (conj Htr''' Hinit') Hprefix item msg) as Hextend.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
item: transition_item
Heqitem: item =
{|
  l := l;
  input := Some msg;
  destination := s';
  output := om'
|}
IHn: ∀ p : nat,
  p < length (tr' ++ [item])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s' [item]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
tr''': list transition_item
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr'''
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [item]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s' (tr''' ++ [item])
Hwitness''': trace_witnessing_equivocation_prop is''
  tr'''
Hextend: input item = Some msg
→ ¬ trace_has_message
      (field_selector output) msg tr'''
  → ∀ v : validator,
      sender msg = Some v
      → equivocating_validators
          (destination item)
        ≡ {[v]} ∪ equivocating_validators s
        → strong_trace_witnessing_equivocation_prop
            is'' (tr''' ++ [item])
∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr''' ++ [item]
  → trace_witnessing_equivocation_prop is'' prefix
      spec Hextend; [by subst |].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
item: transition_item
Heqitem: item =
{|
  l := l;
  input := Some msg;
  destination := s';
  output := om'
|}
IHn: ∀ p : nat,
  p < length (tr' ++ [item])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s' [item]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
tr''': list transition_item
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr'''
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [item]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s' (tr''' ++ [item])
Hwitness''': trace_witnessing_equivocation_prop is''
  tr'''
Hextend: ¬ trace_has_message (field_selector output)
    msg tr'''
→ ∀ v : validator,
    sender msg = Some v
    → equivocating_validators
        (destination item)
      ≡ {[v]} ∪ equivocating_validators s
      → strong_trace_witnessing_equivocation_prop
          is'' (tr''' ++ [item])
∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr''' ++ [item]
  → trace_witnessing_equivocation_prop is'' prefix
      specialize (Hextend Hwneq _ Hsender).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
Pr:= λ m n : nat,
  ∀ (is : composite_state IM) 
    (tr : list transition_item),
    m =
    set_size
      (equivocating_validators
         (finite_trace_last is tr))
    → n = length tr
      → finite_constrained_trace Free is tr
        → trace_witnessing_equivocation_prop is tr
          → ∃ (is' : composite_state IM) 
              (tr' : list transition_item),
              finite_constrained_trace_init_to
                Free is' 
                (finite_trace_last is tr) tr'
              ∧ (∀ prefix
                    suffix : 
                    list transition_item,
                   prefix ++ suffix = tr'
                   → trace_witnessing_equivocation_prop
                      is' prefix): nat → nat → Prop
s': composite_state IM
tr': list transition_item
l: composite_label IM
om': option message
msg: message
item: transition_item
Heqitem: item =
{|
  l := l;
  input := Some msg;
  destination := s';
  output := om'
|}
IHn: ∀ p : nat,
  p < length (tr' ++ [item])
  → Pr (set_size (equivocating_validators s')) p
s: composite_state IM
tr'': list transition_item
is: composite_state IM
Hwitness: trace_witnessing_equivocation_prop is
  (tr' ++ [item])
Htr'_item: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is (finite_trace_last is tr') tr'
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm Free)
    (finite_trace_last is tr') s' [item]
v: validator
Hsender: sender msg = Some v
Heqs: s = finite_trace_last is tr'
Hnv: v ∉ equivocating_validators s
Hneq: equivocating_validators s'
≡ {[v]} ∪ equivocating_validators s
tr''': list transition_item
Hwneq: ¬ trace_has_message (field_selector output)
    msg tr'''
is': composite_state IM
Htr'': finite_constrained_trace_init_to Free is' s
  tr''
Hwitness': trace_witnessing_equivocation_prop is'
  tr''
Htr''_lst: finite_trace_last is' tr'' = s
is'': composite_state IM
Htr''': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free)
  is'' s tr'''
Hinit': composite_initial_state_prop IM is''
Hprefix: ∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr'''
  → trace_witnessing_equivocation_prop is''
      prefix
Hitem: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Free) s s'
  [item]
Htr'''_item: finite_valid_trace_from_to PreFree is''
  s' (tr''' ++ [item])
Hwitness''': trace_witnessing_equivocation_prop is''
  tr'''
Hextend: equivocating_validators (destination item)
≡ {[v]} ∪ equivocating_validators s
→ strong_trace_witnessing_equivocation_prop
    is'' (tr''' ++ [item])
∀ prefix suffix : list transition_item,
  prefix ++ suffix = tr''' ++ [item]
  → trace_witnessing_equivocation_prop is'' prefix
      by apply Hextend; subst.
Qed.

A version of Lemma preloaded_has_strong_trace_witnessing_equivocation_prop guaranteeing that for any valid_state w.r.t. the Free composition there is a trace ending in that state which is valid w.r.t. the Free composition and it has the strong_trace_witnessing_equivocation_property.

Lemma free_has_strong_trace_witnessing_equivocation_prop s
  (Hs : valid_state_prop Free s)
  : exists is' tr',
    finite_valid_trace_init_to Free is' s tr' /\
    strong_trace_witnessing_equivocation_prop is' tr'.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: state Free
Hs: valid_state_prop Free s
∃ (is' : state Free) (tr' : list transition_item),
  finite_valid_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: state Free
Hs: valid_state_prop Free s
∃ (is' : state Free) (tr' : list transition_item),
  finite_valid_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  apply (VLSM_incl_valid_state (vlsm_incl_preloaded_with_all_messages_vlsm Free))
    in Hs as Hpre_s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: state Free
Hs: valid_state_prop Free s
Hpre_s: valid_state_prop
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} s
∃ (is' : state Free) (tr' : list transition_item),
  finite_valid_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  apply preloaded_has_strong_trace_witnessing_equivocation_prop in Hpre_s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: state Free
Hs: valid_state_prop Free s
Hpre_s: ∃ (is' : state
           (preloaded_with_all_messages_vlsm
              Free)) (tr' : 
                      list transition_item),
  finite_constrained_trace_init_to Free is' s
    tr'
  ∧ strong_trace_witnessing_equivocation_prop
      is' tr'
∃ (is' : state Free) (tr' : list transition_item),
  finite_valid_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  destruct Hpre_s as [is [tr [Htr Hwitness]]].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: state Free
Hs: valid_state_prop Free s
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_constrained_trace_init_to Free is s tr
Hwitness: strong_trace_witnessing_equivocation_prop
  is tr
∃ (is' : state Free) (tr' : list transition_item),
  finite_valid_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  apply (all_pre_traces_to_valid_state_are_valid_free IM) in Htr
  ; [| done].message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision2: EqDecision validator
H2: finite.Finite validator
Free:= free_composite_vlsm IM: VLSM message
PreFree:= preloaded_with_all_messages_vlsm Free: VLSM message
threshold: R
Cv: Type
Hm: Measurable.Measurable validator
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision3: EqDecision validator
H10: FinSet validator Cv
H11: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
H12: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability
Hsender_safety: sender_safety_alt_prop IM A sender
s: state Free
Hs: valid_state_prop Free s
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) is s tr
Hwitness: strong_trace_witnessing_equivocation_prop
  is tr
∃ (is' : state Free) (tr' : list transition_item),
  finite_valid_trace_init_to Free is' s tr'
  ∧ strong_trace_witnessing_equivocation_prop is' tr'
  by exists is, tr.
Qed.

End sec_witnessed_equivocation_properties.

End sec_witnessed_equivocation.

Witnessed equivocation and fixed-set equivocation

The main result of this module is that, under witnessed equivocation assumptions, any trace with the strong_trace_witnessing_equivocation_property which is valid for the free composition (guaranteed to exist by Lemma free_has_strong_trace_witnessing_equivocation_prop) is also valid for the composition constrained by the fixed_equivocation_constrained induced by the equivocating_validators of its final state.

Section sec_witnessed_equivocation_fixed_set.

Context
  {message : Type}
  `{FinSet index Ci}
  `{!finite.Finite index}
  (IM : index -> VLSM message)
  `{forall i, HasBeenSentCapability (IM i)}
  `{forall i, HasBeenReceivedCapability (IM i)}
  (threshold : R)
  `{finite.Finite validator}
  `{ReachableThreshold validator Cv threshold}
  (A : validator -> index)
  (sender : message -> option validator)
  (Free := free_composite_vlsm IM)
  `{RelDecision _ _ (is_equivocating_tracewise_no_has_been_sent IM A sender)}
  (Htracewise_BasicEquivocation : BasicEquivocation (composite_state IM) validator Cv threshold
    := equivocation_dec_tracewise IM threshold A sender)
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  `{!Irreflexive (msg_dep_happens_before message_dependencies)}
  `{forall i, MessageDependencies (IM i) message_dependencies}
  (Hfull : forall i, message_dependencies_full_node_condition_prop (IM i) message_dependencies)
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop IM)
  (can_emit_signed : channel_authentication_prop IM A sender)
  (Hsender_safety : sender_safety_alt_prop IM A sender :=
    channel_authentication_sender_safety IM A sender can_emit_signed)
  (Free_has_sender :=
    free_composite_no_initial_valid_messages_have_sender IM A sender
      can_emit_signed no_initial_messages_in_IM)
  (equivocating_validators :=
    equivocating_validators (BasicEquivocation := Htracewise_BasicEquivocation))
  .

Existing Instance Htracewise_BasicEquivocation.

Given the fact that the set of equivocating_validators can be empty, and the definition of the fixed_equivocation_constraint requires a non-empty set (to allow the composition of equivocators to exist), we default the constraint to the composite_no_equivocation one when there are no equivocating_validators.

Definition equivocating_validators_fixed_equivocation_constraint
  (s : composite_state IM)
  :=
  fixed_equivocation_constraint IM (Ci := Ci) (fin_sets.set_map A (equivocating_validators s)).

Lemma equivocators_can_emit_free m
  (Hmsg : valid_message_prop Free m)
  v
  (Hsender : sender m = Some v)
  sf
  (Hequivocating_v : v ∈ equivocating_validators sf)
  l s
  (Hv : composite_valid IM l (s, Some m))
  : can_emit
    (equivocators_composition_for_directly_observed IM (Ci := Ci) (fin_sets.set_map A (equivocating_validators sf)) s)
    m.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
Hmsg: valid_message_prop Free m
v: validator
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
Proof.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
Hmsg: valid_message_prop Free m
v: validator
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  apply emitted_messages_are_valid_iff in Hmsg
    as [(_v & [_im Him] & Heqim) | Hiom]
  ; [by elim (no_initial_messages_in_IM _v _im) |].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
Hiom: can_emit Free m
v: validator
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  apply (VLSM_incl_can_emit (vlsm_incl_preloaded_with_all_messages_vlsm (free_composite_vlsm IM)))
    in Hiom.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
Hiom: can_emit
  {|
    vlsm_type := free_composite_vlsm IM;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm
        (free_composite_vlsm IM)
  |} m
v: validator
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  apply can_emit_free_composite_project in Hiom as [_v Hiom].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
_v: index
Hiom: can_emit
  (preloaded_with_all_messages_vlsm (IM _v)) m
v: validator
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  specialize (Hsender_safety _ _ Hsender _ Hiom) as Heq_v.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
_v: index
Hiom: can_emit
  (preloaded_with_all_messages_vlsm (IM _v)) m
v: validator
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Heq_v: A v = _v
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m simpl in Heq_v.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
_v: index
Hiom: can_emit
  (preloaded_with_all_messages_vlsm (IM _v)) m
v: validator
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Heq_v: A v = _v
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  subst _v.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_with_all_messages_vlsm (IM (A v)))
  m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  eapply message_dependencies_are_sufficient in Hiom.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  unfold preloaded_free_equivocating_vlsm_composition, free_equivocating_vlsm_composition.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  specialize
    (@lift_to_composite_generalized_preloaded_VLSM_embedding
      message (sub_index (elements (C := Ci) (fin_sets.set_map A (equivocating_validators sf)))) _
        (sub_IM IM (elements(fin_sets.set_map A (equivocating_validators sf))))
      (fun msg : message => msg ∈ message_dependencies m)
      (composite_has_been_directly_observed IM s))
    as Hproj.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Hproj: (∀ m0 : message,
   (λ msg : message,
      msg ∈ message_dependencies m) m0
   → composite_has_been_directly_observed IM s
       m0)
→ ∀ j : sub_index
          (elements
             (set_map A
                (equivocating_validators sf))),
    VLSM_embedding
      (preloaded_vlsm
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf)))
            j)
         (λ msg : message,
            msg ∈ message_dependencies m))
      (preloaded_vlsm
         (free_composite_vlsm
            (sub_IM IM
               (elements
                  (set_map A
                     (equivocating_validators
                      sf)))))
         (composite_has_been_directly_observed
            IM s))
      (lift_to_composite_label
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
      (lift_to_composite_state'
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  spec Hproj.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Hproj: (∀ m0 : message,
   (λ msg : message,
      msg ∈ message_dependencies m) m0
   → composite_has_been_directly_observed IM s
       m0)
→ ∀ j : sub_index
          (elements
             (set_map A
                (equivocating_validators sf))),
    VLSM_embedding
      (preloaded_vlsm
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf)))
            j)
         (λ msg : message,
            msg ∈ message_dependencies m))
      (preloaded_vlsm
         (free_composite_vlsm
            (sub_IM IM
               (elements
                  (set_map A
                     (equivocating_validators
                      sf)))))
         (composite_has_been_directly_observed
            IM s))
      (lift_to_composite_label
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
      (lift_to_composite_state'
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
∀ m0 : message,
  m0 ∈ message_dependencies m
  → composite_has_been_directly_observed IM s m0
message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Hproj: ∀ j : sub_index
        (elements
           (set_map A
              (equivocating_validators sf))),
  VLSM_embedding
    (preloaded_vlsm
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf)))
          j)
       (λ msg : message,
          msg ∈ message_dependencies m))
    (preloaded_vlsm
       (free_composite_vlsm
          (sub_IM IM
             (elements
                (set_map A
                   (equivocating_validators sf)))))
       (composite_has_been_directly_observed
          IM s))
    (lift_to_composite_label
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf))))
       j)
    (lift_to_composite_state'
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf))))
       j)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  {message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Hproj: (∀ m0 : message,
   (λ msg : message,
      msg ∈ message_dependencies m) m0
   → composite_has_been_directly_observed IM s
       m0)
→ ∀ j : sub_index
          (elements
             (set_map A
                (equivocating_validators sf))),
    VLSM_embedding
      (preloaded_vlsm
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf)))
            j)
         (λ msg : message,
            msg ∈ message_dependencies m))
      (preloaded_vlsm
         (free_composite_vlsm
            (sub_IM IM
               (elements
                  (set_map A
                     (equivocating_validators
                      sf)))))
         (composite_has_been_directly_observed
            IM s))
      (lift_to_composite_label
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
      (lift_to_composite_state'
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
∀ m0 : message,
  m0 ∈ message_dependencies m
  → composite_has_been_directly_observed IM s m0
    intros dm Hdm.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Hproj: (∀ m0 : message,
   (λ msg : message,
      msg ∈ message_dependencies m) m0
   → composite_has_been_directly_observed IM s
       m0)
→ ∀ j : sub_index
          (elements
             (set_map A
                (equivocating_validators sf))),
    VLSM_embedding
      (preloaded_vlsm
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf)))
            j)
         (λ msg : message,
            msg ∈ message_dependencies m))
      (preloaded_vlsm
         (free_composite_vlsm
            (sub_IM IM
               (elements
                  (set_map A
                     (equivocating_validators
                      sf)))))
         (composite_has_been_directly_observed
            IM s))
      (lift_to_composite_label
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
      (lift_to_composite_state'
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
dm: message
Hdm: dm ∈ message_dependencies m
composite_has_been_directly_observed IM s dm
    destruct l as (i, li).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
i: index
li: label (IM i)
s: composite_state IM
Hv: composite_valid IM (existT i li) (s, Some m)
Hproj: (∀ m0 : message,
   (λ msg : message,
      msg ∈ message_dependencies m) m0
   → composite_has_been_directly_observed IM s
       m0)
→ ∀ j : sub_index
          (elements
             (set_map A
                (equivocating_validators sf))),
    VLSM_embedding
      (preloaded_vlsm
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf)))
            j)
         (λ msg : message,
            msg ∈ message_dependencies m))
      (preloaded_vlsm
         (free_composite_vlsm
            (sub_IM IM
               (elements
                  (set_map A
                     (equivocating_validators
                      sf)))))
         (composite_has_been_directly_observed
            IM s))
      (lift_to_composite_label
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
      (lift_to_composite_state'
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
dm: message
Hdm: dm ∈ message_dependencies m
composite_has_been_directly_observed IM s dm simpl in Hv.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
i: index
li: label (IM i)
s: composite_state IM
Hv: valid li (s i, Some m)
Hproj: (∀ m0 : message,
   (λ msg : message,
      msg ∈ message_dependencies m) m0
   → composite_has_been_directly_observed IM s
       m0)
→ ∀ j : sub_index
          (elements
             (set_map A
                (equivocating_validators sf))),
    VLSM_embedding
      (preloaded_vlsm
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf)))
            j)
         (λ msg : message,
            msg ∈ message_dependencies m))
      (preloaded_vlsm
         (free_composite_vlsm
            (sub_IM IM
               (elements
                  (set_map A
                     (equivocating_validators
                      sf)))))
         (composite_has_been_directly_observed
            IM s))
      (lift_to_composite_label
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
      (lift_to_composite_state'
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
dm: message
Hdm: dm ∈ message_dependencies m
composite_has_been_directly_observed IM s dm
    apply (Hfull _ _ _ _ Hv) in Hdm.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
i: index
li: label (IM i)
s: composite_state IM
Hv: valid li (s i, Some m)
Hproj: (∀ m0 : message,
   (λ msg : message,
      msg ∈ message_dependencies m) m0
   → composite_has_been_directly_observed IM s
       m0)
→ ∀ j : sub_index
          (elements
             (set_map A
                (equivocating_validators sf))),
    VLSM_embedding
      (preloaded_vlsm
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf)))
            j)
         (λ msg : message,
            msg ∈ message_dependencies m))
      (preloaded_vlsm
         (free_composite_vlsm
            (sub_IM IM
               (elements
                  (set_map A
                     (equivocating_validators
                      sf)))))
         (composite_has_been_directly_observed
            IM s))
      (lift_to_composite_label
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
      (lift_to_composite_state'
         (sub_IM IM
            (elements
               (set_map A
                  (equivocating_validators sf))))
         j)
dm: message
Hdm: has_been_directly_observed (IM i) (s i) dm
composite_has_been_directly_observed IM s dm
    by exists i.
  }message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Hproj: ∀ j : sub_index
        (elements
           (set_map A
              (equivocating_validators sf))),
  VLSM_embedding
    (preloaded_vlsm
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf)))
          j)
       (λ msg : message,
          msg ∈ message_dependencies m))
    (preloaded_vlsm
       (free_composite_vlsm
          (sub_IM IM
             (elements
                (set_map A
                   (equivocating_validators sf)))))
       (composite_has_been_directly_observed
          IM s))
    (lift_to_composite_label
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf))))
       j)
    (lift_to_composite_state'
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf))))
       j)
can_emit
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s) m
  eapply VLSM_embedding_can_emit; [| done].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Hproj: ∀ j : sub_index
        (elements
           (set_map A
              (equivocating_validators sf))),
  VLSM_embedding
    (preloaded_vlsm
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf)))
          j)
       (λ msg : message,
          msg ∈ message_dependencies m))
    (preloaded_vlsm
       (free_composite_vlsm
          (sub_IM IM
             (elements
                (set_map A
                   (equivocating_validators sf)))))
       (composite_has_been_directly_observed
          IM s))
    (lift_to_composite_label
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf))))
       j)
    (lift_to_composite_state'
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf))))
       j)
VLSM_embedding
  (preloaded_vlsm (IM (A v))
     (λ msg : message, msg ∈ message_dependencies m))
  (equivocators_composition_for_directly_observed IM
     (set_map A (equivocating_validators sf)) s)
  ?label_project ?state_project
  unshelve eapply (Hproj (dexist (A v) _)).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
m: message
v: validator
Hiom: can_emit
  (preloaded_vlsm (IM (A v))
     (λ msg : message,
        msg ∈ message_dependencies m)) m
Hsender: sender m = Some v
sf: composite_state IM
Hequivocating_v: v ∈ equivocating_validators sf
l: composite_label IM
s: composite_state IM
Hv: composite_valid IM l (s, Some m)
Hproj: ∀ j : sub_index
        (elements
           (set_map A
              (equivocating_validators sf))),
  VLSM_embedding
    (preloaded_vlsm
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf)))
          j)
       (λ msg : message,
          msg ∈ message_dependencies m))
    (preloaded_vlsm
       (free_composite_vlsm
          (sub_IM IM
             (elements
                (set_map A
                   (equivocating_validators sf)))))
       (composite_has_been_directly_observed
          IM s))
    (lift_to_composite_label
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf))))
       j)
    (lift_to_composite_state'
       (sub_IM IM
          (elements
             (set_map A
                (equivocating_validators sf))))
       j)
sub_index_prop
  (elements (set_map A (equivocating_validators sf)))
  (A v)
  by apply elem_of_elements, elem_of_map_2.
Qed.

Main result of the section

Any Free valid trace with the strong_trace_witnessing_equivocation_property is also valid w.r.t. the composition using the equivocating_validators_fixed_equivocation_constraint induced by its final state.

The proof proceeds by induction on the valid trace property. Lemmas equivocating_validators_witness_monotonicity and fixed_equivocation_vlsm_composition_index_incl are used to restate the induction hypothesis in terms of the final state after the last transition.

Lemma strong_witness_has_fixed_equivocation is s tr
  (Htr : finite_valid_trace_init_to (free_composite_vlsm IM) is s tr)
  (Heqv : strong_trace_witnessing_equivocation_prop (Cv := Cv) IM threshold A sender is tr)
  : finite_valid_trace_init_to (fixed_equivocation_vlsm_composition IM (Ci := Ci)
      (fin_sets.set_map A (equivocating_validators s))) is s tr.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
is, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) is s tr
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender is tr
finite_valid_trace_init_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s))) is s tr
Proof.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
is, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) is s tr
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender is tr
finite_valid_trace_init_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s))) is s tr
  split; [| by apply Htr].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
is, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) is s tr
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender is tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s))) is s tr
  induction Htr using finite_valid_trace_init_to_rev_ind.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si: state (free_composite_vlsm IM)
Hsi: initial_state_prop si
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si []
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators si))) si si
  []
message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si tr
→ finite_valid_trace_from_to
    (fixed_equivocation_vlsm_composition IM
       (set_map A (equivocating_validators s)))
    si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
  -message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si: state (free_composite_vlsm IM)
Hsi: initial_state_prop si
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si []
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators si))) si si
  [] eapply (finite_valid_trace_from_to_empty (fixed_equivocation_vlsm_composition IM
      (Ci := Ci) (fin_sets.set_map A (equivocating_validators si)))).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si: state (free_composite_vlsm IM)
Hsi: initial_state_prop si
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si []
valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators si))) si
    by apply initial_state_is_valid.
  -message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si tr
→ finite_valid_trace_from_to
    (fixed_equivocation_vlsm_composition IM
       (set_map A (equivocating_validators s)))
    si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}]) spec IHHtr.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si tr
→ finite_valid_trace_from_to
    (fixed_equivocation_vlsm_composition IM
       (set_map A (equivocating_validators s)))
    si s tr
strong_trace_witnessing_equivocation_prop IM threshold
  A sender si tr
message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s)))
  si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    {message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si tr
→ finite_valid_trace_from_to
    (fixed_equivocation_vlsm_composition IM
       (set_map A (equivocating_validators s)))
    si s tr
strong_trace_witnessing_equivocation_prop IM threshold
  A sender si tr intros prefix.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si tr
→ finite_valid_trace_from_to
    (fixed_equivocation_vlsm_composition IM
       (set_map A (equivocating_validators s)))
    si s tr
prefix: list transition_item
∀ suffix : list transition_item,
  prefix ++ suffix = tr
  → trace_witnessing_equivocation_prop IM threshold A
      sender si prefix intros.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si tr
→ finite_valid_trace_from_to
    (fixed_equivocation_vlsm_composition IM
       (set_map A (equivocating_validators s)))
    si s tr
prefix, suffix: list transition_item
H30: prefix ++ suffix = tr
trace_witnessing_equivocation_prop IM threshold A
  sender si prefix
      apply (Heqv prefix (suffix ++  [{| l := l; input := iom; destination := sf; output := oom |}])).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si tr
→ finite_valid_trace_from_to
    (fixed_equivocation_vlsm_composition IM
       (set_map A (equivocating_validators s)))
    si s tr
prefix, suffix: list transition_item
H30: prefix ++ suffix = tr
prefix ++
suffix ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] =
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}]
      by subst; apply app_assoc.
    }message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s)))
  si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    apply (VLSM_incl_finite_valid_trace_init_to (vlsm_incl_preloaded_with_all_messages_vlsm Free))
      in Htr as Hpre_tr.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s)))
  si s tr
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    assert
      (Htr_sf : finite_valid_trace_from_to
        (fixed_equivocation_vlsm_composition IM (Ci := Ci) (fin_sets.set_map A (equivocating_validators sf))) si s tr).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s)))
  si s tr
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si s tr
message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s)))
  si s tr
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    {message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s)))
  si s tr
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si s tr revert IHHtr.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s))) si s tr
→ finite_valid_trace_from_to
    (fixed_equivocation_vlsm_composition IM
       (set_map A (equivocating_validators sf))) si s
    tr
      apply VLSM_incl_finite_valid_trace_from_to,
               fixed_equivocation_vlsm_composition_index_incl.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
elements (set_map A (equivocating_validators s))
⊆ elements (set_map A (equivocating_validators sf))
      apply elements_subseteq, set_map_subset.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
equivocating_validators s ⊆ equivocating_validators sf
      remember {| destination := sf |} as item.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si 
  (tr ++ [item])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
equivocating_validators s ⊆ equivocating_validators sf
      replace sf with (destination item) by (subst; done).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si 
  (tr ++ [item])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
equivocating_validators s
⊆ equivocating_validators (destination item)
      eapply equivocating_validators_witness_monotonicity; [done |].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
item: transition_item
Heqitem: item =
{|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si 
  (tr ++ [item])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
trace_witnessing_equivocation_prop IM threshold A
  sender si (tr ++ [item])
      by apply Heqv with (suffix := []), app_nil_r.
    }message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators s)))
  si s tr
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    clear IHHtr.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    apply (extend_right_finite_trace_from_to _ Htr_sf).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Ht: input_valid_transition 
  (free_composite_vlsm IM) l (
  s, iom) (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, iom) (sf, oom)
    destruct Ht as [(Hs & Hiom & Hv) Ht].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) iom
Hv: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, iom) (sf, oom)
    apply finite_valid_trace_from_to_last_pstate in Htr_sf as Hs'.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) iom
Hv: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, iom) (sf, oom)
    specialize
      (Heqv
        (tr ++ [{| l := l; input := iom; destination := sf; output := oom |}])
        []).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) iom
Hv: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Heqv: (tr ++
 [{|
    l := l;
    input := iom;
    destination := sf;
    output := oom
  |}]) ++ [] =
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}]
→ trace_witnessing_equivocation_prop IM
    threshold A sender si
    (tr ++
     [{|
        l := l;
        input := iom;
        destination := sf;
        output := oom
      |}])
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, iom) (sf, oom)
    spec Heqv; [by apply app_nil_r |].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
iom, oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) iom
Hv: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
Heqv: trace_witnessing_equivocation_prop IM threshold
  A sender si
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, iom) (sf, oom)
    destruct iom as [im |]; [| by repeat split; auto using option_valid_message_None].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
Heqv: trace_witnessing_equivocation_prop IM threshold
  A sender si
  (tr ++
   [{|
      l := l;
      input := Some im;
      destination := sf;
      output := oom
    |}])
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    apply Free_has_sender in Hiom as _Hsender.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
Heqv: trace_witnessing_equivocation_prop IM threshold
  A sender si
  (tr ++
   [{|
      l := l;
      input := Some im;
      destination := sf;
      output := oom
    |}])
_Hsender: sender im ≠ None
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    destruct (sender im) as [v |] eqn: Hsender; [| by congruence].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
Heqv: trace_witnessing_equivocation_prop IM threshold
  A sender si
  (tr ++
   [{|
      l := l;
      input := Some im;
      destination := sf;
      output := oom
    |}])
v: validator
Hsender: sender im = Some v
_Hsender: Some v ≠ None
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    clear _Hsender.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
Heqv: trace_witnessing_equivocation_prop IM threshold
  A sender si
  (tr ++
   [{|
      l := l;
      input := Some im;
      destination := sf;
      output := oom
    |}])
v: validator
Hsender: sender im = Some v
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    specialize (Heqv v).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v
∈ Equivocation.equivocating_validators
    (finite_trace_last si
       (tr ++
        [{|
           l := l;
           input := Some im;
           destination := sf;
           output := oom
         |}]))
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    rewrite finite_trace_last_is_last in Heqv.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v
∈ Equivocation.equivocating_validators
    (destination
       {|
         l := l;
         input := Some im;
         destination := sf;
         output := oom
       |})
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    simpl in Heqv.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    assert (Hpre_s : constrained_state_prop Free s).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
constrained_state_prop Free s
message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    {message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
constrained_state_prop Free s by apply proj1, finite_valid_trace_from_to_last_pstate in Hpre_tr. }message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    destruct (decide (composite_has_been_directly_observed IM s im)).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
c: composite_has_been_directly_observed IM s im
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    {message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
c: composite_has_been_directly_observed IM s im
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom) repeat split
      ; [done | apply option_valid_message_Some | done | | done].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
c: composite_has_been_directly_observed IM s im
valid_message_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) im
message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
c: composite_has_been_directly_observed IM s im
fixed_equivocation_constraint IM
  (set_map A (equivocating_validators sf)) l
  (s, Some im)
      -message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
c: composite_has_been_directly_observed IM s im
valid_message_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) im by apply (composite_directly_observed_valid IM _ s).
      -message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
c: composite_has_been_directly_observed IM s im
fixed_equivocation_constraint IM
  (set_map A (equivocating_validators sf)) l
  (s, Some im) by left.
    }message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    assert (Hequivocating_v : v ∈ equivocating_validators sf).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
v ∈ equivocating_validators sf
message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Hequivocating_v: v ∈ equivocating_validators sf
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    {message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
v ∈ equivocating_validators sf apply Heqv.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
∃ m : message,
  sender m = Some v
  ∧ equivocation_in_trace
      (preloaded_with_all_messages_vlsm
         (free_composite_vlsm IM)) m
      (tr ++
       [{|
          l := l;
          input := Some im;
          destination := sf;
          output := oom
        |}]) exists im.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
sender im = Some v
∧ equivocation_in_trace
    (preloaded_with_all_messages_vlsm
       (free_composite_vlsm IM)) im
    (tr ++
     [{|
        l := l;
        input := Some im;
        destination := sf;
        output := oom
      |}]) split; [done |].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
equivocation_in_trace
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM)) im
  (tr ++
   [{|
      l := l;
      input := Some im;
      destination := sf;
      output := oom
    |}])
      eexists tr, _, [].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
tr ++
[{|
   l := l;
   input := Some im;
   destination := sf;
   output := oom
 |}] = tr ++ [?Goal0]
∧ input ?Goal0 = Some im
  ∧ ¬ trace_has_message (field_selector output) im tr
      split; [done |].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
input
  {|
    l := l;
    input := Some im;
    destination := sf;
    output := oom
  |} = Some im
∧ ¬ trace_has_message (field_selector output) im tr
      split; [done |].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
¬ trace_has_message (field_selector output) im tr
      intros Him_output.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Him_output: trace_has_message (field_selector output)
  im tr
False
      elim n.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Him_output: trace_has_message (field_selector output)
  im tr
composite_has_been_directly_observed IM s im
      apply composite_has_been_directly_observed_sent_received_iff.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Him_output: trace_has_message (field_selector output)
  im tr
composite_has_been_sent IM s im
∨ composite_has_been_received IM s im
      left.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Him_output: trace_has_message (field_selector output)
  im tr
composite_has_been_sent IM s im
      specialize (proper_sent Free _ Hpre_s im) as Hsent_s.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Him_output: trace_has_message (field_selector output)
  im tr
Hsent_s: has_been_sent_prop Free 
  (has_been_sent Free) s im
composite_has_been_sent IM s im
      apply proj2 in Hsent_s.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Him_output: trace_has_message (field_selector output)
  im tr
Hsent_s: selected_message_exists_in_all_preloaded_traces
  Free (field_selector output) s im
→ has_been_sent Free s im
composite_has_been_sent IM s im apply Hsent_s.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Him_output: trace_has_message (field_selector output)
  im tr
Hsent_s: selected_message_exists_in_all_preloaded_traces
  Free (field_selector output) s im
→ has_been_sent Free s im
selected_message_exists_in_all_preloaded_traces Free
  (field_selector output) s im clear Hsent_s.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Him_output: trace_has_message (field_selector output)
  im tr
selected_message_exists_in_all_preloaded_traces Free
  (field_selector output) s im
      apply (has_been_sent_consistency Free _ Hpre_s im).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Him_output: trace_has_message (field_selector output)
  im tr
selected_message_exists_in_some_preloaded_traces Free
  (field_selector output) s im
      by exists si, tr, Hpre_tr.
    }message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Hequivocating_v: v ∈ equivocating_validators sf
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    specialize (equivocators_can_emit_free _ Hiom _ Hsender _ Hequivocating_v  _ _ Hv) as Hemit_im.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Hequivocating_v: v ∈ equivocating_validators sf
Hemit_im: can_emit
  (equivocators_composition_for_directly_observed
     IM
     (set_map A
        (equivocating_validators sf)) s) im
input_valid_transition
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) l
  (s, Some im) (sf, oom)
    repeat split; [done | | done | by right | done].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Hequivocating_v: v ∈ equivocating_validators sf
Hemit_im: can_emit
  (equivocators_composition_for_directly_observed
     IM
     (set_map A
        (equivocating_validators sf)) s) im
option_valid_message_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  (Some im)
    apply emitted_messages_are_valid.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Hequivocating_v: v ∈ equivocating_validators sf
Hemit_im: can_emit
  (equivocators_composition_for_directly_observed
     IM
     (set_map A
        (equivocating_validators sf)) s) im
can_emit
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) im
    specialize
      (EquivPreloadedBase_Fixed_weak_embedding IM _ _ Hs') as Hproj.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Hequivocating_v: v ∈ equivocating_validators sf
Hemit_im: can_emit
  (equivocators_composition_for_directly_observed
     IM
     (set_map A
        (equivocating_validators sf)) s) im
Hproj: (∀ (i : index) (m : message),
   i ∈ set_map A (equivocating_validators sf)
   → ¬ initial_message_prop m)
→ VLSM_weak_embedding
    (equivocators_composition_for_sent IM
       (set_map A (equivocating_validators sf))
       s)
    (fixed_equivocation_vlsm_composition IM
       (set_map A (equivocating_validators sf)))
    (lift_sub_label IM
       (elements
          (set_map A
             (equivocating_validators sf))))
    (lift_sub_state_to IM
       (elements
          (set_map A
             (equivocating_validators sf))) s)
can_emit
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) im
    spec Hproj; [by intros; apply no_initial_messages_in_IM |].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Hequivocating_v: v ∈ equivocating_validators sf
Hemit_im: can_emit
  (equivocators_composition_for_directly_observed
     IM
     (set_map A
        (equivocating_validators sf)) s) im
Hproj: VLSM_weak_embedding
  (equivocators_composition_for_sent IM
     (set_map A (equivocating_validators sf))
     s)
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  (lift_sub_label IM
     (elements
        (set_map A
           (equivocating_validators sf))))
  (lift_sub_state_to IM
     (elements
        (set_map A
           (equivocating_validators sf))) s)
can_emit
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) im
    apply (VLSM_weak_embedding_can_emit Hproj).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
si, s: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) si s tr
sf: state (free_composite_vlsm IM)
im: message
oom: option message
l: label (free_composite_vlsm IM)
Hs: valid_state_prop (free_composite_vlsm IM) s
Hiom: option_valid_message_prop
  (free_composite_vlsm IM) 
  (Some im)
Hv: valid l (s, Some im)
Ht: transition l (s, Some im) = (sf, oom)
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := Free;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm Free
  |} si s tr
Htr_sf: finite_valid_trace_from_to
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  si s tr
Hs': valid_state_prop
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf))) s
v: validator
Heqv: v ∈ Equivocation.equivocating_validators sf
↔ (∃ m : message,
     sender m = Some v
     ∧ equivocation_in_trace
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM)) m
         (tr ++
          [{|
             l := l;
             input := Some im;
             destination := sf;
             output := oom
           |}]))
Hsender: sender im = Some v
Hpre_s: constrained_state_prop Free s
n: ¬ composite_has_been_directly_observed IM s im
Hequivocating_v: v ∈ equivocating_validators sf
Hemit_im: can_emit
  (equivocators_composition_for_directly_observed
     IM
     (set_map A
        (equivocating_validators sf)) s) im
Hproj: VLSM_weak_embedding
  (equivocators_composition_for_sent IM
     (set_map A (equivocating_validators sf))
     s)
  (fixed_equivocation_vlsm_composition IM
     (set_map A (equivocating_validators sf)))
  (lift_sub_label IM
     (elements
        (set_map A
           (equivocating_validators sf))))
  (lift_sub_state_to IM
     (elements
        (set_map A
           (equivocating_validators sf))) s)
can_emit
  (equivocators_composition_for_sent IM
     (set_map A (equivocating_validators sf)) s) im
    by apply (VLSM_incl_can_emit (Equivocators_Fixed_Strong_incl IM _  _ Hs')).
Qed.

As a corollary of the above, every valid state for the free composition is also a valid state for the composition with the equivocating_validators_fixed_equivocation_constraint induced by it.

Lemma equivocating_validators_fixed_equivocation_characterization
  (Hke : WitnessedEquivocationCapability IM threshold A sender (Cv := Cv))
  : forall s,
    valid_state_prop Free s ->
    valid_state_prop
      (composite_vlsm IM (equivocating_validators_fixed_equivocation_constraint s)) s.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability IM threshold A
  sender
∀ s : state Free,
  valid_state_prop Free s
  → valid_state_prop
      (composite_vlsm IM
         (equivocating_validators_fixed_equivocation_constraint
            s)) s
Proof.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability IM threshold A
  sender
∀ s : state Free,
  valid_state_prop Free s
  → valid_state_prop
      (composite_vlsm IM
         (equivocating_validators_fixed_equivocation_constraint
            s)) s
  intros s Hs.message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability IM threshold A
  sender
s: state Free
Hs: valid_state_prop Free s
valid_state_prop
  (composite_vlsm IM
     (equivocating_validators_fixed_equivocation_constraint
        s)) s
  destruct
    (free_has_strong_trace_witnessing_equivocation_prop IM threshold A sender _ s Hs)
    as [is [tr [Htr Heqv]]].message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability IM threshold A
  sender
s: state Free
Hs: valid_state_prop Free s
is: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) is s tr
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender is tr
valid_state_prop
  (composite_vlsm IM
     (equivocating_validators_fixed_equivocation_constraint
        s)) s
  cut (finite_valid_trace_from_to (composite_vlsm IM
    (equivocating_validators_fixed_equivocation_constraint s)) is s tr).message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability IM threshold A
  sender
s: state Free
Hs: valid_state_prop Free s
is: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) is s tr
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender is tr
finite_valid_trace_from_to
  (composite_vlsm IM
     (equivocating_validators_fixed_equivocation_constraint
        s)) is s tr
→ valid_state_prop
    (composite_vlsm IM
       (equivocating_validators_fixed_equivocation_constraint
          s)) s
message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability IM threshold A
  sender
s: state Free
Hs: valid_state_prop Free s
is: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) is s tr
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender is tr
finite_valid_trace_from_to
  (composite_vlsm IM
     (equivocating_validators_fixed_equivocation_constraint
        s)) is s tr
  {message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability IM threshold A
  sender
s: state Free
Hs: valid_state_prop Free s
is: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) is s tr
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender is tr
finite_valid_trace_from_to
  (composite_vlsm IM
     (equivocating_validators_fixed_equivocation_constraint
        s)) is s tr
→ valid_state_prop
    (composite_vlsm IM
       (equivocating_validators_fixed_equivocation_constraint
          s)) s by intro Htr'; apply finite_valid_trace_from_to_last_pstate in Htr'. }message, index, Ci: Type
H: ElemOf index Ci
H0: Empty Ci
H1: Singleton index Ci
H2: Union Ci
H3: Intersection Ci
H4: Difference Ci
H5: Elements index Ci
EqDecision0: EqDecision index
H6: FinSet index Ci
H7: finite.Finite index
IM: index → VLSM message
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
threshold: R
validator: Type
EqDecision1: EqDecision validator
H10: finite.Finite validator
Cv: Type
Hm: Measurable.Measurable validator
H11: ElemOf validator Cv
H12: Empty Cv
H13: Singleton validator Cv
H14: Union Cv
H15: Intersection Cv
H16: Difference Cv
H17: Elements validator Cv
EqDecision2: EqDecision validator
H18: FinSet validator Cv
H19: ReachableThreshold validator Cv threshold
A: validator → index
sender: message → option validator
Free:= free_composite_vlsm IM: VLSM message
H20: RelDecision
  (is_equivocating_tracewise_no_has_been_sent IM
     A sender)
Htracewise_BasicEquivocation:= equivocation_dec_tracewise
  IM threshold A sender: BasicEquivocation
  (composite_state IM)
  validator Cv
  threshold
Cm: Type
H21: ElemOf message Cm
H22: Empty Cm
H23: Singleton message Cm
H24: Union Cm
H25: Intersection Cm
H26: Difference Cm
H27: Elements message Cm
EqDecision3: EqDecision message
H28: FinSet message Cm
message_dependencies: message → Cm
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H29: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
can_emit_signed: channel_authentication_prop IM A
  sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender can_emit_signed: sender_safety_alt_prop IM A sender
Free_has_sender:= free_composite_no_initial_valid_messages_have_sender
  IM A sender can_emit_signed
  no_initial_messages_in_IM: ∀ m : message,
  valid_message_prop
    (free_composite_vlsm IM) m
  → sender m ≠ None
equivocating_validators:= Equivocation.equivocating_validators: composite_state IM → Cv
Hke: WitnessedEquivocationCapability IM threshold A
  sender
s: state Free
Hs: valid_state_prop Free s
is: state (free_composite_vlsm IM)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (free_composite_vlsm IM) is s tr
Heqv: strong_trace_witnessing_equivocation_prop IM
  threshold A sender is tr
finite_valid_trace_from_to
  (composite_vlsm IM
     (equivocating_validators_fixed_equivocation_constraint
        s)) is s tr
  by apply strong_witness_has_fixed_equivocation.
Qed.

End sec_witnessed_equivocation_fixed_set.