From VLSM.Lib Require Import Itauto.[Loading ML file ring_plugin.cmxs (using legacy method) ... done]
[Loading ML file zify_plugin.cmxs (using legacy method) ... done]
[Loading ML file micromega_plugin.cmxs (using legacy method) ... done]
[Loading ML file btauto_plugin.cmxs (using legacy method) ... done]
[Loading ML file coq-itauto.plugin ... done]
From stdpp Require Import prelude.
From VLSM.Lib Require Import Preamble ListExtras FinSetExtras.
From VLSM.Core Require Import VLSM VLSMProjections Composition ProjectionTraces.
From VLSM.Core Require Import SubProjectionTraces Equivocation EquivocationProjections.

Core: VLSM Message Dependencies

An abstract framework for the full-node condition. Assumes that each message has an associated set of message_dependencies.

Given a message_dependencies function, we can define a (direct) message dependency relation msg_dep_rel as follows: message m1 is a (direct) dependency of message m2 if m1 belongs to the message_dependencies of m2.

The transitive closure of such a relation is a happens-before relation which we denote by msg_dep_happens_before.

Definition msg_dep_rel
  `{FinSet message Cm} `(message_dependencies : message -> Cm) : relation message :=
  fun m1 m2 => m1 ∈ message_dependencies m2.

Definition msg_dep_happens_before
  `{FinSet message Cm} `(message_dependencies : message -> Cm) : relation message :=
  tc (msg_dep_rel message_dependencies).

The (local) full node condition for a given message_dependencies function requires that a state (receiving the message) has previously directly observed all of m's dependencies.

Definition message_dependencies_full_node_condition
  `(X : VLSM message)
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  `{HasBeenSentCapability message X}
  `{HasBeenReceivedCapability message X}
  (s : state X)
  (m : message)
  : Prop :=
  forall dm, dm ∈ message_dependencies m -> has_been_directly_observed X s dm.

MessageDependencies characterize a message_dependencies function through two properties:

Necessity: All dependent messages for a message mm are required to be

directly observed by origin state of a transition emitting the message m.

Sufficiency: A message can be produced by the machine preloaded with its

dependencies.

Additionally, we require that the induced msg_dep_happens_before relation is irreflexive (i.e., a message cannot recursively observe itself).

MessageDependencies, together with message_dependencies_full_node_condition_prop, constitute the strict full node assumption.

Class MessageDependencies
  `(X : VLSM message)
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  `{!HasBeenSentCapability X}
  `{!HasBeenReceivedCapability X}
  `{!Irreflexive (msg_dep_happens_before message_dependencies)}
  : Prop :=
{
  message_dependencies_are_necessary (m : message)
    `(can_produce (preloaded_with_all_messages_vlsm X) s' m)
    : message_dependencies_full_node_condition X message_dependencies s' m;
  message_dependencies_are_sufficient (m : message)
    `(can_emit (preloaded_with_all_messages_vlsm X) m)
    : can_emit (preloaded_vlsm X (fun msg => msg ∈ message_dependencies m)) m
}.

(*
  Given the VLSM for which it's defined, the other arguments (message,
  message_dependencies function, [HasBeenSentCapability] and
  [HasBeenReceivedCapability]) can be inferred from that.
*)
#[global] Hint Mode MessageDependencies - ! - - - - - - - - - - - - - - : typeclass_instances.

Section sec_message_dependencies.

Context
  `(X : VLSM message)
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  `{!HasBeenSentCapability X}
  `{!HasBeenReceivedCapability X}
  `{!Irreflexive (msg_dep_happens_before message_dependencies)}
  `{!MessageDependencies X message_dependencies}
  .

A VLSM has the message_dependencies_full_node_condition_prop if the validity of receiving a message in a state implies the message_dependencies_full_node_condition for that state and message

Definition message_dependencies_full_node_condition_prop : Prop :=
  forall l s m,
  valid X l (s, Some m) ->
  message_dependencies_full_node_condition X message_dependencies s m.

Unrolling one the msg_dep_happens_before relation one step.

Lemma msg_dep_happens_before_iff_one x z
  : msg_dep_happens_before message_dependencies x z <->
    msg_dep_rel message_dependencies x z \/
    exists y, msg_dep_happens_before message_dependencies x y /\ msg_dep_rel message_dependencies y z.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
x, z: message
msg_dep_happens_before message_dependencies x z
↔ msg_dep_rel message_dependencies x z
  ∨ (∃ y : message,
       msg_dep_happens_before message_dependencies x y
       ∧ msg_dep_rel message_dependencies y z)
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
x, z: message
msg_dep_happens_before message_dependencies x z
↔ msg_dep_rel message_dependencies x z
  ∨ (∃ y : message,
       msg_dep_happens_before message_dependencies x y
       ∧ msg_dep_rel message_dependencies y z) by apply tc_r_iff. Qed.

If the msg_dep_relation reflects a predicate P, then msg_dep_happens_before will also reflect it.

Lemma msg_dep_happens_before_reflect
  (P : message -> Prop)
  (Hreflects : forall dm m, msg_dep_rel message_dependencies dm m -> P m -> P dm)
  : forall dm m, msg_dep_happens_before message_dependencies dm m -> P m -> P dm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
∀ dm m : message,
  msg_dep_happens_before message_dependencies dm m
  → P m → P dm
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
∀ dm m : message,
  msg_dep_happens_before message_dependencies dm m
  → P m → P dm by apply tc_reflect. Qed.

In the absence of initial messages, and if msg_dep_relation reflects the preloaded message property, then it also reflects the valid_message_property.

Lemma msg_dep_reflects_validity
  (no_initial_messages_in_X : forall m, ~ initial_message_prop X m)
  (P : message -> Prop)
  (Hreflects : forall dm m, msg_dep_rel message_dependencies dm m -> P m -> P dm)
  : forall dm m, msg_dep_rel message_dependencies dm m ->
    valid_message_prop (preloaded_vlsm X P) m ->
    valid_message_prop (preloaded_vlsm X P) dm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → valid_message_prop (preloaded_vlsm X P) m
    → valid_message_prop (preloaded_vlsm X P) dm
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → valid_message_prop (preloaded_vlsm X P) m
    → valid_message_prop (preloaded_vlsm X P) dm
  intros dm m Hdm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
valid_message_prop (preloaded_vlsm X P) m
→ valid_message_prop (preloaded_vlsm X P) dm
  rewrite emitted_messages_are_valid_iff, can_emit_iff.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
initial_message_prop m
∨ (∃ s : state (preloaded_vlsm X P),
     can_produce (preloaded_vlsm X P) s m)
→ valid_message_prop (preloaded_vlsm X P) dm
  intros [Hinit | [s Hproduce]].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hinit: initial_message_prop m
valid_message_prop (preloaded_vlsm X P) dm
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state (preloaded_vlsm X P)
Hproduce: can_produce (preloaded_vlsm X P) s m
valid_message_prop (preloaded_vlsm X P) dm
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hinit: initial_message_prop m
valid_message_prop (preloaded_vlsm X P) dm rewrite emitted_messages_are_valid_iff; left; right.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hinit: initial_message_prop m
P dm
    apply Hreflects with m; [done |].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hinit: initial_message_prop m
P m
    destruct Hinit as [Hinit | Hp]; [| done].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hinit: initial_message_prop m
P m
    by contradict Hinit; apply no_initial_messages_in_X.
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state (preloaded_vlsm X P)
Hproduce: can_produce (preloaded_vlsm X P) s m
valid_message_prop (preloaded_vlsm X P) dm apply (directly_observed_valid (preloaded_vlsm X P) s).message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state (preloaded_vlsm X P)
Hproduce: can_produce (preloaded_vlsm X P) s m
valid_state_prop (preloaded_vlsm X P) s
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state (preloaded_vlsm X P)
Hproduce: can_produce (preloaded_vlsm X P) s m
has_been_directly_observed (preloaded_vlsm X P) s dm
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state (preloaded_vlsm X P)
Hproduce: can_produce (preloaded_vlsm X P) s m
valid_state_prop (preloaded_vlsm X P) s by exists (Some m); apply can_produce_valid.
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state (preloaded_vlsm X P)
Hproduce: can_produce (preloaded_vlsm X P) s m
has_been_directly_observed (preloaded_vlsm X P) s dm destruct X as [T M].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
T: VLSMType message
M: VLSMMachine T
HasBeenSentCapability0: HasBeenSentCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
HasBeenReceivedCapability0: HasBeenReceivedCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies
  {|
    vlsm_type := T;
    vlsm_machine := M
  |} message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P)
Hproduce: can_produce
  (preloaded_vlsm
     {|
       vlsm_type := T; vlsm_machine := M
     |} P) s m
has_been_directly_observed
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P) s dm
      eapply VLSM_incl_has_been_directly_observed
        with HasBeenSentCapability0 HasBeenReceivedCapability0; cycle 2.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
T: VLSMType message
M: VLSMMachine T
HasBeenSentCapability0: HasBeenSentCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
HasBeenReceivedCapability0: HasBeenReceivedCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies
  {|
    vlsm_type := T;
    vlsm_machine := M
  |} message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P)
Hproduce: can_produce
  (preloaded_vlsm
     {|
       vlsm_type := T; vlsm_machine := M
     |} P) s m
has_been_directly_observed
  {| vlsm_type := T; vlsm_machine := M |} s dm
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
T: VLSMType message
M: VLSMMachine T
HasBeenSentCapability0: HasBeenSentCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
HasBeenReceivedCapability0: HasBeenReceivedCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies
  {|
    vlsm_type := T;
    vlsm_machine := M
  |} message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P)
Hproduce: can_produce
  (preloaded_vlsm
     {|
       vlsm_type := T; vlsm_machine := M
     |} P) s m
VLSM_incl
  (preloaded_with_all_messages_vlsm
     {| vlsm_type := T; vlsm_machine := M |})
  (preloaded_with_all_messages_vlsm
     {|
       vlsm_type := T;
       vlsm_machine :=
         preloaded_vlsm_machine
           {| vlsm_type := T; vlsm_machine := M |} P
     |})
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
T: VLSMType message
M: VLSMMachine T
HasBeenSentCapability0: HasBeenSentCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
HasBeenReceivedCapability0: HasBeenReceivedCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies
  {|
    vlsm_type := T;
    vlsm_machine := M
  |} message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P)
Hproduce: can_produce
  (preloaded_vlsm
     {|
       vlsm_type := T; vlsm_machine := M
     |} P) s m
constrained_state_prop
  {| vlsm_type := T; vlsm_machine := M |} s
      *message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
T: VLSMType message
M: VLSMMachine T
HasBeenSentCapability0: HasBeenSentCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
HasBeenReceivedCapability0: HasBeenReceivedCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies
  {|
    vlsm_type := T;
    vlsm_machine := M
  |} message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P)
Hproduce: can_produce
  (preloaded_vlsm
     {|
       vlsm_type := T; vlsm_machine := M
     |} P) s m
has_been_directly_observed
  {| vlsm_type := T; vlsm_machine := M |} s dm eapply @message_dependencies_are_necessary; [done | | done].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
T: VLSMType message
M: VLSMMachine T
HasBeenSentCapability0: HasBeenSentCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
HasBeenReceivedCapability0: HasBeenReceivedCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies
  {|
    vlsm_type := T;
    vlsm_machine := M
  |} message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P)
Hproduce: can_produce
  (preloaded_vlsm
     {|
       vlsm_type := T; vlsm_machine := M
     |} P) s m
can_produce
  (preloaded_with_all_messages_vlsm
     {| vlsm_type := T; vlsm_machine := M |}) s m
        by apply (VLSM_incl_can_produce
          (preloaded_vlsm_incl_preloaded_with_all_messages (mk_vlsm M) P)).
      *message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
T: VLSMType message
M: VLSMMachine T
HasBeenSentCapability0: HasBeenSentCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
HasBeenReceivedCapability0: HasBeenReceivedCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies
  {|
    vlsm_type := T;
    vlsm_machine := M
  |} message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P)
Hproduce: can_produce
  (preloaded_vlsm
     {|
       vlsm_type := T; vlsm_machine := M
     |} P) s m
VLSM_incl
  (preloaded_with_all_messages_vlsm
     {| vlsm_type := T; vlsm_machine := M |})
  (preloaded_with_all_messages_vlsm
     {|
       vlsm_type := T;
       vlsm_machine :=
         preloaded_vlsm_machine
           {| vlsm_type := T; vlsm_machine := M |} P
     |}) by apply basic_VLSM_incl_preloaded; cbv.
      *message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
T: VLSMType message
M: VLSMMachine T
HasBeenSentCapability0: HasBeenSentCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
HasBeenReceivedCapability0: HasBeenReceivedCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies
  {|
    vlsm_type := T;
    vlsm_machine := M
  |} message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P)
Hproduce: can_produce
  (preloaded_vlsm
     {|
       vlsm_type := T; vlsm_machine := M
     |} P) s m
constrained_state_prop
  {| vlsm_type := T; vlsm_machine := M |} s apply (VLSM_incl_valid_state
          (preloaded_vlsm_incl_preloaded_with_all_messages (mk_vlsm M) P)).message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
T: VLSMType message
M: VLSMMachine T
HasBeenSentCapability0: HasBeenSentCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
HasBeenReceivedCapability0: HasBeenReceivedCapability
  {|
    vlsm_type := T;
    vlsm_machine := M
  |}
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies
  {|
    vlsm_type := T;
    vlsm_machine := M
  |} message_dependencies
no_initial_messages_in_X: ∀ m : message,
  ¬ initial_message_prop m
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
s: state
  (preloaded_vlsm
     {| vlsm_type := T; vlsm_machine := M |} P)
Hproduce: can_produce
  (preloaded_vlsm
     {|
       vlsm_type := T; vlsm_machine := M
     |} P) s m
valid_state_prop
  {|
    vlsm_type :=
      preloaded_vlsm
        {| vlsm_type := T; vlsm_machine := M |} P;
    vlsm_machine :=
      preloaded_vlsm
        {| vlsm_type := T; vlsm_machine := M |} P
  |} s
        by eexists; eapply can_produce_valid.
Qed.

Under MessageDependencies assumptions, if a message has_been_sent in a state s, then any of its direct dependencies has_been_directly_observed.

Lemma msg_dep_has_been_sent
  s
  (Hs : constrained_state_prop X s)
  m
  (Hsent : has_been_sent X s m)
  : forall dm, msg_dep_rel message_dependencies dm m -> has_been_directly_observed X s dm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
m: message
Hsent: has_been_sent X s m
∀ dm : message,
  msg_dep_rel message_dependencies dm m
  → has_been_directly_observed X s dm
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
m: message
Hsent: has_been_sent X s m
∀ dm : message,
  msg_dep_rel message_dependencies dm m
  → has_been_directly_observed X s dm
  revert m Hsent; induction Hs using valid_state_prop_ind; intro m.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s: state (preloaded_with_all_messages_vlsm X)
Hs: initial_state_prop s
m: message
has_been_sent X s m
→ ∀ dm : message,
    msg_dep_rel message_dependencies dm m
    → has_been_directly_observed X s dm
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om, om': option message
s: state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', om')
IHHs: ∀ m : message,
  has_been_sent X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
m: message
has_been_sent X s' m
→ ∀ dm : message,
    msg_dep_rel message_dependencies dm m
    → has_been_directly_observed X s' dm
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s: state (preloaded_with_all_messages_vlsm X)
Hs: initial_state_prop s
m: message
has_been_sent X s m
→ ∀ dm : message,
    msg_dep_rel message_dependencies dm m
    → has_been_directly_observed X s dm intro Hbs; contradict Hbs.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s: state (preloaded_with_all_messages_vlsm X)
Hs: initial_state_prop s
m: message
¬ has_been_sent X s m
    by apply has_been_sent_no_inits.
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om, om': option message
s: state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', om')
IHHs: ∀ m : message,
  has_been_sent X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
m: message
has_been_sent X s' m
→ ∀ dm : message,
    msg_dep_rel message_dependencies dm m
    → has_been_directly_observed X s' dm rewrite has_been_sent_step_update by done; intros [-> | Hrcv] dm Hdm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om: option message
s: state (preloaded_with_all_messages_vlsm X)
m: message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', Some m)
IHHs: ∀ m : message,
  has_been_sent X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s' dm
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om, om': option message
s: state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', om')
IHHs: ∀ m : message,
  has_been_sent X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
m: message
Hrcv: has_been_sent X s m
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s' dm
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om: option message
s: state (preloaded_with_all_messages_vlsm X)
m: message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', Some m)
IHHs: ∀ m : message,
  has_been_sent X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s' dm by eapply message_dependencies_are_necessary; [eexists _, _ |].
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om, om': option message
s: state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', om')
IHHs: ∀ m : message,
  has_been_sent X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
m: message
Hrcv: has_been_sent X s m
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s' dm by eapply has_been_directly_observed_step_update; [done |]; right; eapply IHHs.
Qed.

Lemma constrained_transition_preserves_message_dependencies_full_node_condition
  `(input_constrained_transition X lX (s, im) (s', om)) :
  forall m, message_dependencies_full_node_condition X message_dependencies s m ->
    message_dependencies_full_node_condition X message_dependencies s' m.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
lX: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
input_constrained_transition0: input_constrained_transition
  X lX (s, im)
  (s', om)
∀ m : message,
  message_dependencies_full_node_condition X
    message_dependencies s m
  → message_dependencies_full_node_condition X
      message_dependencies s' m
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
lX: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
input_constrained_transition0: input_constrained_transition
  X lX (s, im)
  (s', om)
∀ m : message,
  message_dependencies_full_node_condition X
    message_dependencies s m
  → message_dependencies_full_node_condition X
      message_dependencies s' m
  intros m Hm dm Hdm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
lX: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
input_constrained_transition0: input_constrained_transition
  X lX (s, im)
  (s', om)
m: message
Hm: message_dependencies_full_node_condition X
  message_dependencies s m
dm: message
Hdm: dm ∈ message_dependencies m
has_been_directly_observed X s' dm
  eapply has_been_directly_observed_step_update; [done |].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
lX: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
input_constrained_transition0: input_constrained_transition
  X lX (s, im)
  (s', om)
m: message
Hm: message_dependencies_full_node_condition X
  message_dependencies s m
dm: message
Hdm: dm ∈ message_dependencies m
(im = Some dm ∨ om = Some dm)
∨ has_been_directly_observed X s dm
  by right; apply Hm.
Qed.

If the validity predicate has the message_dependencies_full_node_condition_property, then if a message has_been_received in a state s, any of its direct dependencies has_been_directly_observed.

Lemma full_node_has_been_received
  (Hfull : message_dependencies_full_node_condition_prop)
  s
  (Hs : constrained_state_prop X s)
  m
  (Hreceived : has_been_received X s m)
  : forall dm, msg_dep_rel message_dependencies dm m -> has_been_directly_observed X s dm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
m: message
Hreceived: has_been_received X s m
∀ dm : message,
  msg_dep_rel message_dependencies dm m
  → has_been_directly_observed X s dm
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
m: message
Hreceived: has_been_received X s m
∀ dm : message,
  msg_dep_rel message_dependencies dm m
  → has_been_directly_observed X s dm
  revert m Hreceived; induction Hs using valid_state_prop_ind; intro m.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: initial_state_prop s
m: message
has_been_received X s m
→ ∀ dm : message,
    msg_dep_rel message_dependencies dm m
    → has_been_directly_observed X s dm
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om, om': option message
s: state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', om')
IHHs: ∀ m : message,
  has_been_received X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
m: message
has_been_received X s' m
→ ∀ dm : message,
    msg_dep_rel message_dependencies dm m
    → has_been_directly_observed X s' dm
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: initial_state_prop s
m: message
has_been_received X s m
→ ∀ dm : message,
    msg_dep_rel message_dependencies dm m
    → has_been_directly_observed X s dm intro Hbr; contradict Hbr.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: initial_state_prop s
m: message
¬ has_been_received X s m
    by apply has_been_received_no_inits.
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om, om': option message
s: state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', om')
IHHs: ∀ m : message,
  has_been_received X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
m: message
has_been_received X s' m
→ ∀ dm : message,
    msg_dep_rel message_dependencies dm m
    → has_been_directly_observed X s' dm rewrite has_been_received_step_update by done; intros [-> | Hrcv] dm Hdm
    ; rewrite has_been_directly_observed_step_update by done; right.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om': option message
s: state (preloaded_with_all_messages_vlsm X)
m: message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (s, Some m) (s', om')
IHHs: ∀ m : message,
  has_been_received X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s dm
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om, om': option message
s: state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', om')
IHHs: ∀ m : message,
  has_been_received X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
m: message
Hrcv: has_been_received X s m
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s dm
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om': option message
s: state (preloaded_with_all_messages_vlsm X)
m: message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (s, Some m) (s', om')
IHHs: ∀ m : message,
  has_been_received X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s dm by eapply Hfull; [apply Ht |].
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s': state (preloaded_with_all_messages_vlsm X)
l: label (preloaded_with_all_messages_vlsm X)
om, om': option message
s: state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, om) (s', om')
IHHs: ∀ m : message,
  has_been_received X s m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → has_been_directly_observed X s dm
m: message
Hrcv: has_been_received X s m
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s dm by eapply IHHs.
Qed.

By combining Lemmas msg_dep_has_been_sent and full_node_has_been_received, the msg_dep_relation reflects the has_been_directly_observed predicate.

Lemma msg_dep_full_node_reflects_has_been_directly_observed
  (Hfull : message_dependencies_full_node_condition_prop)
  s
  (Hs : constrained_state_prop X s)
  : forall dm m, msg_dep_rel message_dependencies dm m ->
    has_been_directly_observed X s m -> has_been_directly_observed X s dm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → has_been_directly_observed X s m
    → has_been_directly_observed X s dm
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → has_been_directly_observed X s m
    → has_been_directly_observed X s dm
  intros dm m Hdm [Hsent | Hreceived].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hsent: has_been_sent X s m
has_been_directly_observed X s dm
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hreceived: has_been_received X s m
has_been_directly_observed X s dm
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hsent: has_been_sent X s m
has_been_directly_observed X s dm by eapply msg_dep_has_been_sent.
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hreceived: has_been_received X s m
has_been_directly_observed X s dm by eapply full_node_has_been_received.
Qed.

Under full-node assumptions, the msg_dep_happens_before relation reflects the has_been_directly_observed predicate.

Lemma msg_dep_full_node_happens_before_reflects_has_been_directly_observed
  (Hfull : message_dependencies_full_node_condition_prop)
  s
  (Hs : constrained_state_prop X s)
  : forall dm m, msg_dep_happens_before message_dependencies dm m ->
    has_been_directly_observed X s m -> has_been_directly_observed X s dm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
∀ dm m : message,
  msg_dep_happens_before message_dependencies dm m
  → has_been_directly_observed X s m
    → has_been_directly_observed X s dm
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
∀ dm m : message,
  msg_dep_happens_before message_dependencies dm m
  → has_been_directly_observed X s m
    → has_been_directly_observed X s dm
  intros dm m Hdm Hobs.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
dm, m: message
Hdm: msg_dep_happens_before message_dependencies dm m
Hobs: has_been_directly_observed X s m
has_been_directly_observed X s dm
  eapply msg_dep_happens_before_reflect; [| done ..].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
dm, m: message
Hdm: msg_dep_happens_before message_dependencies dm m
Hobs: has_been_directly_observed X s m
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → has_been_directly_observed X s m
    → has_been_directly_observed X s dm
  by apply msg_dep_full_node_reflects_has_been_directly_observed.
Qed.

Under full-node assumptions, it is valid to receive a message in a state then any of its happens-before dependencies has_been_directly_observed in that state.

Lemma msg_dep_full_node_input_valid_happens_before_has_been_directly_observed
  (Hfull : message_dependencies_full_node_condition_prop)
  l s m
  (Hvalid : input_constrained X l (s, Some m))
  : forall dm, msg_dep_happens_before message_dependencies dm m ->
    has_been_directly_observed X s dm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
∀ dm : message,
  msg_dep_happens_before message_dependencies dm m
  → has_been_directly_observed X s dm
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
∀ dm : message,
  msg_dep_happens_before message_dependencies dm m
  → has_been_directly_observed X s dm
  intro dm; rewrite msg_dep_happens_before_iff_one; intros [Hdm | (dm' & Hdm' & Hdm)].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s dm
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
dm, dm': message
Hdm': msg_dep_happens_before message_dependencies dm
  dm'
Hdm: msg_dep_rel message_dependencies dm' m
has_been_directly_observed X s dm
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
has_been_directly_observed X s dm by eapply Hfull; [apply Hvalid |].
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
dm, dm': message
Hdm': msg_dep_happens_before message_dependencies dm
  dm'
Hdm: msg_dep_rel message_dependencies dm' m
has_been_directly_observed X s dm eapply msg_dep_happens_before_reflect; [| done |].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
dm, dm': message
Hdm': msg_dep_happens_before message_dependencies dm
  dm'
Hdm: msg_dep_rel message_dependencies dm' m
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → has_been_directly_observed X s m
    → has_been_directly_observed X s dm
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
dm, dm': message
Hdm': msg_dep_happens_before message_dependencies dm
  dm'
Hdm: msg_dep_rel message_dependencies dm' m
has_been_directly_observed X s dm'
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
dm, dm': message
Hdm': msg_dep_happens_before message_dependencies dm
  dm'
Hdm: msg_dep_rel message_dependencies dm' m
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → has_been_directly_observed X s m
    → has_been_directly_observed X s dm by apply msg_dep_full_node_reflects_has_been_directly_observed; [apply Hfull | apply Hvalid].
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hvalid: input_constrained X l (s, Some m)
dm, dm': message
Hdm': msg_dep_happens_before message_dependencies dm
  dm'
Hdm: msg_dep_rel message_dependencies dm' m
has_been_directly_observed X s dm' by eapply Hfull; [apply Hvalid |].
Qed.

End sec_message_dependencies.

Equivocation Based on Message Dependencies

Inspired by the definitions of observability and local equivocation given for the ELMO protocol, we introduce abstract notions for local equivocation based on message dependencies.

Section sec_message_dependencies_equivocation.

Context
  {message : Type}
  (X : VLSM message)
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  `(sender : message -> option validator)
  `{!HasBeenSentCapability X}
  `{!HasBeenReceivedCapability X}
  `{!Irreflexive (msg_dep_happens_before message_dependencies)}
  .

A message can be (indirectly) observed in a state if it either has been directly observed in the state (as sent or received), or it happens before (in the sense of the msg_dep_happens_before relation) a directly observed message.

Inductive HasBeenObserved (s : state X) (m : message) : Prop :=
| hbo_directly :
    has_been_directly_observed X s m ->
    HasBeenObserved s m
| hbo_indirectly :
    forall m',
      has_been_directly_observed X s m' ->
      msg_dep_happens_before message_dependencies m m' ->
      HasBeenObserved s m.

Lemma transition_preserves_HasBeenObserved :
  forall l s im s' om, input_constrained_transition X l (s, im) (s', om) ->
  forall msg, HasBeenObserved s msg -> HasBeenObserved s' msg.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      HasBeenObserved s msg → HasBeenObserved s' msg
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      HasBeenObserved s msg → HasBeenObserved s' msg
  intros * Ht msg Hbefore; inversion Hbefore as [Hobs | m Hobs Hdep].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
Hbefore: HasBeenObserved s msg
Hobs: has_been_directly_observed X s msg
HasBeenObserved s' msg
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
Hbefore: HasBeenObserved s msg
m: message
Hobs: has_been_directly_observed X s m
Hdep: msg_dep_happens_before message_dependencies msg
  m
HasBeenObserved s' msg
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
Hbefore: HasBeenObserved s msg
Hobs: has_been_directly_observed X s msg
HasBeenObserved s' msg by constructor; eapply has_been_directly_observed_step_update; [| right].
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
Hbefore: HasBeenObserved s msg
m: message
Hobs: has_been_directly_observed X s m
Hdep: msg_dep_happens_before message_dependencies msg
  m
HasBeenObserved s' msg by econstructor 2; [| done]; eapply has_been_directly_observed_step_update; [| right].
Qed.

Lemma HasBeenObserved_step_update :
  forall l s im s' om, input_constrained_transition X l (s, im) (s', om) ->
  forall msg,
    HasBeenObserved s' msg
      <->
    HasBeenObserved s msg \/
    (exists m, (im = Some m \/ om = Some m) /\
      (msg = m \/ msg_dep_happens_before message_dependencies msg m)).message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      HasBeenObserved s' msg
      ↔ HasBeenObserved s msg
        ∨ (∃ m : message,
             (im = Some m ∨ om = Some m)
             ∧ (msg = m
                ∨ msg_dep_happens_before
                    message_dependencies msg m))
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      HasBeenObserved s' msg
      ↔ HasBeenObserved s msg
        ∨ (∃ m : message,
             (im = Some m ∨ om = Some m)
             ∧ (msg = m
                ∨ msg_dep_happens_before
                    message_dependencies msg m))
  intros * Ht msg; split.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
HasBeenObserved s' msg
→ HasBeenObserved s msg
  ∨ (∃ m : message,
       (im = Some m ∨ om = Some m)
       ∧ (msg = m
          ∨ msg_dep_happens_before
              message_dependencies msg m))
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) → HasBeenObserved s' msg
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
HasBeenObserved s' msg
→ HasBeenObserved s msg
  ∨ (∃ m : message,
       (im = Some m ∨ om = Some m)
       ∧ (msg = m
          ∨ msg_dep_happens_before
              message_dependencies msg m)) inversion 1 as [Hobs' | m' Hobs' Hdep];
      (eapply has_been_directly_observed_step_update in Hobs'; [| done]);
      destruct Hobs' as [Hnow | Hbefore].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
H7: HasBeenObserved s' msg
Hnow: im = Some msg ∨ om = Some msg
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m))
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
H7: HasBeenObserved s' msg
Hbefore: has_been_directly_observed X s msg
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m))
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
H7: HasBeenObserved s' msg
m': message
Hdep: msg_dep_happens_before message_dependencies msg
  m'
Hnow: im = Some m' ∨ om = Some m'
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m))
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
H7: HasBeenObserved s' msg
m': message
Hdep: msg_dep_happens_before message_dependencies msg
  m'
Hbefore: has_been_directly_observed X s m'
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m))
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
H7: HasBeenObserved s' msg
Hnow: im = Some msg ∨ om = Some msg
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) by right; exists msg; split; [| left].
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
H7: HasBeenObserved s' msg
Hbefore: has_been_directly_observed X s msg
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) by left; constructor.
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
H7: HasBeenObserved s' msg
m': message
Hdep: msg_dep_happens_before message_dependencies msg
  m'
Hnow: im = Some m' ∨ om = Some m'
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) by right; exists m'; split; [| right].
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
H7: HasBeenObserved s' msg
m': message
Hdep: msg_dep_happens_before message_dependencies msg
  m'
Hbefore: has_been_directly_observed X s m'
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) by left; econstructor 2.
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
HasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) → HasBeenObserved s' msg intros [Hbefore | (m & Hnow & [<- | Hdep])].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
Hbefore: HasBeenObserved s msg
HasBeenObserved s' msg
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
Hnow: im = Some msg ∨ om = Some msg
HasBeenObserved s' msg
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg, m: message
Hnow: im = Some m ∨ om = Some m
Hdep: msg_dep_happens_before message_dependencies msg
  m
HasBeenObserved s' msg
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
Hbefore: HasBeenObserved s msg
HasBeenObserved s' msg by eapply transition_preserves_HasBeenObserved.
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg: message
Hnow: im = Some msg ∨ om = Some msg
HasBeenObserved s' msg by constructor; eapply has_been_directly_observed_step_update; [| left].
    +message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
Ht: input_constrained_transition X l (s, im) (s', om)
msg, m: message
Hnow: im = Some m ∨ om = Some m
Hdep: msg_dep_happens_before message_dependencies msg
  m
HasBeenObserved s' msg by econstructor 2; [| done]; eapply has_been_directly_observed_step_update; [| left].
Qed.

Message m1 is in relation ObservedBeforeSendTransition with message m2 if it HasBeenObserved in a state from which m2 can be emitted in the next step.

Note that we use HasBeenObserved instead of has_been_directly_observed, which extends direct observability in a state (sent or received on a trace leading to that state) with the transitive closure of the msg_dep_rel (to include any message depending on a directly observed one).

Inductive ObservedBeforeStateOrMessage
  : message -> state X -> option message -> Prop :=
| observed_before_state (m : message) (s : state X) (_oim : option message) :
    HasBeenObserved s m ->
    ObservedBeforeStateOrMessage m s _oim
| observed_is_message (m : message) (_s : state X) :
    ObservedBeforeStateOrMessage m _s (Some m)
| observed_before_message (m : message) (_s : state X) (im : message) :
    msg_dep_happens_before message_dependencies m im ->
    ObservedBeforeStateOrMessage m _s (Some im).

Record ObservedBeforeSendTransition
  (s : state X) (item : transition_item X) (m1 m2 : message) : Prop :=
{
  dobst_transition : input_constrained_transition_item X s item;
  dobst_output_m2 : output item = Some m2;
  dobst_observed_m1 : ObservedBeforeStateOrMessage m1 s (input item);
}.

Definition observed_before_send (m1 m2 : message) : Prop :=
  exists s item, ObservedBeforeSendTransition s item m1 m2.

Lemma observed_before_send_subsumes_msg_dep_rel
  `{!MessageDependencies X message_dependencies} :
  forall m, can_emit (preloaded_with_all_messages_vlsm X) m ->
  forall dm, msg_dep_rel message_dependencies dm m ->
    observed_before_send dm m.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
∀ m : message,
  can_emit (preloaded_with_all_messages_vlsm X) m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → observed_before_send dm m
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
∀ m : message,
  can_emit (preloaded_with_all_messages_vlsm X) m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → observed_before_send dm m
  intros m ([s im] & l & s' & Ht) dm Hdm.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
observed_before_send dm m
  exists s, {| l := l; input := im; destination := s'; output := Some m |}.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
ObservedBeforeSendTransition s
  {|
    l := l;
    input := im;
    destination := s';
    output := Some m
  |} dm m
  constructor; [done.. |].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
ObservedBeforeStateOrMessage dm s
  (input
     {|
       l := l;
       input := im;
       destination := s';
       output := Some m
     |})
  eapply @message_dependencies_are_necessary in Hdm as Hobs; [| done | by eexists _, _].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
Hobs: has_been_directly_observed X s' dm
ObservedBeforeStateOrMessage dm s
  (input
     {|
       l := l;
       input := im;
       destination := s';
       output := Some m
     |})
  eapply has_been_directly_observed_step_update in Hobs as [[| Hout] |]; [.. | done]; cycle 2.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
H7: has_been_directly_observed X s dm
ObservedBeforeStateOrMessage dm s
  (input
     {|
       l := l;
       input := im;
       destination := s';
       output := Some m
     |})
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
H7: im = Some dm
ObservedBeforeStateOrMessage dm s
  (input
     {|
       l := l;
       input := im;
       destination := s';
       output := Some m
     |})
message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
Hout: Some m = Some dm
ObservedBeforeStateOrMessage dm s
  (input
     {|
       l := l;
       input := im;
       destination := s';
       output := Some m
     |})
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
H7: has_been_directly_observed X s dm
ObservedBeforeStateOrMessage dm s
  (input
     {|
       l := l;
       input := im;
       destination := s';
       output := Some m
     |}) by do 2 constructor.
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
H7: im = Some dm
ObservedBeforeStateOrMessage dm s
  (input
     {|
       l := l;
       input := im;
       destination := s';
       output := Some m
     |}) by subst; cbn; constructor.
  -message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
m: message
s: state (preloaded_with_all_messages_vlsm X)
im: option message
l: label (preloaded_with_all_messages_vlsm X)
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l (
  s, im) (s', Some m)
dm: message
Hdm: msg_dep_rel message_dependencies dm m
Hout: Some m = Some dm
ObservedBeforeStateOrMessage dm s
  (input
     {|
       l := l;
       input := im;
       destination := s';
       output := Some m
     |}) by contradict Hdm; inversion Hout; apply tc_reflect_irreflexive.
Qed.

A pair of messages constitutes a (local) evidence of equivocation for a validator v in a state s if both messages have v as a sender, have been (indirectly) observed in s (see HasBeenObserved), and are not comparable according to the msg_dep_happens_before relation.

Record MsgDepLocalEquivocationEvidence
  (s : state X) (v : validator) (m1 m2 : message) : Prop :=
{
  mdlee_sender1 : sender m1 = Some v;
  mdlee_sender2 : sender m2 = Some v;
  mdlee_observed1 : HasBeenObserved s m1;
  mdlee_observed2 : HasBeenObserved s m2;
  mdlee_incomparable : ~ comparable (msg_dep_happens_before message_dependencies) m1 m2;
}.

Definition msg_dep_is_locally_equivocating (s : state X) (v : validator) : Prop :=
  exists m1 m2, MsgDepLocalEquivocationEvidence s v m1 m2.

Under the full-node assumptions, we can give a simpler alternative to MsgDepLocalEquivocationEvidence which only requires that each message has_been_directly_observed directly in the state. This relies on Lemma msg_dep_full_node_happens_before_reflects_has_been_directly_observed.

Record FullNodeLocalEquivocationEvidence
  (s : state X) (v : validator) (m1 m2 : message) : Prop :=
{
  fnlee_sender1 : sender m1 = Some v;
  fnlee_sender2 : sender m2 = Some v;
  fnlee_observed1 : has_been_directly_observed X s m1;
  fnlee_observed2 : has_been_directly_observed X s m2;
  fnlee_incomparable : ~ comparable (msg_dep_happens_before message_dependencies) m1 m2;
}.

Definition full_node_is_locally_equivocating (s : state X) (v : validator) : Prop :=
  exists m1 m2, FullNodeLocalEquivocationEvidence s v m1 m2.

If the states and messages are more tightly coupled (e.g., there is a unique state from which a given message can be emitted), then the sent messages of a state would be totally ordered by msg_dep_rel.

Definition has_been_sent_msg_dep_comparable_prop : Prop :=
  forall (s : state X), constrained_state_prop X s ->
  forall (m1 m2 : message),
    has_been_sent X s m1 ->
    has_been_sent X s m2 ->
    comparable (msg_dep_rel message_dependencies) m1 m2.

We present yet another definition for local evidence of equivocation assuming both full-node and has_been_sent_msg_dep_comparable_prop.

Record FullNodeSentLocalEquivocationEvidence
  (s : state X) (v : validator) (m1 m2 : message) : Prop :=
{
  fnslee_sender1 : sender m1 = Some v;
  fnslee_sender2 : sender m2 = Some v;
  fnslee_observed1 : has_been_directly_observed X s m1;
  fnslee_observed2 : has_been_directly_observed X s m2;
  fnslee_incomparable : ~ comparable (msg_dep_rel message_dependencies) m1 m2;
}.

Definition full_node_is_sent_locally_equivocating
  (s : state X) (v : validator) : Prop :=
  exists m1 m2, FullNodeSentLocalEquivocationEvidence s v m1 m2.

Lemma full_node_is_sent_locally_equivocating_weaker s v :
  full_node_is_locally_equivocating s v ->
  full_node_is_sent_locally_equivocating s v.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
s: state X
v: validator
full_node_is_locally_equivocating s v
→ full_node_is_sent_locally_equivocating s v
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
s: state X
v: validator
full_node_is_locally_equivocating s v
→ full_node_is_sent_locally_equivocating s v
  intros (m1 & m2 & [Hsender1 Hsender2 Hobs1 Hobs2 Hncomp]).message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
s: state X
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed X s m1
Hobs2: has_been_directly_observed X s m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
full_node_is_sent_locally_equivocating s v
  exists m1, m2; constructor; [done.. |].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
s: state X
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed X s m1
Hobs2: has_been_directly_observed X s m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
¬ comparable (msg_dep_rel message_dependencies) m1 m2
  by contradict Hncomp; apply tc_comparable.
Qed.

Lemma full_node_is_locally_equivocating_stronger s v :
  full_node_is_locally_equivocating s v ->
  msg_dep_is_locally_equivocating s v.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
s: state X
v: validator
full_node_is_locally_equivocating s v
→ msg_dep_is_locally_equivocating s v
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
s: state X
v: validator
full_node_is_locally_equivocating s v
→ msg_dep_is_locally_equivocating s v
  intros (m1 & m2 & []).message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
s: state X
v: validator
m1, m2: message
fnlee_sender3: sender m1 = Some v
fnlee_sender4: sender m2 = Some v
fnlee_observed3: has_been_directly_observed X s m1
fnlee_observed4: has_been_directly_observed X s m2
fnlee_incomparable0: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1
    m2
msg_dep_is_locally_equivocating s v
  by exists m1, m2; constructor; [| | constructor | constructor |].
Qed.

Under MessageDependencies and full-node assumptions, any message which HasBeenObserved in a state, has_been_directly_observed in that state, too.

Lemma full_node_HasBeenObserved_is_directly_observed
  `{!MessageDependencies X message_dependencies}
  (Hfull : message_dependencies_full_node_condition_prop X message_dependencies)
  : forall s, constrained_state_prop X s ->
    forall m, HasBeenObserved s m <-> has_been_directly_observed X s m.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
  X message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm X),
  constrained_state_prop X s
  → ∀ m : message,
      HasBeenObserved s m
      ↔ has_been_directly_observed X s m
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
  X message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm X),
  constrained_state_prop X s
  → ∀ m : message,
      HasBeenObserved s m
      ↔ has_been_directly_observed X s m
  intros s Hs m; split; [| by intros; constructor].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
  X message_dependencies
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
m: message
HasBeenObserved s m → has_been_directly_observed X s m
  intros [Hobs | m' Hobs Hhb]; [done |].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
  X message_dependencies
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
m, m': message
Hobs: has_been_directly_observed X s m'
Hhb: msg_dep_happens_before message_dependencies m m'
has_been_directly_observed X s m
  by eapply msg_dep_full_node_happens_before_reflects_has_been_directly_observed.
Qed.

Assuming MessageDependencies and full-node, the two notions of local equivocation defined above are equivalent.

Lemma full_node_is_locally_equivocating_iff
  `{!MessageDependencies X message_dependencies}
  (Hfull : message_dependencies_full_node_condition_prop X message_dependencies)
  : forall s, constrained_state_prop X s ->
    forall v,
      msg_dep_is_locally_equivocating s v
        <->
      full_node_is_locally_equivocating s v.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
  X message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm X),
  constrained_state_prop X s
  → ∀ v : validator,
      msg_dep_is_locally_equivocating s v
      ↔ full_node_is_locally_equivocating s v
Proof.message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
  X message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm X),
  constrained_state_prop X s
  → ∀ v : validator,
      msg_dep_is_locally_equivocating s v
      ↔ full_node_is_locally_equivocating s v
  intros s Hs v; split; [| apply full_node_is_locally_equivocating_stronger].message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
  X message_dependencies
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
v: validator
msg_dep_is_locally_equivocating s v
→ full_node_is_locally_equivocating s v
  intros (m1 & m2 & [Hsender1 Hsender2 Hobs1 Hobs2 Hncomp]).message: Type
X: VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
HasBeenSentCapability0: HasBeenSentCapability X
HasBeenReceivedCapability0: HasBeenReceivedCapability
  X
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
MessageDependencies0: MessageDependencies X
  message_dependencies
Hfull: message_dependencies_full_node_condition_prop
  X message_dependencies
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: HasBeenObserved s m1
Hobs2: HasBeenObserved s m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
full_node_is_locally_equivocating s v
  by exists m1, m2; split; rewrite <- ?full_node_HasBeenObserved_is_directly_observed.
Qed.

End sec_message_dependencies_equivocation.

Section sec_composite_message_dependencies.

Context
  {message : Type}
  `(IM : index -> VLSM message)
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  `{finite.Finite index}
  `{forall i, HasBeenSentCapability (IM i)}
  `{forall i, HasBeenReceivedCapability (IM i)}
  `{!Irreflexive (msg_dep_happens_before message_dependencies)}
  `{forall i, MessageDependencies (IM i) message_dependencies}
  .

If all of the components satisfy the MessageDependencies assumptions, then their free composition will also do so.

#[export] Instance composite_message_dependencies
  : MessageDependencies (free_composite_vlsm IM) message_dependencies.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
MessageDependencies (free_composite_vlsm IM)
  message_dependencies
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
MessageDependencies (free_composite_vlsm IM)
  message_dependencies
  split.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ (m : message) (s' : state
                        (preloaded_with_all_messages_vlsm
                           (free_composite_vlsm IM))),
  can_produce
    (preloaded_with_all_messages_vlsm
       (free_composite_vlsm IM)) s' m
  → message_dependencies_full_node_condition
      (free_composite_vlsm IM) message_dependencies s'
      m
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ m : message,
  can_emit
    (preloaded_with_all_messages_vlsm
       (free_composite_vlsm IM)) m
  → can_emit
      (preloaded_vlsm (free_composite_vlsm IM)
         (λ msg : message,
            msg ∈ message_dependencies m)) m
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ (m : message) (s' : state
                        (preloaded_with_all_messages_vlsm
                           (free_composite_vlsm IM))),
  can_produce
    (preloaded_with_all_messages_vlsm
       (free_composite_vlsm IM)) s' m
  → message_dependencies_full_node_condition
      (free_composite_vlsm IM) message_dependencies s'
      m intros m s' ((s, iom) & [i li] & Ht) dm Hdm.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
s', s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
iom: option message
i: index
li: label (IM i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM)) 
  (existT i li) (s, iom) (
  s', Some m)
dm: message
Hdm: dm ∈ message_dependencies m
has_been_directly_observed (free_composite_vlsm IM) s'
  dm
    apply composite_has_been_directly_observed_free_iff.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
s', s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
iom: option message
i: index
li: label (IM i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM)) 
  (existT i li) (s, iom) (
  s', Some m)
dm: message
Hdm: dm ∈ message_dependencies m
composite_has_been_directly_observed IM s' dm
    apply input_valid_transition_preloaded_project_active_free in Ht; cbn in Ht.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
s', s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
iom: option message
i: index
li: label (IM i)
Ht: input_constrained_transition 
  (IM i) li (s i, iom) (
  s' i, Some m)
dm: message
Hdm: dm ∈ message_dependencies m
composite_has_been_directly_observed IM s' dm
    eapply composite_has_been_directly_observed_from_component.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
s', s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
iom: option message
i: index
li: label (IM i)
Ht: input_constrained_transition 
  (IM i) li (s i, iom) (
  s' i, Some m)
dm: message
Hdm: dm ∈ message_dependencies m
has_been_directly_observed (IM ?i) (s' ?i) dm
    by eapply message_dependencies_are_necessary; [eexists _, _; cbn |].
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ m : message,
  can_emit
    (preloaded_with_all_messages_vlsm
       (free_composite_vlsm IM)) m
  → can_emit
      (preloaded_vlsm (free_composite_vlsm IM)
         (λ msg : message,
            msg ∈ message_dependencies m)) m intros m Hemit.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
Hemit: can_emit
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM)) m
can_emit
  (preloaded_vlsm (free_composite_vlsm IM)
     (λ msg : message, msg ∈ message_dependencies m))
  m
    apply can_emit_free_composite_project in Hemit as [j Hemitj].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
j: index
Hemitj: can_emit
  (preloaded_with_all_messages_vlsm (IM j)) m
can_emit
  (preloaded_vlsm (free_composite_vlsm IM)
     (λ msg : message, msg ∈ message_dependencies m))
  m
    eapply message_dependencies_are_sufficient in Hemitj.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
j: index
Hemitj: can_emit
  (preloaded_vlsm (IM j)
     (λ msg : message,
        msg ∈ message_dependencies m)) m
can_emit
  (preloaded_vlsm (free_composite_vlsm IM)
     (λ msg : message, msg ∈ message_dependencies m))
  m
    eapply VLSM_embedding_can_emit; [| done].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
j: index
Hemitj: can_emit
  (preloaded_vlsm (IM j)
     (λ msg : message,
        msg ∈ message_dependencies m)) m
VLSM_embedding
  (preloaded_vlsm (IM j)
     (λ msg : message, msg ∈ message_dependencies m))
  (preloaded_vlsm (free_composite_vlsm IM)
     (λ msg : message, msg ∈ message_dependencies m))
  ?label_project ?state_project
    by apply lift_to_composite_generalized_preloaded_VLSM_embedding.
Qed.

Lemma msg_dep_reflects_free_validity
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop IM)
  (X := free_composite_vlsm IM)
  : forall dm m, msg_dep_rel message_dependencies dm m ->
    valid_message_prop X m -> valid_message_prop X dm.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → valid_message_prop X m → valid_message_prop X dm
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → valid_message_prop X m → valid_message_prop X dm
  intros dm m Hdm.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
valid_message_prop X m → valid_message_prop X dm
  rewrite !emitted_messages_are_valid_iff.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
initial_message_prop m ∨ can_emit X m
→ initial_message_prop dm ∨ can_emit X dm
  intros [[i [[im Him] _]] | Hemit]
  ; [by contradict Him; apply no_initial_messages_in_IM |].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
initial_message_prop dm ∨ can_emit X dm
  right.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
can_emit X dm
  pose proof (vlsm_is_preloaded_with_False X) as XeqXFalse.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
can_emit X dm
  apply (VLSM_eq_can_emit XeqXFalse).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
can_emit
  {|
    vlsm_type := X;
    vlsm_machine :=
      preloaded_vlsm X (λ _ : message, False)
  |} dm
  cut (valid_message_prop (preloaded_vlsm X (fun _ => False)) dm).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
valid_message_prop
  (preloaded_vlsm X (λ _ : message, False)) dm
→ can_emit
    {|
      vlsm_type := X;
      vlsm_machine :=
        preloaded_vlsm X (λ _ : message, False)
    |} dm
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
valid_message_prop
  (preloaded_vlsm X (λ _ : message, False)) dm
  {message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
valid_message_prop
  (preloaded_vlsm X (λ _ : message, False)) dm
→ can_emit
    {|
      vlsm_type := X;
      vlsm_machine :=
        preloaded_vlsm X (λ _ : message, False)
    |} dm
    clear -no_initial_messages_in_IM.message, index: Type
IM: index → VLSM message
EqDecision1: EqDecision index
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm: message
valid_message_prop
  (preloaded_vlsm X (λ _ : message, False)) dm
→ can_emit
    {|
      vlsm_type := X;
      vlsm_machine :=
        preloaded_vlsm X (λ _ : message, False)
    |} dm
    rewrite emitted_messages_are_valid_iff.message, index: Type
IM: index → VLSM message
EqDecision1: EqDecision index
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm: message
initial_message_prop dm
∨ can_emit (preloaded_vlsm X (λ _ : message, False))
    dm
→ can_emit
    {|
      vlsm_type := X;
      vlsm_machine :=
        preloaded_vlsm X (λ _ : message, False)
    |} dm
    intros [[[i [[im Him] _]] | Hpreloaded] | Hemit]; try itauto.message, index: Type
IM: index → VLSM message
EqDecision1: EqDecision index
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm: message
i: index
im: message
Him: initial_message_prop im
can_emit
  {|
    vlsm_type := X;
    vlsm_machine :=
      preloaded_vlsm X (λ _ : message, False)
  |} dm
    by contradict Him; apply no_initial_messages_in_IM.
  }message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
valid_message_prop
  (preloaded_vlsm X (λ _ : message, False)) dm
  eapply msg_dep_reflects_validity.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
MessageDependencies X message_dependencies
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
∀ m : message, ¬ initial_message_prop m
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → False → False
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
msg_dep_rel message_dependencies dm ?m
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
valid_message_prop
  (preloaded_vlsm X (λ _ : message, False)) 
  ?m
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
MessageDependencies X message_dependencies by apply composite_message_dependencies.
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
∀ m : message, ¬ initial_message_prop m intros _ [i [[im Him] _]].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
i: index
im: message
Him: initial_message_prop im
False
    by contradict Him; apply no_initial_messages_in_IM.
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → False → False by itauto.
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
msg_dep_rel message_dependencies dm ?m done.
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
valid_message_prop
  (preloaded_vlsm X (λ _ : message, False)) m apply emitted_messages_are_valid_iff.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
dm, m: message
Hdm: msg_dep_rel message_dependencies dm m
Hemit: can_emit X m
XeqXFalse: VLSM_eq X
  (preloaded_vlsm X (λ _ : message, False))
initial_message_prop m
∨ can_emit (preloaded_vlsm X (λ _ : message, False)) m
    by apply (VLSM_eq_can_emit XeqXFalse) in Hemit; auto.
Qed.

Lemma msg_dep_reflects_happens_before_free_validity
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop IM)
  (X := free_composite_vlsm IM)
  : forall dm m, msg_dep_happens_before message_dependencies dm m ->
    valid_message_prop X m -> valid_message_prop X dm.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
∀ dm m : message,
  msg_dep_happens_before message_dependencies dm m
  → valid_message_prop X m → valid_message_prop X dm
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
∀ dm m : message,
  msg_dep_happens_before message_dependencies dm m
  → valid_message_prop X m → valid_message_prop X dm
  by apply msg_dep_happens_before_reflect, msg_dep_reflects_free_validity.
Qed.

Lemma msg_dep_happens_before_composite_no_initial_valid_messages_emitted_by_sender
  {validator : Type}
  (sender : message -> option validator)
  (A : validator -> index)
  (Hchannel : channel_authentication_prop  IM A sender)
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop IM)
  (X := free_composite_vlsm IM)
  : forall m, valid_message_prop X m ->
    forall dm, msg_dep_happens_before message_dependencies dm m ->
    exists v, sender dm = Some v /\
      can_emit (preloaded_with_all_messages_vlsm (IM (A v))) dm.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
validator: Type
sender: message → option validator
A: validator → index
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
∀ m : message,
  valid_message_prop X m
  → ∀ dm : message,
      msg_dep_happens_before message_dependencies dm m
      → ∃ v : validator,
          sender dm = Some v
          ∧ can_emit
              (preloaded_with_all_messages_vlsm
                 (IM (A v))) dm
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
validator: Type
sender: message → option validator
A: validator → index
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
∀ m : message,
  valid_message_prop X m
  → ∀ dm : message,
      msg_dep_happens_before message_dependencies dm m
      → ∃ v : validator,
          sender dm = Some v
          ∧ can_emit
              (preloaded_with_all_messages_vlsm
                 (IM (A v))) dm
  intros m Hm dm Hdm.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
validator: Type
sender: message → option validator
A: validator → index
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
m: message
Hm: valid_message_prop X m
dm: message
Hdm: msg_dep_happens_before message_dependencies dm m
∃ v : validator,
  sender dm = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) dm
  cut (valid_message_prop X dm).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
validator: Type
sender: message → option validator
A: validator → index
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
m: message
Hm: valid_message_prop X m
dm: message
Hdm: msg_dep_happens_before message_dependencies dm m
valid_message_prop X dm
→ ∃ v : validator,
    sender dm = Some v
    ∧ can_emit
        (preloaded_with_all_messages_vlsm (IM (A v)))
        dm
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
validator: Type
sender: message → option validator
A: validator → index
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
m: message
Hm: valid_message_prop X m
dm: message
Hdm: msg_dep_happens_before message_dependencies dm m
valid_message_prop X dm
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
validator: Type
sender: message → option validator
A: validator → index
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
m: message
Hm: valid_message_prop X m
dm: message
Hdm: msg_dep_happens_before message_dependencies dm m
valid_message_prop X dm
→ ∃ v : validator,
    sender dm = Some v
    ∧ can_emit
        (preloaded_with_all_messages_vlsm (IM (A v)))
        dm by apply free_composite_no_initial_valid_messages_emitted_by_sender.
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
validator: Type
sender: message → option validator
A: validator → index
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
X:= free_composite_vlsm IM: VLSM message
m: message
Hm: valid_message_prop X m
dm: message
Hdm: msg_dep_happens_before message_dependencies dm m
valid_message_prop X dm by eapply msg_dep_reflects_happens_before_free_validity.
Qed.

End sec_composite_message_dependencies.

Global Equivocation Based on Message Dependencies

Inspired by the definitions of observability and global equivocation given for the ELMO protocol, we introduce abstract notions for global equivocation based on message dependencies.

Section sec_composite_message_dependencies_equivocation.

Context
  {message : Type}
  `(IM : index -> VLSM message)
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  `(sender : message -> option validator)
  `{finite.Finite index}
  `{forall i, HasBeenSentCapability (IM i)}
  `{forall i, HasBeenReceivedCapability (IM i)}
  `{!Irreflexive (msg_dep_happens_before message_dependencies)}
  (Free := free_composite_vlsm IM)
  .

A message can be (indirectly) observed in a composite state if it either has been directly observed in the state (as sent or received), or it msg_dep_happens_before a directly observed message.

Inductive CompositeHasBeenObserved
  (s : composite_state IM) (m : message) : Prop :=
| chbo_directly :
    composite_has_been_directly_observed IM s m ->
    CompositeHasBeenObserved s m
| chbo_indirectly :
    forall m',
      composite_has_been_directly_observed IM s m' ->
      msg_dep_happens_before message_dependencies m m' ->
      CompositeHasBeenObserved s m.

Lemma composite_HasBeenObserved_lift : forall s m i,
  HasBeenObserved (IM i) message_dependencies (s i) m ->
  CompositeHasBeenObserved s m.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (s : ∀ x : index, state (IM x)) (m : message) (i : index),
  HasBeenObserved (IM i) message_dependencies (s i) m
  → CompositeHasBeenObserved s m
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (s : ∀ x : index, state (IM x)) (m : message) (i : index),
  HasBeenObserved (IM i) message_dependencies (s i) m
  → CompositeHasBeenObserved s m
  intros s m i [].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
s: ∀ x : index, state (IM x)
m: message
i: index
H10: has_been_directly_observed (IM i) (s i) m
CompositeHasBeenObserved s m
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
s: ∀ x : index, state (IM x)
m: message
i: index
m': message
H10: has_been_directly_observed (IM i) (s i) m'
H11: msg_dep_happens_before message_dependencies m m'
CompositeHasBeenObserved s m
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
s: ∀ x : index, state (IM x)
m: message
i: index
H10: has_been_directly_observed (IM i) (s i) m
CompositeHasBeenObserved s m by constructor 1; eexists.
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
s: ∀ x : index, state (IM x)
m: message
i: index
m': message
H10: has_been_directly_observed (IM i) (s i) m'
H11: msg_dep_happens_before message_dependencies m m'
CompositeHasBeenObserved s m by econstructor 2; [eexists |].
Qed.

Lemma composite_HasBeenObserved_iff : forall s m,
  CompositeHasBeenObserved s m
    <->
  exists i, HasBeenObserved (IM i) message_dependencies (s i) m.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (m : message),
  CompositeHasBeenObserved s m
  ↔ (∃ i : index,
       HasBeenObserved (IM i) message_dependencies
         (s i) m)
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (m : message),
  CompositeHasBeenObserved s m
  ↔ (∃ i : index,
       HasBeenObserved (IM i) message_dependencies
         (s i) m)
  split; [| by intros []; eapply composite_HasBeenObserved_lift].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
m: message
CompositeHasBeenObserved s m
→ ∃ i : index,
    HasBeenObserved (IM i) message_dependencies (s i)
      m
  by intros [[i Hobsi] | m' [i Hobsi] Hmm'];
    exists i; [by constructor 1 | by econstructor 2].
Qed.

Lemma transition_preserves_CompositeHasBeenObserved :
  forall l s im s' om, input_constrained_transition Free l (s, im) (s', om) ->
  forall msg, CompositeHasBeenObserved s msg -> CompositeHasBeenObserved s' msg.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (l : label (preloaded_with_all_messages_vlsm Free)) 
  (s : state (preloaded_with_all_messages_vlsm Free)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   Free)) (om : option
                                                 message),
  input_constrained_transition Free l (s, im) (s', om)
  → ∀ msg : message,
      CompositeHasBeenObserved s msg
      → CompositeHasBeenObserved s' msg
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (l : label (preloaded_with_all_messages_vlsm Free)) 
  (s : state (preloaded_with_all_messages_vlsm Free)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   Free)) (om : option
                                                 message),
  input_constrained_transition Free l (s, im) (s', om)
  → ∀ msg : message,
      CompositeHasBeenObserved s msg
      → CompositeHasBeenObserved s' msg
  destruct (free_composite_has_been_directly_observed_stepwise_props IM) as [].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
∀ (l : label (preloaded_with_all_messages_vlsm Free)) 
  (s : state (preloaded_with_all_messages_vlsm Free)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   Free)) (om : option
                                                 message),
  input_constrained_transition Free l (s, im) (s', om)
  → ∀ msg : message,
      CompositeHasBeenObserved s msg
      → CompositeHasBeenObserved s' msg
  intros * Ht msg Hbefore; inversion Hbefore as [Hobs | m Hobs Hdep].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
Hbefore: CompositeHasBeenObserved s msg
Hobs: composite_has_been_directly_observed IM s msg
CompositeHasBeenObserved s' msg
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
Hbefore: CompositeHasBeenObserved s msg
m: message
Hobs: composite_has_been_directly_observed IM s m
Hdep: msg_dep_happens_before message_dependencies msg
  m
CompositeHasBeenObserved s' msg
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
Hbefore: CompositeHasBeenObserved s msg
Hobs: composite_has_been_directly_observed IM s msg
CompositeHasBeenObserved s' msg by constructor; eapply oracle_step_update; [| right].
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
Hbefore: CompositeHasBeenObserved s msg
m: message
Hobs: composite_has_been_directly_observed IM s m
Hdep: msg_dep_happens_before message_dependencies msg
  m
CompositeHasBeenObserved s' msg by econstructor 2; [| done]; eapply oracle_step_update; [| right].
Qed.

Lemma CompositeHasBeenObserved_step_update :
  forall l s im s' om, input_constrained_transition Free l (s, im) (s', om) ->
  forall msg,
    CompositeHasBeenObserved s' msg
      <->
    CompositeHasBeenObserved s msg \/
    (exists m, (im = Some m \/ om = Some m) /\
      (msg = m \/ msg_dep_happens_before message_dependencies msg m)).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (l : label (preloaded_with_all_messages_vlsm Free)) 
  (s : state (preloaded_with_all_messages_vlsm Free)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   Free)) (om : option
                                                 message),
  input_constrained_transition Free l (s, im) (s', om)
  → ∀ msg : message,
      CompositeHasBeenObserved s' msg
      ↔ CompositeHasBeenObserved s msg
        ∨ (∃ m : message,
             (im = Some m ∨ om = Some m)
             ∧ (msg = m
                ∨ msg_dep_happens_before
                    message_dependencies msg m))
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (l : label (preloaded_with_all_messages_vlsm Free)) 
  (s : state (preloaded_with_all_messages_vlsm Free)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   Free)) (om : option
                                                 message),
  input_constrained_transition Free l (s, im) (s', om)
  → ∀ msg : message,
      CompositeHasBeenObserved s' msg
      ↔ CompositeHasBeenObserved s msg
        ∨ (∃ m : message,
             (im = Some m ∨ om = Some m)
             ∧ (msg = m
                ∨ msg_dep_happens_before
                    message_dependencies msg m))
  destruct (free_composite_has_been_directly_observed_stepwise_props IM) as [].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
∀ (l : label (preloaded_with_all_messages_vlsm Free)) 
  (s : state (preloaded_with_all_messages_vlsm Free)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   Free)) (om : option
                                                 message),
  input_constrained_transition Free l (s, im) (s', om)
  → ∀ msg : message,
      CompositeHasBeenObserved s' msg
      ↔ CompositeHasBeenObserved s msg
        ∨ (∃ m : message,
             (im = Some m ∨ om = Some m)
             ∧ (msg = m
                ∨ msg_dep_happens_before
                    message_dependencies msg m))
  intros * Ht msg; split.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
CompositeHasBeenObserved s' msg
→ CompositeHasBeenObserved s msg
  ∨ (∃ m : message,
       (im = Some m ∨ om = Some m)
       ∧ (msg = m
          ∨ msg_dep_happens_before
              message_dependencies msg m))
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) → CompositeHasBeenObserved s' msg
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
CompositeHasBeenObserved s' msg
→ CompositeHasBeenObserved s msg
  ∨ (∃ m : message,
       (im = Some m ∨ om = Some m)
       ∧ (msg = m
          ∨ msg_dep_happens_before
              message_dependencies msg m)) inversion 1 as [Hobs' | m' Hobs' Hdep];
      (eapply oracle_step_update in Hobs'; [| done]);
      destruct Hobs' as [Hnow | Hbefore].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
H10: CompositeHasBeenObserved s' msg
Hnow: item_sends_or_receives msg
  {|
    l := l;
    input := im;
    destination := s';
    output := om
  |}
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m))
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
H10: CompositeHasBeenObserved s' msg
Hbefore: composite_has_been_directly_observed IM s
  msg
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m))
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
H10: CompositeHasBeenObserved s' msg
m': message
Hdep: msg_dep_happens_before message_dependencies msg
  m'
Hnow: item_sends_or_receives m'
  {|
    l := l;
    input := im;
    destination := s';
    output := om
  |}
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m))
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
H10: CompositeHasBeenObserved s' msg
m': message
Hdep: msg_dep_happens_before message_dependencies msg
  m'
Hbefore: composite_has_been_directly_observed IM s m'
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m))
    +message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
H10: CompositeHasBeenObserved s' msg
Hnow: item_sends_or_receives msg
  {|
    l := l;
    input := im;
    destination := s';
    output := om
  |}
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) by right; exists msg; split; [| left].
    +message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
H10: CompositeHasBeenObserved s' msg
Hbefore: composite_has_been_directly_observed IM s
  msg
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) by left; constructor.
    +message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
H10: CompositeHasBeenObserved s' msg
m': message
Hdep: msg_dep_happens_before message_dependencies msg
  m'
Hnow: item_sends_or_receives m'
  {|
    l := l;
    input := im;
    destination := s';
    output := om
  |}
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) by right; exists m'; split; [| right].
    +message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
H10: CompositeHasBeenObserved s' msg
m': message
Hdep: msg_dep_happens_before message_dependencies msg
  m'
Hbefore: composite_has_been_directly_observed IM s m'
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) by left; econstructor 2.
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
CompositeHasBeenObserved s msg
∨ (∃ m : message,
     (im = Some m ∨ om = Some m)
     ∧ (msg = m
        ∨ msg_dep_happens_before message_dependencies
            msg m)) → CompositeHasBeenObserved s' msg intros [Hbefore | (m & Hnow & [<- | Hdep])].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
Hbefore: CompositeHasBeenObserved s msg
CompositeHasBeenObserved s' msg
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
Hnow: im = Some msg ∨ om = Some msg
CompositeHasBeenObserved s' msg
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg, m: message
Hnow: im = Some m ∨ om = Some m
Hdep: msg_dep_happens_before message_dependencies msg
  m
CompositeHasBeenObserved s' msg
    +message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
Hbefore: CompositeHasBeenObserved s msg
CompositeHasBeenObserved s' msg by eapply transition_preserves_CompositeHasBeenObserved.
    +message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg: message
Hnow: im = Some msg ∨ om = Some msg
CompositeHasBeenObserved s' msg by constructor; eapply oracle_step_update; [| left].
    +message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
oracle_no_inits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_has_been_directly_observed
          IM s m
oracle_step_update: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed
        IM s' msg
      ↔ item_sends_or_receives
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed
            IM s msg
l: label (preloaded_with_all_messages_vlsm Free)
s: state (preloaded_with_all_messages_vlsm Free)
im: option message
s': state (preloaded_with_all_messages_vlsm Free)
om: option message
Ht: input_constrained_transition Free l (
  s, im) (s', om)
msg, m: message
Hnow: im = Some m ∨ om = Some m
Hdep: msg_dep_happens_before message_dependencies msg
  m
CompositeHasBeenObserved s' msg by econstructor 2; [| done]; eapply oracle_step_update; [| left].
Qed.

Lifting DirectlyObservedBeforeSend to a composition. The advantage of this definition is that RHS can be emitted by any of the machines in the composition.

Record CompositeObservedBeforeSendTransition
  (s : composite_state IM) (item : composite_transition_item IM) (m1 m2 : message) : Prop :=
{
  cdobst_transition : input_constrained_transition_item Free s item;
  cdobst_output_m2 : output item = Some m2;
  cdobst_observed_m1 :
    ObservedBeforeStateOrMessage (IM (projT1 (l item))) message_dependencies m1
      (s (projT1 (l item))) (input item);
}.

Definition composite_observed_before_send (m1 m2 : message) : Prop :=
  exists s item, CompositeObservedBeforeSendTransition s item m1 m2.

Lemma composite_ObservedBeforeSendTransition_lift :
  forall (i : index) (s : state (IM i)) (item : transition_item (IM i))
    (m1 m2 : message),
  ObservedBeforeSendTransition (IM i) message_dependencies s item m1 m2 ->
  CompositeObservedBeforeSendTransition
    (lift_to_composite_state' IM i s)
    (lift_to_composite_transition_item' IM i item) m1 m2.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (i : index) (s : state (IM i)) (item : transition_item) 
  (m1 m2 : message),
  ObservedBeforeSendTransition (IM i)
    message_dependencies s item m1 m2
  → CompositeObservedBeforeSendTransition
      (lift_to_composite_state' IM i s)
      (lift_to_composite_transition_item' IM i item)
      m1 m2
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (i : index) (s : state (IM i)) (item : transition_item) 
  (m1 m2 : message),
  ObservedBeforeSendTransition (IM i)
    message_dependencies s item m1 m2
  → CompositeObservedBeforeSendTransition
      (lift_to_composite_state' IM i s)
      (lift_to_composite_transition_item' IM i item)
      m1 m2
  intros * []; constructor; [| done |].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
i: index
s: state (IM i)
item: transition_item
m1, m2: message
dobst_transition0: input_constrained_transition_item
  (IM i) s item
dobst_output_m3: output item = Some m2
dobst_observed_m2: ObservedBeforeStateOrMessage
  (IM i) message_dependencies m1 s
  (input item)
input_constrained_transition_item Free
  (lift_to_composite_state' IM i s)
  (lift_to_composite_transition_item' IM i item)
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
i: index
s: state (IM i)
item: transition_item
m1, m2: message
dobst_transition0: input_constrained_transition_item
  (IM i) s item
dobst_output_m3: output item = Some m2
dobst_observed_m2: ObservedBeforeStateOrMessage
  (IM i) message_dependencies m1 s
  (input item)
ObservedBeforeStateOrMessage
  (IM
     (projT1
        (l
           (lift_to_composite_transition_item' IM i
              item)))) message_dependencies m1
  (lift_to_composite_state' IM i s
     (projT1
        (l
           (lift_to_composite_transition_item' IM i
              item))))
  (input
     (lift_to_composite_transition_item' IM i item))
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
i: index
s: state (IM i)
item: transition_item
m1, m2: message
dobst_transition0: input_constrained_transition_item
  (IM i) s item
dobst_output_m3: output item = Some m2
dobst_observed_m2: ObservedBeforeStateOrMessage
  (IM i) message_dependencies m1 s
  (input item)
input_constrained_transition_item Free
  (lift_to_composite_state' IM i s)
  (lift_to_composite_transition_item' IM i item) by eapply VLSM_embedding_input_valid_transition in dobst_transition0;
      [| apply lift_to_composite_preloaded_VLSM_embedding].
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
i: index
s: state (IM i)
item: transition_item
m1, m2: message
dobst_transition0: input_constrained_transition_item
  (IM i) s item
dobst_output_m3: output item = Some m2
dobst_observed_m2: ObservedBeforeStateOrMessage
  (IM i) message_dependencies m1 s
  (input item)
ObservedBeforeStateOrMessage
  (IM
     (projT1
        (l
           (lift_to_composite_transition_item' IM i
              item)))) message_dependencies m1
  (lift_to_composite_state' IM i s
     (projT1
        (l
           (lift_to_composite_transition_item' IM i
              item))))
  (input
     (lift_to_composite_transition_item' IM i item)) by destruct item; cbn in *; state_update_simpl.
Qed.

Lemma composite_observed_before_send_lift :
  forall (i : index) (m1 m2 : message),
    observed_before_send (IM i) message_dependencies m1 m2 ->
    composite_observed_before_send m1 m2.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (i : index) (m1 m2 : message),
  observed_before_send (IM i) message_dependencies m1
    m2 → composite_observed_before_send m1 m2
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (i : index) (m1 m2 : message),
  observed_before_send (IM i) message_dependencies m1
    m2 → composite_observed_before_send m1 m2
  intros * (s & item & Hobs).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
i: index
m1, m2: message
s: state (IM i)
item: transition_item
Hobs: ObservedBeforeSendTransition 
  (IM i) message_dependencies s item m1 m2
composite_observed_before_send m1 m2
  by eexists _, _; apply composite_ObservedBeforeSendTransition_lift.
Qed.

Lemma composite_ObservedBeforeSendTransition_project :
  forall (s : composite_state IM) (item : composite_transition_item IM)
    (m1 m2 : message) (i := projT1 (l item)),
  CompositeObservedBeforeSendTransition s item m1 m2 ->
  ObservedBeforeSendTransition (IM i) message_dependencies
    (s i) (composite_transition_item_projection IM item) m1 m2.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (item : composite_transition_item
                                     IM) (m1
                                          m2 : message),
  let i := projT1 (l item) in
  CompositeObservedBeforeSendTransition s item m1 m2
  → ObservedBeforeSendTransition (IM i)
      message_dependencies (s i)
      (composite_transition_item_projection IM item)
      m1 m2
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (item : composite_transition_item
                                     IM) (m1
                                          m2 : message),
  let i := projT1 (l item) in
  CompositeObservedBeforeSendTransition s item m1 m2
  → ObservedBeforeSendTransition (IM i)
      message_dependencies (s i)
      (composite_transition_item_projection IM item)
      m1 m2
  by intros * []; constructor;
    [eapply input_valid_transition_preloaded_project_active_free | ..].
Qed.

Lemma composite_observed_before_send_iff m1 m2 :
  composite_observed_before_send m1 m2
    <->
  exists i, observed_before_send (IM i) message_dependencies m1 m2.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
m1, m2: message
composite_observed_before_send m1 m2
↔ (∃ i : index,
     observed_before_send (IM i) message_dependencies
       m1 m2)
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
m1, m2: message
composite_observed_before_send m1 m2
↔ (∃ i : index,
     observed_before_send (IM i) message_dependencies
       m1 m2)
  split.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
m1, m2: message
composite_observed_before_send m1 m2
→ ∃ i : index,
    observed_before_send (IM i) message_dependencies
      m1 m2
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
m1, m2: message
(∃ i : index,
   observed_before_send 
     (IM i) message_dependencies m1 m2)
→ composite_observed_before_send m1 m2
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
m1, m2: message
composite_observed_before_send m1 m2
→ ∃ i : index,
    observed_before_send (IM i) message_dependencies
      m1 m2 intros (s & item & Hcomp); eexists (projT1 (l item)), _, _.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
m1, m2: message
s: composite_state IM
item: composite_transition_item IM
Hcomp: CompositeObservedBeforeSendTransition s item
  m1 m2
ObservedBeforeSendTransition (IM (projT1 (l item)))
  message_dependencies ?Goal0 ?Goal1 m1 m2
    by apply composite_ObservedBeforeSendTransition_project.
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
m1, m2: message
(∃ i : index,
   observed_before_send (IM i) message_dependencies m1
     m2) → composite_observed_before_send m1 m2 by intros []; eapply composite_observed_before_send_lift.
Qed.

Lemma composite_observed_before_send_subsumes_msg_dep_rel
  `{forall i, MessageDependencies (IM i) message_dependencies} :
  forall m, can_emit (preloaded_with_all_messages_vlsm Free) m ->
  forall dm, msg_dep_rel message_dependencies dm m ->
    composite_observed_before_send dm m.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ m : message,
  can_emit (preloaded_with_all_messages_vlsm Free) m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → composite_observed_before_send dm m
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ m : message,
  can_emit (preloaded_with_all_messages_vlsm Free) m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → composite_observed_before_send dm m
  intros m Hm dm Hdm.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
Hm: can_emit (preloaded_with_all_messages_vlsm Free)
  m
dm: message
Hdm: msg_dep_rel message_dependencies dm m
composite_observed_before_send dm m
  apply can_emit_free_composite_project in Hm as [j Hjm].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
j: index
Hjm: can_emit
  (preloaded_with_all_messages_vlsm (IM j)) m
dm: message
Hdm: msg_dep_rel message_dependencies dm m
composite_observed_before_send dm m
  by eapply composite_observed_before_send_lift,
    observed_before_send_subsumes_msg_dep_rel.
Qed.

Similarly to the msg_dep_happens_before, we define the transitive closure of the composite_observed_before_send relation.

Definition tc_composite_observed_before_send : relation message :=
  tc (composite_observed_before_send).

Lemma tc_composite_observed_before_send_subsumes_msg_dep_rel
  `{forall i, MessageDependencies (IM i) message_dependencies} :
  forall m, can_emit Free m ->
  forall dm, msg_dep_rel message_dependencies dm m ->
    tc_composite_observed_before_send dm m.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ m : message,
  can_emit Free m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → tc_composite_observed_before_send dm m
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ m : message,
  can_emit Free m
  → ∀ dm : message,
      msg_dep_rel message_dependencies dm m
      → tc_composite_observed_before_send dm m
  intros m Hm dm Hdm; constructor.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
Hm: can_emit Free m
dm: message
Hdm: msg_dep_rel message_dependencies dm m
composite_observed_before_send dm m
  eapply composite_observed_before_send_subsumes_msg_dep_rel; [| done].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
Hm: can_emit Free m
dm: message
Hdm: msg_dep_rel message_dependencies dm m
can_emit (preloaded_with_all_messages_vlsm Free) m
  eapply VLSM_incl_can_emit; [| done].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
Hm: can_emit Free m
dm: message
Hdm: msg_dep_rel message_dependencies dm m
VLSM_incl_part (free_composite_vlsm_machine IM)
  (preloaded_vlsm_machine Free (λ _ : message, True))
  by apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Lemma tc_composite_observed_before_send_subsumes_happens_before
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop IM)
  `{forall i, MessageDependencies (IM i) message_dependencies} :
  forall m, can_emit Free m ->
  forall dm, msg_dep_happens_before message_dependencies dm m ->
    tc_composite_observed_before_send dm m.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ m : message,
  can_emit Free m
  → ∀ dm : message,
      msg_dep_happens_before message_dependencies dm m
      → tc_composite_observed_before_send dm m
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
∀ m : message,
  can_emit Free m
  → ∀ dm : message,
      msg_dep_happens_before message_dependencies dm m
      → tc_composite_observed_before_send dm m
  intros m Hm dm Hdm.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
m: message
Hm: can_emit Free m
dm: message
Hdm: msg_dep_happens_before message_dependencies dm m
tc_composite_observed_before_send dm m
  induction Hdm; [by eapply tc_composite_observed_before_send_subsumes_msg_dep_rel |].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
z: message
Hm: can_emit Free z
x, y: message
H11: msg_dep_rel message_dependencies x y
Hdm: tc (msg_dep_rel message_dependencies) y z
IHHdm: can_emit Free z
→ tc_composite_observed_before_send y z
tc_composite_observed_before_send x z
  transitivity y; [| by apply IHHdm].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
z: message
Hm: can_emit Free z
x, y: message
H11: msg_dep_rel message_dependencies x y
Hdm: tc (msg_dep_rel message_dependencies) y z
IHHdm: can_emit Free z
→ tc_composite_observed_before_send y z
tc_composite_observed_before_send x y
  eapply tc_composite_observed_before_send_subsumes_msg_dep_rel; [| done].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
z: message
Hm: can_emit Free z
x, y: message
H11: msg_dep_rel message_dependencies x y
Hdm: tc (msg_dep_rel message_dependencies) y z
IHHdm: can_emit Free z
→ tc_composite_observed_before_send y z
can_emit Free y
  by eapply emitted_messages_are_valid,
    msg_dep_reflects_happens_before_free_validity,
    emitted_messages_are_valid_iff
    in Hm as [(i & [] & <-) |]; [exfalso; eapply no_initial_messages_in_IM | ..].
Qed.

A messages constitutes a (global) evidence of equivocation for a validator v in a composite state s if the message has v as a sender, it has been (indirectly) observed in composite_state s, (see CompositeHasBeenObserved), but it wasn't observed as sent in s (see composite_has_been_sent).

Record MsgDepGlobalEquivocationEvidence
  (s : composite_state IM) (v : validator) (m : message) : Prop :=
{
  mdgee_sender : sender m = Some v;
  mdgee_rec_observed : CompositeHasBeenObserved s m;
  mdgee_not_sent : ~ composite_has_been_sent IM s m;
}.

Definition msg_dep_is_globally_equivocating
  (s : composite_state IM) (v : validator) : Prop :=
  exists m : message, MsgDepGlobalEquivocationEvidence s v m.

Under the full-node assumption, we can give a simpler alternative to MsgDepGlobalEquivocationEvidence which only requires that the message has been received in the composite_state (see composite_has_been_received) (due to the Lemma msg_dep_full_node_happens_before_reflects_has_been_directly_observed).

Record FullNodeGlobalEquivocationEvidence
  (s : composite_state IM) (v : validator) (m : message) : Prop :=
{
  fngee_sender : sender m = Some v;
  fngee_received : composite_has_been_received IM s m;
  fngee_not_sent : ~ composite_has_been_sent IM s m;
}.

Definition full_node_is_globally_equivocating
  (s : composite_state IM) (v : validator) : Prop :=
  exists m : message, FullNodeGlobalEquivocationEvidence s v m.

Lemma full_node_is_globally_equivocating_stronger s v :
  full_node_is_globally_equivocating s v ->
  msg_dep_is_globally_equivocating s v.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
v: validator
full_node_is_globally_equivocating s v
→ msg_dep_is_globally_equivocating s v
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
v: validator
full_node_is_globally_equivocating s v
→ msg_dep_is_globally_equivocating s v
  intros [m []]; exists m; constructor; [done | | done].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
v: validator
m: message
fngee_sender0: sender m = Some v
fngee_received0: composite_has_been_received IM s m
fngee_not_sent0: ¬ composite_has_been_sent IM s m
CompositeHasBeenObserved s m
  by constructor 1; apply composite_has_been_directly_observed_sent_received_iff; right.
Qed.

Lemma full_node_is_globally_equivocating_iff
  `{forall i, MessageDependencies (IM i) message_dependencies}
  (Hfull : forall i, message_dependencies_full_node_condition_prop (IM i) message_dependencies)
  : forall s, constrained_state_prop Free s ->
    forall v,
      msg_dep_is_globally_equivocating s v
        <->
      full_node_is_globally_equivocating s v.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm Free),
  constrained_state_prop Free s
  → ∀ v : validator,
      msg_dep_is_globally_equivocating s v
      ↔ full_node_is_globally_equivocating s v
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm Free),
  constrained_state_prop Free s
  → ∀ v : validator,
      msg_dep_is_globally_equivocating s v
      ↔ full_node_is_globally_equivocating s v
  intros s Hs v; split; [| apply full_node_is_globally_equivocating_stronger].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
v: validator
msg_dep_is_globally_equivocating s v
→ full_node_is_globally_equivocating s v
  intros [m [Hsender Hobs Hnsent]]; exists m; split; [done | | done].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
v: validator
m: message
Hsender: sender m = Some v
Hobs: CompositeHasBeenObserved s m
Hnsent: ¬ composite_has_been_sent IM s m
composite_has_been_received IM s m
  cut (composite_has_been_directly_observed IM s m).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
v: validator
m: message
Hsender: sender m = Some v
Hobs: CompositeHasBeenObserved s m
Hnsent: ¬ composite_has_been_sent IM s m
composite_has_been_directly_observed IM s m
→ composite_has_been_received IM s m
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
v: validator
m: message
Hsender: sender m = Some v
Hobs: CompositeHasBeenObserved s m
Hnsent: ¬ composite_has_been_sent IM s m
composite_has_been_directly_observed IM s m
  {message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
v: validator
m: message
Hsender: sender m = Some v
Hobs: CompositeHasBeenObserved s m
Hnsent: ¬ composite_has_been_sent IM s m
composite_has_been_directly_observed IM s m
→ composite_has_been_received IM s m
    by rewrite composite_has_been_directly_observed_sent_received_iff; intros [].
  }message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
v: validator
m: message
Hsender: sender m = Some v
Hobs: CompositeHasBeenObserved s m
Hnsent: ¬ composite_has_been_sent IM s m
composite_has_been_directly_observed IM s m
  destruct Hobs as [Hobs | m' [i Hobs] Hhb]; [done | exists i].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
v: validator
m: message
Hsender: sender m = Some v
m': message
i: index
Hobs: has_been_directly_observed (IM i) (s i) m'
Hhb: msg_dep_happens_before message_dependencies m m'
Hnsent: ¬ composite_has_been_sent IM s m
has_been_directly_observed (IM i) (s i) m
  eapply msg_dep_full_node_happens_before_reflects_has_been_directly_observed;
    [done | done | | done..].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
H10: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hfull: ∀ i : index,
  message_dependencies_full_node_condition_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
v: validator
m: message
Hsender: sender m = Some v
m': message
i: index
Hobs: has_been_directly_observed (IM i) (s i) m'
Hhb: msg_dep_happens_before message_dependencies m m'
Hnsent: ¬ composite_has_been_sent IM s m
constrained_state_prop (IM i) (s i)
  by eapply composite_constrained_state_project.
Qed.

Lemma msg_dep_locally_is_globally_equivocating
  (A : validator -> index)
  (Hsafety : sender_safety_alt_prop IM A sender)
  (Hsent_comparable :
    forall i, has_been_sent_msg_dep_comparable_prop (IM i) message_dependencies)
  : forall s, constrained_state_prop Free s ->
    forall i v,
    msg_dep_is_locally_equivocating (IM i) message_dependencies sender (s i) v ->
    msg_dep_is_globally_equivocating s v.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm Free),
  constrained_state_prop Free s
  → ∀ (i : index) (v : validator),
      msg_dep_is_locally_equivocating (IM i)
        message_dependencies sender (s i) v
      → msg_dep_is_globally_equivocating s v
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm Free),
  constrained_state_prop Free s
  → ∀ (i : index) (v : validator),
      msg_dep_is_locally_equivocating (IM i)
        message_dependencies sender (s i) v
      → msg_dep_is_globally_equivocating s v
  intros s Hs i v (m1 & m2 & [Hsender1 Hsender2 Hobs1 Hobs2 Hncomp]).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: HasBeenObserved (IM i) message_dependencies
  (s i) m1
Hobs2: HasBeenObserved (IM i) message_dependencies
  (s i) m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
msg_dep_is_globally_equivocating s v
  apply valid_state_has_trace in Hs as Htr.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: HasBeenObserved (IM i) message_dependencies
  (s i) m1
Hobs2: HasBeenObserved (IM i) message_dependencies
  (s i) m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
Htr: ∃ (is : state
          (preloaded_with_all_messages_vlsm Free)) 
  (tr : list transition_item),
  finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm Free) is s
    tr
msg_dep_is_globally_equivocating s v
  destruct Htr as (? & ? & ?).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: HasBeenObserved (IM i) message_dependencies
  (s i) m1
Hobs2: HasBeenObserved (IM i) message_dependencies
  (s i) m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
msg_dep_is_globally_equivocating s v
  destruct (decide (has_been_sent (IM (A v)) (s (A v)) m1));
    [destruct (decide (has_been_sent (IM (A v)) (s (A v)) m2)) |]; cycle 1.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: HasBeenObserved (IM i) message_dependencies
  (s i) m1
Hobs2: HasBeenObserved (IM i) message_dependencies
  (s i) m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
h: has_been_sent (IM (A v)) (s (A v)) m1
n: ¬ has_been_sent (IM (A v)) (s (A v)) m2
msg_dep_is_globally_equivocating s v
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: HasBeenObserved (IM i) message_dependencies
  (s i) m1
Hobs2: HasBeenObserved (IM i) message_dependencies
  (s i) m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
n: ¬ has_been_sent (IM (A v)) (s (A v)) m1
msg_dep_is_globally_equivocating s v
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: HasBeenObserved (IM i) message_dependencies
  (s i) m1
Hobs2: HasBeenObserved (IM i) message_dependencies
  (s i) m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
h: has_been_sent (IM (A v)) (s (A v)) m1
h0: has_been_sent (IM (A v)) (s (A v)) m2
msg_dep_is_globally_equivocating s v
  1, 2: eexists; split;
      [.. | by contradict n; eapply has_been_sent_iff_by_sender];
      [done | by eapply composite_HasBeenObserved_lift].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: HasBeenObserved (IM i) message_dependencies
  (s i) m1
Hobs2: HasBeenObserved (IM i) message_dependencies
  (s i) m2
Hncomp: ¬ comparable
    (msg_dep_happens_before
       message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
h: has_been_sent (IM (A v)) (s (A v)) m1
h0: has_been_sent (IM (A v)) (s (A v)) m2
msg_dep_is_globally_equivocating s v
  contradict Hncomp; eapply tc_comparable, Hsent_comparable; [| done..].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: HasBeenObserved (IM i) message_dependencies
  (s i) m1
Hobs2: HasBeenObserved (IM i) message_dependencies
  (s i) m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
h: has_been_sent (IM (A v)) (s (A v)) m1
h0: has_been_sent (IM (A v)) (s (A v)) m2
constrained_state_prop (IM (A v)) (s (A v))
  by eapply composite_constrained_state_project.
Qed.

Lemma full_node_sent_locally_is_globally_equivocating
  (A : validator -> index)
  (Hsafety : sender_safety_alt_prop IM A sender)
  (Hsent_comparable :
    forall i, has_been_sent_msg_dep_comparable_prop (IM i) message_dependencies)
  : forall s, constrained_state_prop Free s ->
    forall i v,
    full_node_is_sent_locally_equivocating (IM i) message_dependencies sender (s i) v ->
    msg_dep_is_globally_equivocating s v.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm Free),
  constrained_state_prop Free s
  → ∀ (i : index) (v : validator),
      full_node_is_sent_locally_equivocating (IM i)
        message_dependencies sender (s i) v
      → msg_dep_is_globally_equivocating s v
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
∀ s : state (preloaded_with_all_messages_vlsm Free),
  constrained_state_prop Free s
  → ∀ (i : index) (v : validator),
      full_node_is_sent_locally_equivocating (IM i)
        message_dependencies sender (s i) v
      → msg_dep_is_globally_equivocating s v
  intros s Hs i v (m1 & m2 & [Hsender1 Hsender2 Hobs1 Hobs2 Hncomp]).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed (IM i) (s i) m1
Hobs2: has_been_directly_observed (IM i) (s i) m2
Hncomp: ¬ comparable
    (msg_dep_rel message_dependencies) m1 m2
msg_dep_is_globally_equivocating s v
  apply valid_state_has_trace in Hs as Htr.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed (IM i) (s i) m1
Hobs2: has_been_directly_observed (IM i) (s i) m2
Hncomp: ¬ comparable
    (msg_dep_rel message_dependencies) m1 m2
Htr: ∃ (is : state
          (preloaded_with_all_messages_vlsm Free)) 
  (tr : list transition_item),
  finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm Free) is s
    tr
msg_dep_is_globally_equivocating s v
  destruct Htr as (? & ? & ?).message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed (IM i) (s i) m1
Hobs2: has_been_directly_observed (IM i) (s i) m2
Hncomp: ¬ comparable
    (msg_dep_rel message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
msg_dep_is_globally_equivocating s v
  destruct (decide (has_been_sent (IM (A v)) (s (A v)) m1));
    [destruct (decide (has_been_sent (IM (A v)) (s (A v)) m2)) |]; cycle 1.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed (IM i) (s i) m1
Hobs2: has_been_directly_observed (IM i) (s i) m2
Hncomp: ¬ comparable
    (msg_dep_rel message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
h: has_been_sent (IM (A v)) (s (A v)) m1
n: ¬ has_been_sent (IM (A v)) (s (A v)) m2
msg_dep_is_globally_equivocating s v
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed (IM i) (s i) m1
Hobs2: has_been_directly_observed (IM i) (s i) m2
Hncomp: ¬ comparable
    (msg_dep_rel message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
n: ¬ has_been_sent (IM (A v)) (s (A v)) m1
msg_dep_is_globally_equivocating s v
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed (IM i) (s i) m1
Hobs2: has_been_directly_observed (IM i) (s i) m2
Hncomp: ¬ comparable
    (msg_dep_rel message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
h: has_been_sent (IM (A v)) (s (A v)) m1
h0: has_been_sent (IM (A v)) (s (A v)) m2
msg_dep_is_globally_equivocating s v
  1, 2: eexists; split; cycle 2;
      [by contradict n; eapply has_been_sent_iff_by_sender | done |];
      by constructor 1; eexists.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed (IM i) (s i) m1
Hobs2: has_been_directly_observed (IM i) (s i) m2
Hncomp: ¬ comparable
    (msg_dep_rel message_dependencies) m1 m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
h: has_been_sent (IM (A v)) (s (A v)) m1
h0: has_been_sent (IM (A v)) (s (A v)) m2
msg_dep_is_globally_equivocating s v
  contradict Hncomp; eapply Hsent_comparable; [| done..].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
EqDecision1: EqDecision index
H7: finite.Finite index
H8: ∀ i : index, HasBeenSentCapability (IM i)
H9: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
Free:= free_composite_vlsm IM: VLSM message
A: validator → index
Hsafety: sender_safety_alt_prop IM A sender
Hsent_comparable: ∀ i : index,
  has_been_sent_msg_dep_comparable_prop
    (IM i) message_dependencies
s: state (preloaded_with_all_messages_vlsm Free)
Hs: constrained_state_prop Free s
i: index
v: validator
m1, m2: message
Hsender1: sender m1 = Some v
Hsender2: sender m2 = Some v
Hobs1: has_been_directly_observed (IM i) (s i) m1
Hobs2: has_been_directly_observed (IM i) (s i) m2
x: state (preloaded_with_all_messages_vlsm Free)
x0: list transition_item
H10: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) x s x0
h: has_been_sent (IM (A v)) (s (A v)) m1
h0: has_been_sent (IM (A v)) (s (A v)) m2
constrained_state_prop (IM (A v)) (s (A v))
  by eapply composite_constrained_state_project.
Qed.

End sec_composite_message_dependencies_equivocation.

Section sec_sub_composite_message_dependencies.

Context
  {message : Type}
  `(IM : index -> VLSM message)
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  `{FinSet index Ci}
  (indices : Ci)
  `{forall i, HasBeenSentCapability (IM i)}
  `{forall i, HasBeenReceivedCapability (IM i)}
  `{!Irreflexive (msg_dep_happens_before message_dependencies)}
  `{forall i, MessageDependencies (IM i) message_dependencies}
  .

Lemma msg_dep_reflects_sub_free_validity
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop IM)
  (P : message -> Prop)
  (Hreflects : forall dm m, msg_dep_rel message_dependencies dm m -> P m -> P dm)
  (X := free_composite_vlsm (sub_IM IM (elements indices)))
  : forall dm m, msg_dep_rel message_dependencies dm m ->
    valid_message_prop (preloaded_vlsm X P) m ->
    valid_message_prop (preloaded_vlsm X P) dm.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
Ci: Type
H7: ElemOf index Ci
H8: Empty Ci
H9: Singleton index Ci
H10: Union Ci
H11: Intersection Ci
H12: Difference Ci
H13: Elements index Ci
EqDecision1: EqDecision index
H14: FinSet index Ci
indices: Ci
H15: ∀ i : index, HasBeenSentCapability (IM i)
H16: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H17: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
X:= free_composite_vlsm (sub_IM IM (elements indices)): VLSM message
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → valid_message_prop (preloaded_vlsm X P) m
    → valid_message_prop (preloaded_vlsm X P) dm
Proof.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
Ci: Type
H7: ElemOf index Ci
H8: Empty Ci
H9: Singleton index Ci
H10: Union Ci
H11: Intersection Ci
H12: Difference Ci
H13: Elements index Ci
EqDecision1: EqDecision index
H14: FinSet index Ci
indices: Ci
H15: ∀ i : index, HasBeenSentCapability (IM i)
H16: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H17: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
X:= free_composite_vlsm (sub_IM IM (elements indices)): VLSM message
∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → valid_message_prop (preloaded_vlsm X P) m
    → valid_message_prop (preloaded_vlsm X P) dm
  eapply msg_dep_reflects_validity; [| | done].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
Ci: Type
H7: ElemOf index Ci
H8: Empty Ci
H9: Singleton index Ci
H10: Union Ci
H11: Intersection Ci
H12: Difference Ci
H13: Elements index Ci
EqDecision1: EqDecision index
H14: FinSet index Ci
indices: Ci
H15: ∀ i : index, HasBeenSentCapability (IM i)
H16: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H17: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
X:= free_composite_vlsm (sub_IM IM (elements indices)): VLSM message
MessageDependencies X message_dependencies
message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
Ci: Type
H7: ElemOf index Ci
H8: Empty Ci
H9: Singleton index Ci
H10: Union Ci
H11: Intersection Ci
H12: Difference Ci
H13: Elements index Ci
EqDecision1: EqDecision index
H14: FinSet index Ci
indices: Ci
H15: ∀ i : index, HasBeenSentCapability (IM i)
H16: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H17: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
X:= free_composite_vlsm (sub_IM IM (elements indices)): VLSM message
∀ m : message, ¬ initial_message_prop m
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
Ci: Type
H7: ElemOf index Ci
H8: Empty Ci
H9: Singleton index Ci
H10: Union Ci
H11: Intersection Ci
H12: Difference Ci
H13: Elements index Ci
EqDecision1: EqDecision index
H14: FinSet index Ci
indices: Ci
H15: ∀ i : index, HasBeenSentCapability (IM i)
H16: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H17: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
X:= free_composite_vlsm (sub_IM IM (elements indices)): VLSM message
MessageDependencies X message_dependencies by typeclasses eauto.
  -message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
Ci: Type
H7: ElemOf index Ci
H8: Empty Ci
H9: Singleton index Ci
H10: Union Ci
H11: Intersection Ci
H12: Difference Ci
H13: Elements index Ci
EqDecision1: EqDecision index
H14: FinSet index Ci
indices: Ci
H15: ∀ i : index, HasBeenSentCapability (IM i)
H16: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H17: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
X:= free_composite_vlsm (sub_IM IM (elements indices)): VLSM message
∀ m : message, ¬ initial_message_prop m intros m [sub_i [[im Him] Heqm]].message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
Ci: Type
H7: ElemOf index Ci
H8: Empty Ci
H9: Singleton index Ci
H10: Union Ci
H11: Intersection Ci
H12: Difference Ci
H13: Elements index Ci
EqDecision1: EqDecision index
H14: FinSet index Ci
indices: Ci
H15: ∀ i : index, HasBeenSentCapability (IM i)
H16: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H17: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
X:= free_composite_vlsm (sub_IM IM (elements indices)): VLSM message
m: message
sub_i: sub_index (elements indices)
im: message
Him: initial_message_prop im
Heqm: `(im ↾ Him) = m
False
    destruct_dec_sig sub_i i Hi Heqsub_i; subst.message, index: Type
IM: index → VLSM message
Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies: message → Cm
Ci: Type
H7: ElemOf index Ci
H8: Empty Ci
H9: Singleton index Ci
H10: Union Ci
H11: Intersection Ci
H12: Difference Ci
H13: Elements index Ci
EqDecision1: EqDecision index
H14: FinSet index Ci
indices: Ci
H15: ∀ i : index, HasBeenSentCapability (IM i)
H16: ∀ i : index, HasBeenReceivedCapability (IM i)
Irreflexive0: Irreflexive
  (msg_dep_happens_before
     message_dependencies)
H17: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
P: message → Prop
Hreflects: ∀ dm m : message,
  msg_dep_rel message_dependencies dm m
  → P m → P dm
X:= free_composite_vlsm (sub_IM IM (elements indices)): VLSM message
im: message
i: index
Hi: sub_index_prop (elements indices) i
Him: initial_message_prop im
False
    by contradict Him; apply no_initial_messages_in_IM.
Qed.

End sec_sub_composite_message_dependencies.

Section sec_FullMessageDependencies.

Context
  {message : Type}
  `{FinSet message Cm}
  .

Class FullMessageDependencies
  (message_dependencies : message -> Cm)
  (full_message_dependencies : message -> Cm)
  : Prop :=
{
  full_message_dependencies_happens_before :
    forall dm m,
      dm ∈ full_message_dependencies m <->
      msg_dep_happens_before message_dependencies dm m;
  full_message_dependencies_irreflexive :
    forall m, m ∉ full_message_dependencies m;
}.

End sec_FullMessageDependencies.

(* given the message type, we can usually look up the functions for message dependencies *)
#[global] Hint Mode FullMessageDependencies ! - - - - - - - - - - - - : typeclass_instances.

Section sec_FullMessageDependencies_happens_before.

Context
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  (full_message_dependencies : message -> Cm)
  (HFullMsgDep : FullMessageDependencies message_dependencies full_message_dependencies)
  .

#[export] Instance msg_dep_happens_before_dec :
 RelDecision (msg_dep_happens_before message_dependencies).message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
RelDecision
  (msg_dep_happens_before message_dependencies)
Proof.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
RelDecision
  (msg_dep_happens_before message_dependencies)
 refine
   (fun m1 m2 =>
      match decide (m1 ∈ full_message_dependencies m2) with
      | left Hdec => left _
      | right Hdec => right _
      end).message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
m1, m2: message
Hdec: m1 ∈ full_message_dependencies m2
msg_dep_happens_before message_dependencies m1 m2
message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
m1, m2: message
Hdec: m1 ∉ full_message_dependencies m2
¬ msg_dep_happens_before message_dependencies m1 m2
  -message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
m1, m2: message
Hdec: m1 ∈ full_message_dependencies m2
msg_dep_happens_before message_dependencies m1 m2 by rewrite <- full_message_dependencies_happens_before.
  -message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
m1, m2: message
Hdec: m1 ∉ full_message_dependencies m2
¬ msg_dep_happens_before message_dependencies m1 m2 by rewrite <- full_message_dependencies_happens_before.
Qed.

#[export] Instance msg_dep_happens_before_irrefl :
  Irreflexive (msg_dep_happens_before message_dependencies).message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
Irreflexive
  (msg_dep_happens_before message_dependencies)
Proof.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
Irreflexive
  (msg_dep_happens_before message_dependencies)
  intros m Hm.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
m: message
Hm: msg_dep_happens_before message_dependencies m m
False
  contradict Hm.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
m: message
¬ msg_dep_happens_before message_dependencies m m
  rewrite <- full_message_dependencies_happens_before.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
m: message
m ∉ full_message_dependencies m
  by apply full_message_dependencies_irreflexive.
Qed.

#[export] Instance msg_dep_happens_before_strict :
  StrictOrder (msg_dep_happens_before message_dependencies) := {}.

Lemma msg_dep_rel_full_message_dependecies_subset :
  forall x y : message, msg_dep_rel message_dependencies x y ->
    full_message_dependencies x ⊆ full_message_dependencies y.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
∀ x y : message,
  msg_dep_rel message_dependencies x y
  → full_message_dependencies x
    ⊆ full_message_dependencies y
Proof.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
∀ x y : message,
  msg_dep_rel message_dependencies x y
  → full_message_dependencies x
    ⊆ full_message_dependencies y
  intros; intros z Hz.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
z: message
Hz: z ∈ full_message_dependencies x
z ∈ full_message_dependencies y
  apply full_message_dependencies_happens_before.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
z: message
Hz: z ∈ full_message_dependencies x
msg_dep_happens_before message_dependencies z y
  transitivity x; [by apply full_message_dependencies_happens_before |].message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
z: message
Hz: z ∈ full_message_dependencies x
msg_dep_happens_before message_dependencies x y
  by constructor.
Qed.

Lemma msg_dep_happens_before_wf : well_founded (msg_dep_happens_before message_dependencies).message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
wf (msg_dep_happens_before message_dependencies)
Proof.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
wf (msg_dep_happens_before message_dependencies)
  apply tc_wf_projected with (<) (fun m => length (elements (full_message_dependencies m)));
    [by typeclasses eauto | | by apply Wf_nat.lt_wf].message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
∀ x y : message,
  msg_dep_rel message_dependencies x y
  → length (elements (full_message_dependencies x)) <
    length (elements (full_message_dependencies y))
  intros; unfold lt.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
S (length (elements (full_message_dependencies x)))
≤ length (elements (full_message_dependencies y))
  change (S _) with (length (x :: elements (full_message_dependencies x))).message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
length (x :: elements (full_message_dependencies x))
≤ length (elements (full_message_dependencies y))
  apply NoDup_subseteq_length.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
NoDup (x :: elements (full_message_dependencies x))
message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
x :: elements (full_message_dependencies x)
⊆ elements (full_message_dependencies y)
  -message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
NoDup (x :: elements (full_message_dependencies x)) constructor.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
x ∉ elements (full_message_dependencies x)
message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
NoDup (elements (full_message_dependencies x))
    +message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
x ∉ elements (full_message_dependencies x) by rewrite elem_of_elements; apply full_message_dependencies_irreflexive.
    +message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
NoDup (elements (full_message_dependencies x)) by apply NoDup_elements.
  -message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
x :: elements (full_message_dependencies x)
⊆ elements (full_message_dependencies y) intros z Hz; inversion Hz; subst; rewrite elem_of_elements in *.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
Hz: x ∈ x :: elements (full_message_dependencies x)
x ∈ full_message_dependencies y
message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
z: message
Hz: z ∈ x :: elements (full_message_dependencies x)
H10: z ∈ full_message_dependencies x
z ∈ full_message_dependencies y
    +message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
Hz: x ∈ x :: elements (full_message_dependencies x)
x ∈ full_message_dependencies y by apply full_message_dependencies_happens_before; constructor.
    +message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
x, y: message
H7: msg_dep_rel message_dependencies x y
z: message
Hz: z ∈ x :: elements (full_message_dependencies x)
H10: z ∈ full_message_dependencies x
z ∈ full_message_dependencies y by eapply msg_dep_rel_full_message_dependecies_subset.
Qed.

Lemma FullMessageDependencies_ind
  (P : message -> Prop)
  m
  (IHm : forall dm, dm ∈ full_message_dependencies m ->
    (forall dm0, dm0 ∈ full_message_dependencies dm -> P dm0) -> P dm)
  : forall dm, dm ∈ full_message_dependencies m -> P dm.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
P: message → Prop
m: message
IHm: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → (∀ dm0 : message,
       dm0 ∈ full_message_dependencies dm
       → P dm0) → P dm
∀ dm : message,
  dm ∈ full_message_dependencies m → P dm
Proof.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
P: message → Prop
m: message
IHm: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → (∀ dm0 : message,
       dm0 ∈ full_message_dependencies dm
       → P dm0) → P dm
∀ dm : message,
  dm ∈ full_message_dependencies m → P dm
  induction m  as (m & Hm) using (well_founded_ind msg_dep_happens_before_wf).message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
P: message → Prop
m: message
Hm: ∀ y : message,
  msg_dep_happens_before message_dependencies y m
  → (∀ dm : message,
       dm ∈ full_message_dependencies y
       → (∀ dm0 : message,
            dm0 ∈ full_message_dependencies dm
            → P dm0) → 
         P dm)
    → ∀ dm : message,
        dm ∈ full_message_dependencies y → P dm
IHm: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → (∀ dm0 : message,
       dm0 ∈ full_message_dependencies dm
       → P dm0) → P dm
∀ dm : message,
  dm ∈ full_message_dependencies m → P dm
  intros dm Hdm.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
P: message → Prop
m: message
Hm: ∀ y : message,
  msg_dep_happens_before message_dependencies y m
  → (∀ dm : message,
       dm ∈ full_message_dependencies y
       → (∀ dm0 : message,
            dm0 ∈ full_message_dependencies dm
            → P dm0) → 
         P dm)
    → ∀ dm : message,
        dm ∈ full_message_dependencies y → P dm
IHm: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → (∀ dm0 : message,
       dm0 ∈ full_message_dependencies dm
       → P dm0) → P dm
dm: message
Hdm: dm ∈ full_message_dependencies m
P dm
  apply IHm; [done |].message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
P: message → Prop
m: message
Hm: ∀ y : message,
  msg_dep_happens_before message_dependencies y m
  → (∀ dm : message,
       dm ∈ full_message_dependencies y
       → (∀ dm0 : message,
            dm0 ∈ full_message_dependencies dm
            → P dm0) → 
         P dm)
    → ∀ dm : message,
        dm ∈ full_message_dependencies y → P dm
IHm: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → (∀ dm0 : message,
       dm0 ∈ full_message_dependencies dm
       → P dm0) → P dm
dm: message
Hdm: dm ∈ full_message_dependencies m
∀ dm0 : message,
  dm0 ∈ full_message_dependencies dm → P dm0
  apply Hm; [by apply full_message_dependencies_happens_before |].message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
P: message → Prop
m: message
Hm: ∀ y : message,
  msg_dep_happens_before message_dependencies y m
  → (∀ dm : message,
       dm ∈ full_message_dependencies y
       → (∀ dm0 : message,
            dm0 ∈ full_message_dependencies dm
            → P dm0) → 
         P dm)
    → ∀ dm : message,
        dm ∈ full_message_dependencies y → P dm
IHm: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → (∀ dm0 : message,
       dm0 ∈ full_message_dependencies dm
       → P dm0) → P dm
dm: message
Hdm: dm ∈ full_message_dependencies m
∀ dm0 : message,
  dm0 ∈ full_message_dependencies dm
  → (∀ dm1 : message,
       dm1 ∈ full_message_dependencies dm0 → P dm1)
    → P dm0
  intros dm0 Hdm0.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
P: message → Prop
m: message
Hm: ∀ y : message,
  msg_dep_happens_before message_dependencies y m
  → (∀ dm : message,
       dm ∈ full_message_dependencies y
       → (∀ dm0 : message,
            dm0 ∈ full_message_dependencies dm
            → P dm0) → 
         P dm)
    → ∀ dm : message,
        dm ∈ full_message_dependencies y → P dm
IHm: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → (∀ dm0 : message,
       dm0 ∈ full_message_dependencies dm
       → P dm0) → P dm
dm: message
Hdm: dm ∈ full_message_dependencies m
dm0: message
Hdm0: dm0 ∈ full_message_dependencies dm
(∀ dm1 : message,
   dm1 ∈ full_message_dependencies dm0 → P dm1)
→ P dm0
  apply IHm, full_message_dependencies_happens_before.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
message_dependencies, full_message_dependencies: message → Cm
HFullMsgDep: FullMessageDependencies
  message_dependencies
  full_message_dependencies
P: message → Prop
m: message
Hm: ∀ y : message,
  msg_dep_happens_before message_dependencies y m
  → (∀ dm : message,
       dm ∈ full_message_dependencies y
       → (∀ dm0 : message,
            dm0 ∈ full_message_dependencies dm
            → P dm0) → 
         P dm)
    → ∀ dm : message,
        dm ∈ full_message_dependencies y → P dm
IHm: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → (∀ dm0 : message,
       dm0 ∈ full_message_dependencies dm
       → P dm0) → P dm
dm: message
Hdm: dm ∈ full_message_dependencies m
dm0: message
Hdm0: dm0 ∈ full_message_dependencies dm
msg_dep_happens_before message_dependencies dm0 m
  by transitivity dm; apply full_message_dependencies_happens_before.
Qed.

End sec_FullMessageDependencies_happens_before.

Basic validation condition for free composition

In this section we show (Lemma valid_free_validating_is_message_validating) that, under FullMessageDependencies assumptions, if the validity predicate ensures that message itself and all of its dependencies can be emitted using only its dependencies, then the input message is valid for the free composition. Thus, the component itself is a validator for the free composition.

Section sec_free_composition_validators.

Context
  {message : Type}
  `{finite.Finite index}
  (IM : index -> VLSM message)
  `{forall i, HasBeenSentCapability (IM i)}
  `{forall i, HasBeenReceivedCapability (IM i)}
  {validator : Type}
  (A : validator -> index)
  (sender : message -> option validator)
  `(message_dependencies : message -> Cm)
  `(full_message_dependencies : message -> Cm)
  `{FullMessageDependencies message Cm message_dependencies full_message_dependencies}
  .

The property of a message of having a sender and being emittable by the component corresponding to its sender preloaded with the dependencies of the message.

Inductive Emittable_from_dependencies_prop (m : message) : Prop :=
| efdp : forall (v : validator) (Hsender : sender m = Some v)
            (Hemittable : can_emit
              (preloaded_vlsm (IM (A v)) (fun dm => dm ∈ message_dependencies m))
              m),
             Emittable_from_dependencies_prop m.

Definition emittable_from_dependencies_prop (m : message) : Prop :=
  match sender m with
  | None => False
  | Some v => can_emit (preloaded_vlsm (IM (A v)) (fun dm => dm ∈ message_dependencies m)) m
  end.

Lemma emittable_from_dependencies_prop_iff m
  : Emittable_from_dependencies_prop m <-> emittable_from_dependencies_prop m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Emittable_from_dependencies_prop m
↔ emittable_from_dependencies_prop m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Emittable_from_dependencies_prop m
↔ emittable_from_dependencies_prop m
  unfold emittable_from_dependencies_prop; split.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Emittable_from_dependencies_prop m
→ match sender m with
  | Some v =>
      can_emit
        (preloaded_vlsm (IM (A v))
           (λ dm : message,
              dm ∈ message_dependencies m)) m
  | None => False
  end
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
match sender m with
| Some v =>
    can_emit
      (preloaded_vlsm (IM (A v))
         (λ dm : message, dm ∈ message_dependencies m))
      m
| None => False
end → Emittable_from_dependencies_prop m
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Emittable_from_dependencies_prop m
→ match sender m with
  | Some v =>
      can_emit
        (preloaded_vlsm (IM (A v))
           (λ dm : message,
              dm ∈ message_dependencies m)) m
  | None => False
  end by inversion 1; rewrite Hsender.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
match sender m with
| Some v =>
    can_emit
      (preloaded_vlsm (IM (A v))
         (λ dm : message, dm ∈ message_dependencies m))
      m
| None => False
end → Emittable_from_dependencies_prop m by destruct (sender m) eqn: Hsender; [exists v | inversion 1].
Qed.

The property of a message that both itself and all of its dependencies are emittable from their dependencies.

Definition all_dependencies_emittable_from_dependencies_prop (m : message) : Prop :=
  forall dm, dm ∈ m :: elements (full_message_dependencies m) -> Emittable_from_dependencies_prop dm.

The property of requiring that the validity predicate subsumes the all_dependencies_emittable_from_dependencies_property.

Definition valid_all_dependencies_emittable_from_dependencies_prop (i : index) : Prop :=
  forall l s m, input_constrained (IM i) l (s, Some m) ->
    all_dependencies_emittable_from_dependencies_prop m.

If a message can be emitted by a component preloaded with the message's direct dependencies, and if all the dependencies of the message are valid for the free composition, then the message itself is valid for the free composition.

Lemma free_valid_from_valid_dependencies
  m i
  (Hm : can_emit (preloaded_vlsm (IM i) (fun dm => dm ∈ message_dependencies m)) m)
  (Hdeps :
    forall dm, dm ∈ full_message_dependencies m ->
      valid_message_prop (free_composite_vlsm IM) dm)
  : valid_message_prop (free_composite_vlsm IM) m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
i: index
Hm: can_emit
  (preloaded_vlsm (IM i)
     (λ dm : message, dm ∈ message_dependencies m))
  m
Hdeps: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → valid_message_prop
      (free_composite_vlsm IM) dm
valid_message_prop (free_composite_vlsm IM) m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
i: index
Hm: can_emit
  (preloaded_vlsm (IM i)
     (λ dm : message, dm ∈ message_dependencies m))
  m
Hdeps: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → valid_message_prop
      (free_composite_vlsm IM) dm
valid_message_prop (free_composite_vlsm IM) m
  eapply emitted_messages_are_valid, free_valid_preloaded_lifts_can_be_emitted; [| done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
i: index
Hm: can_emit
  (preloaded_vlsm (IM i)
     (λ dm : message, dm ∈ message_dependencies m))
  m
Hdeps: ∀ dm : message,
  dm ∈ full_message_dependencies m
  → valid_message_prop
      (free_composite_vlsm IM) dm
∀ dm : message,
  (λ dm0 : message, dm0 ∈ message_dependencies m) dm
  → valid_message_prop (free_composite_vlsm IM) dm
  by intros; apply Hdeps, full_message_dependencies_happens_before, msg_dep_happens_before_iff_one;
    left.
Qed.

Any message with the all_dependencies_emittable_from_dependencies_property is valid for the free composition.

Lemma free_valid_from_all_dependencies_emitable_from_dependencies :
  forall m,
    all_dependencies_emittable_from_dependencies_prop m ->
      valid_message_prop (free_composite_vlsm IM) m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
∀ m : message,
  all_dependencies_emittable_from_dependencies_prop m
  → valid_message_prop (free_composite_vlsm IM) m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
∀ m : message,
  all_dependencies_emittable_from_dependencies_prop m
  → valid_message_prop (free_composite_vlsm IM) m
  intros m Hm.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Hm: all_dependencies_emittable_from_dependencies_prop
  m
valid_message_prop (free_composite_vlsm IM) m
  specialize (Hm m) as Hemit; spec Hemit; [left |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Hm: all_dependencies_emittable_from_dependencies_prop
  m
Hemit: Emittable_from_dependencies_prop m
valid_message_prop (free_composite_vlsm IM) m
  inversion Hemit as [v _ Hemit']; clear Hemit.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Hm: all_dependencies_emittable_from_dependencies_prop
  m
v: validator
Hemit': can_emit
  (preloaded_vlsm (IM (A v))
     (λ dm : message,
        dm ∈ message_dependencies m)) m
valid_message_prop (free_composite_vlsm IM) m
  apply free_valid_from_valid_dependencies with (A v); [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Hm: all_dependencies_emittable_from_dependencies_prop
  m
v: validator
Hemit': can_emit
  (preloaded_vlsm (IM (A v))
     (λ dm : message,
        dm ∈ message_dependencies m)) m
∀ dm : message,
  dm ∈ full_message_dependencies m
  → valid_message_prop (free_composite_vlsm IM) dm
  clear v Hemit'.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Hm: all_dependencies_emittable_from_dependencies_prop
  m
∀ dm : message,
  dm ∈ full_message_dependencies m
  → valid_message_prop (free_composite_vlsm IM) dm
  eapply FullMessageDependencies_ind; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Hm: all_dependencies_emittable_from_dependencies_prop
  m
∀ dm : message,
  dm ∈ full_message_dependencies m
  → (∀ dm0 : message,
       dm0 ∈ full_message_dependencies dm
       → valid_message_prop (free_composite_vlsm IM)
           dm0)
    → valid_message_prop (free_composite_vlsm IM) dm
  intros dm Hdm Hdeps.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m: message
Hm: all_dependencies_emittable_from_dependencies_prop
  m
dm: message
Hdm: dm ∈ full_message_dependencies m
Hdeps: ∀ dm0 : message,
  dm0 ∈ full_message_dependencies dm
  → valid_message_prop
      (free_composite_vlsm IM) dm0
valid_message_prop (free_composite_vlsm IM) dm
  specialize (Hm dm); spec Hm; [by right; apply elem_of_elements |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m, dm: message
Hdm: dm ∈ full_message_dependencies m
Hdeps: ∀ dm0 : message,
  dm0 ∈ full_message_dependencies dm
  → valid_message_prop
      (free_composite_vlsm IM) dm0
Hm: Emittable_from_dependencies_prop dm
valid_message_prop (free_composite_vlsm IM) dm
  inversion Hm as [v _ ?]; clear Hm.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
m, dm: message
Hdm: dm ∈ full_message_dependencies m
Hdeps: ∀ dm0 : message,
  dm0 ∈ full_message_dependencies dm
  → valid_message_prop
      (free_composite_vlsm IM) dm0
v: validator
Hemittable: can_emit
  (preloaded_vlsm (IM (A v))
     (λ dm0 : message,
        dm0 ∈ message_dependencies dm))
  dm
valid_message_prop (free_composite_vlsm IM) dm
  by apply free_valid_from_valid_dependencies with (A v).
Qed.

If a component in a composition satisfies the valid_all_dependencies_emittable_from_dependencies_property, then it also has the component_message_validator_property, that is, it is a validator for the free composition.

Lemma valid_free_validating_is_message_validating
  : forall i, valid_all_dependencies_emittable_from_dependencies_prop i ->
    component_message_validator_prop IM (free_constraint IM) i.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
∀ i : index,
  valid_all_dependencies_emittable_from_dependencies_prop
    i
  → component_message_validator_prop IM
      (free_constraint IM) i
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
∀ i : index,
  valid_all_dependencies_emittable_from_dependencies_prop
    i
  → component_message_validator_prop IM
      (free_constraint IM) i
  intros i Hvalidating l s im Hv.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
i: index
Hvalidating: valid_all_dependencies_emittable_from_dependencies_prop
  i
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
im: message
Hv: input_constrained (IM i) l (s, Some im)
valid_message_prop
  (composite_vlsm IM (free_constraint IM)) im
  eapply VLSM_incl_valid_message.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
i: index
Hvalidating: valid_all_dependencies_emittable_from_dependencies_prop
  i
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
im: message
Hv: input_constrained (IM i) l (s, Some im)
VLSM_incl_part ?MX
  (constrained_vlsm_machine (free_composite_vlsm IM)
     (free_constraint IM))
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
i: index
Hvalidating: valid_all_dependencies_emittable_from_dependencies_prop
  i
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
im: message
Hv: input_constrained (IM i) l (s, Some im)
strong_incl_initial_message_preservation 
  ?MX
  (constrained_vlsm_machine 
     (free_composite_vlsm IM) 
     (free_constraint IM))
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
i: index
Hvalidating: valid_all_dependencies_emittable_from_dependencies_prop
  i
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
im: message
Hv: input_constrained (IM i) l (s, Some im)
valid_message_prop
  {|
    vlsm_type := free_composite_vlsm IM;
    vlsm_machine := ?MX
  |} im
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
i: index
Hvalidating: valid_all_dependencies_emittable_from_dependencies_prop
  i
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
im: message
Hv: input_constrained (IM i) l (s, Some im)
VLSM_incl_part ?MX
  (constrained_vlsm_machine (free_composite_vlsm IM)
     (free_constraint IM)) by apply free_composite_vlsm_spec.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
i: index
Hvalidating: valid_all_dependencies_emittable_from_dependencies_prop
  i
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
im: message
Hv: input_constrained (IM i) l (s, Some im)
strong_incl_initial_message_preservation
  {|
    vlsm_type := free_composite_vlsm IM;
    vlsm_machine := free_composite_vlsm IM
  |}
  (constrained_vlsm_machine (free_composite_vlsm IM)
     (free_constraint IM)) by do 2 red.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
i: index
Hvalidating: valid_all_dependencies_emittable_from_dependencies_prop
  i
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
im: message
Hv: input_constrained (IM i) l (s, Some im)
valid_message_prop
  {|
    vlsm_type := free_composite_vlsm IM;
    vlsm_machine :=
      {|
        vlsm_type := free_composite_vlsm IM;
        vlsm_machine := free_composite_vlsm IM
      |}
  |} im by eapply free_valid_from_all_dependencies_emitable_from_dependencies, Hvalidating.
Qed.

Under several additional (but regularly used) assumptions, including the MessageDependencies assumptions, the channel_authentication_property and the no_initial_messages_in_IM_property, we can show that the component_message_validator_property is fully equivalent to the valid_all_dependencies_emittable_from_dependencies_property.

Lemma valid_free_validating_equiv_message_validating
  `{forall i, MessageDependencies (IM i) message_dependencies}
  (Hchannel : channel_authentication_prop IM A sender)
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop IM)
  : forall i, component_message_validator_prop IM (free_constraint IM) i <->
  valid_all_dependencies_emittable_from_dependencies_prop i.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
∀ i : index,
  component_message_validator_prop IM
    (free_constraint IM) i
  ↔ valid_all_dependencies_emittable_from_dependencies_prop
      i
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
∀ i : index,
  component_message_validator_prop IM
    (free_constraint IM) i
  ↔ valid_all_dependencies_emittable_from_dependencies_prop
      i
  intros i; split; [| apply valid_free_validating_is_message_validating].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
component_message_validator_prop IM
  (free_constraint IM) i
→ valid_all_dependencies_emittable_from_dependencies_prop
    i
  intros Hvalidator l s m Hv dm Hdm.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
Hvalidator: component_message_validator_prop IM
  (free_constraint IM) i
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
m: message
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Emittable_from_dependencies_prop dm
  specialize (Hvalidator l s m Hv).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Emittable_from_dependencies_prop dm
  inversion Hdm as [| ? ? ? Hin]; subst.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
Hdm: m ∈ m :: elements (full_message_dependencies m)
Emittable_from_dependencies_prop m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Hin: dm ∈ elements (full_message_dependencies m)
Emittable_from_dependencies_prop dm
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
Hdm: m ∈ m :: elements (full_message_dependencies m)
Emittable_from_dependencies_prop m eapply composite_no_initial_valid_messages_emitted_by_sender in Hvalidator
        as (v & Hsender & Hemit); [| done | done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
Hdm: m ∈ m :: elements (full_message_dependencies m)
v: validator
Hsender: sender m = Some v
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM (A v)))
  m
Emittable_from_dependencies_prop m
    exists v; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
Hdm: m ∈ m :: elements (full_message_dependencies m)
v: validator
Hsender: sender m = Some v
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM (A v)))
  m
can_emit
  (preloaded_vlsm (IM (A v))
     (λ dm : message, dm ∈ message_dependencies m)) m
    by eapply message_dependencies_are_sufficient.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Hin: dm ∈ elements (full_message_dependencies m)
Emittable_from_dependencies_prop dm apply elem_of_elements, full_message_dependencies_happens_before in Hin.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Hin: msg_dep_happens_before message_dependencies dm m
Emittable_from_dependencies_prop dm
    eapply msg_dep_happens_before_composite_no_initial_valid_messages_emitted_by_sender in Hin
        as (v & Hsender & Hemit); [| done.. |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
v: validator
Hsender: sender dm = Some v
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM (A v)))
  dm
Emittable_from_dependencies_prop dm
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Hin: msg_dep_happens_before message_dependencies dm m
valid_message_prop (free_composite_vlsm IM) m
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
v: validator
Hsender: sender dm = Some v
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM (A v)))
  dm
Emittable_from_dependencies_prop dm exists v; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
v: validator
Hsender: sender dm = Some v
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM (A v)))
  dm
can_emit
  (preloaded_vlsm (IM (A v))
     (λ dm0 : message, dm0 ∈ message_dependencies dm))
  dm
      by eapply message_dependencies_are_sufficient.
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Hin: msg_dep_happens_before message_dependencies dm m
valid_message_prop (free_composite_vlsm IM) m eapply VLSM_incl_valid_message; [| | done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Hin: msg_dep_happens_before message_dependencies dm m
VLSM_incl_part
  (constrained_vlsm_machine (free_composite_vlsm IM)
     (free_constraint IM))
  (free_composite_vlsm_machine IM)
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Hin: msg_dep_happens_before message_dependencies dm m
strong_incl_initial_message_preservation
  (constrained_vlsm_machine 
     (free_composite_vlsm IM) 
     (free_constraint IM))
  (free_composite_vlsm_machine IM)
      *message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Hin: msg_dep_happens_before message_dependencies dm m
VLSM_incl_part
  (constrained_vlsm_machine (free_composite_vlsm IM)
     (free_constraint IM))
  (free_composite_vlsm_machine IM) by apply free_composite_vlsm_spec.
      *message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
A: validator → index
sender: message → option validator
Cm: Type
message_dependencies, full_message_dependencies: message → Cm
H2: ElemOf message Cm
H3: Empty Cm
H4: Singleton message Cm
H5: Union Cm
H6: Intersection Cm
H7: Difference Cm
H8: Elements message Cm
EqDecision1: EqDecision message
H9: FinSet message Cm
H10: FullMessageDependencies message_dependencies
  full_message_dependencies
H11: ∀ i : index,
  MessageDependencies (IM i)
    message_dependencies
Hchannel: channel_authentication_prop IM A sender
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
  IM
i: index
m: message
Hvalidator: valid_message_prop
  (composite_vlsm IM (free_constraint IM))
  m
l: label (preloaded_with_all_messages_vlsm (IM i))
s: state (preloaded_with_all_messages_vlsm (IM i))
Hv: input_constrained (IM i) l (s, Some m)
dm: message
Hdm: dm ∈ m :: elements (full_message_dependencies m)
Hin: msg_dep_happens_before message_dependencies dm m
strong_incl_initial_message_preservation
  (constrained_vlsm_machine (free_composite_vlsm IM)
     (free_constraint IM))
  (free_composite_vlsm_machine IM) by do 2 red.
Qed.

End sec_free_composition_validators.

Section sec_CompositeHasBeenObserved_dec.

Context
  `{FinSet message Cm}
  `{finite.Finite index}
  (message_dependencies : message -> Cm)
  (IM : index -> VLSM message)
  `{forall i, ComputableSentMessages (IM i)}
  `{forall i, ComputableReceivedMessages (IM i)}
  .

#[export] Instance CompositeHasBeenObserved_dec
  `{FullMessageDependencies message Cm message_dependencies full_message_dependencies}
  : RelDecision (CompositeHasBeenObserved IM message_dependencies).message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
RelDecision
  (CompositeHasBeenObserved IM message_dependencies)
Proof.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
RelDecision
  (CompositeHasBeenObserved IM message_dependencies)
  intros s m.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
Decision
  (CompositeHasBeenObserved IM message_dependencies s
     m)
  destruct (decide (composite_has_been_directly_observed IM s m));
    [by left; constructor |].message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
Decision
  (CompositeHasBeenObserved IM message_dependencies s
     m)
  destruct (decide (Exists (fun m' => m ∈ elements (full_message_dependencies m'))
                      (composite_observed_messages_set IM s))).message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
e: Exists
  (λ m' : message,
     m ∈ elements (full_message_dependencies m'))
  (composite_observed_messages_set IM s)
Decision
  (CompositeHasBeenObserved IM message_dependencies s
     m)
message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
n0: ¬ Exists
    (λ m' : message,
       m
       ∈ elements (full_message_dependencies m'))
    (composite_observed_messages_set IM s)
Decision
  (CompositeHasBeenObserved IM message_dependencies s
     m)
  -message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
e: Exists
  (λ m' : message,
     m ∈ elements (full_message_dependencies m'))
  (composite_observed_messages_set IM s)
Decision
  (CompositeHasBeenObserved IM message_dependencies s
     m) left.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
e: Exists
  (λ m' : message,
     m ∈ elements (full_message_dependencies m'))
  (composite_observed_messages_set IM s)
CompositeHasBeenObserved IM message_dependencies s m
    apply Exists_exists in e as (m' & Hobsm' & Hmm').message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
m': message
Hobsm': m' ∈ composite_observed_messages_set IM s
Hmm': m ∈ elements (full_message_dependencies m')
CompositeHasBeenObserved IM message_dependencies s m
    constructor 2 with m'.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
m': message
Hobsm': m' ∈ composite_observed_messages_set IM s
Hmm': m ∈ elements (full_message_dependencies m')
composite_has_been_directly_observed IM s m'
message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
m': message
Hobsm': m' ∈ composite_observed_messages_set IM s
Hmm': m ∈ elements (full_message_dependencies m')
msg_dep_happens_before message_dependencies m m'
    +message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
m': message
Hobsm': m' ∈ composite_observed_messages_set IM s
Hmm': m ∈ elements (full_message_dependencies m')
composite_has_been_directly_observed IM s m' by apply elem_of_composite_observed_messages_set.
    +message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
m': message
Hobsm': m' ∈ composite_observed_messages_set IM s
Hmm': m ∈ elements (full_message_dependencies m')
msg_dep_happens_before message_dependencies m m' by apply full_message_dependencies_happens_before; apply elem_of_elements in Hmm'.
  -message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
n0: ¬ Exists
    (λ m' : message,
       m
       ∈ elements (full_message_dependencies m'))
    (composite_observed_messages_set IM s)
Decision
  (CompositeHasBeenObserved IM message_dependencies s
     m) right; inversion 1; [by contradict n |].message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
n0: ¬ Exists
    (λ m' : message,
       m
       ∈ elements (full_message_dependencies m'))
    (composite_observed_messages_set IM s)
H19: CompositeHasBeenObserved IM message_dependencies
  s m
m': message
H20: composite_has_been_directly_observed IM s m'
H21: msg_dep_happens_before message_dependencies m m'
False
    contradict n0; apply Exists_exists; exists m'; split.message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
H19: CompositeHasBeenObserved IM message_dependencies
  s m
m': message
H20: composite_has_been_directly_observed IM s m'
H21: msg_dep_happens_before message_dependencies m m'
m' ∈ composite_observed_messages_set IM s
message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
H19: CompositeHasBeenObserved IM message_dependencies
  s m
m': message
H20: composite_has_been_directly_observed IM s m'
H21: msg_dep_happens_before message_dependencies m m'
m ∈ elements (full_message_dependencies m')
    +message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
H19: CompositeHasBeenObserved IM message_dependencies
  s m
m': message
H20: composite_has_been_directly_observed IM s m'
H21: msg_dep_happens_before message_dependencies m m'
m' ∈ composite_observed_messages_set IM s by apply elem_of_composite_observed_messages_set.
    +message, Cm: Type
H: ElemOf message Cm
H0: Empty Cm
H1: Singleton message Cm
H2: Union Cm
H3: Intersection Cm
H4: Difference Cm
H5: Elements message Cm
EqDecision0: EqDecision message
H6: FinSet message Cm
index: Type
EqDecision1: EqDecision index
H7: finite.Finite index
message_dependencies: message → Cm
IM: index → VLSM message
H8: ∀ i : index, ComputableSentMessages (IM i)
H9: ∀ i : index, ComputableReceivedMessages (IM i)
H10: ElemOf message Cm
H11: Empty Cm
H12: Singleton message Cm
H13: Union Cm
H14: Intersection Cm
H15: Difference Cm
H16: Elements message Cm
EqDecision2: EqDecision message
H17: FinSet message Cm
full_message_dependencies: message → Cm
H18: FullMessageDependencies message_dependencies
  full_message_dependencies
s: composite_state IM
m: message
n: ¬ composite_has_been_directly_observed IM s m
H19: CompositeHasBeenObserved IM message_dependencies
  s m
m': message
H20: composite_has_been_directly_observed IM s m'
H21: msg_dep_happens_before message_dependencies m m'
m ∈ elements (full_message_dependencies m') by apply elem_of_elements; apply full_message_dependencies_happens_before.
Qed.

End sec_CompositeHasBeenObserved_dec.

Section sec_msg_dep_is_globally_equivocating_props.

Context
  {message : Type}
  `{EqDecision index}
  (IM : index -> VLSM message)
  `{forall i, HasBeenSentCapability (IM i)}
  `{forall i, HasBeenReceivedCapability (IM i)}
  `{FinSet message Cm}
  (message_dependencies : message -> Cm)
  `(sender : message -> option validator)
  (A : validator -> index)
  (Hauth : channel_authentication_prop IM A sender)
  (Hsender_safety := channel_authentication_sender_safety _ _ _ Hauth)
  (Free := free_composite_vlsm IM)
  .

Input valid transitions preserve (global) evidence of equivocation on components not touched by the transitions.

Lemma input_valid_transition_preserves_msg_dep_is_globally_equivocating :
  forall (s : composite_state IM) (item : composite_transition_item IM),
    input_constrained_transition_item Free s item ->
    forall j, destination item j = s j ->
    forall v, A v = j ->
      msg_dep_is_globally_equivocating IM message_dependencies sender s v ->
      msg_dep_is_globally_equivocating IM message_dependencies sender (destination item) v.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (item : composite_transition_item
                                     IM),
  input_constrained_transition_item Free s item
  → ∀ j : index,
      destination item j = s j
      → ∀ v : validator,
          A v = j
          → msg_dep_is_globally_equivocating IM
              message_dependencies sender s v
            → msg_dep_is_globally_equivocating IM
                message_dependencies sender
                (destination item) v
Proof.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (item : composite_transition_item
                                     IM),
  input_constrained_transition_item Free s item
  → ∀ j : index,
      destination item j = s j
      → ∀ v : validator,
          A v = j
          → msg_dep_is_globally_equivocating IM
              message_dependencies sender s v
            → msg_dep_is_globally_equivocating IM
                message_dependencies sender
                (destination item) v
  intros s item Ht j Hsj v Hv [m []].message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
Ht: input_constrained_transition_item Free s item
j: index
Hsj: destination item j = s j
v: validator
Hv: A v = j
m: message
mdgee_sender0: sender m = Some v
mdgee_rec_observed0: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent0: ¬ composite_has_been_sent IM s m
msg_dep_is_globally_equivocating IM
  message_dependencies sender (destination item) v
  exists m; constructor; [done | ..].message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
Ht: input_constrained_transition_item Free s item
j: index
Hsj: destination item j = s j
v: validator
Hv: A v = j
m: message
mdgee_sender0: sender m = Some v
mdgee_rec_observed0: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent0: ¬ composite_has_been_sent IM s m
CompositeHasBeenObserved IM message_dependencies
  (destination item) m
message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
Ht: input_constrained_transition_item Free s item
j: index
Hsj: destination item j = s j
v: validator
Hv: A v = j
m: message
mdgee_sender0: sender m = Some v
mdgee_rec_observed0: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent0: ¬ composite_has_been_sent IM s m
¬ composite_has_been_sent IM (destination item) m
  -message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
Ht: input_constrained_transition_item Free s item
j: index
Hsj: destination item j = s j
v: validator
Hv: A v = j
m: message
mdgee_sender0: sender m = Some v
mdgee_rec_observed0: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent0: ¬ composite_has_been_sent IM s m
CompositeHasBeenObserved IM message_dependencies
  (destination item) m by eapply transition_preserves_CompositeHasBeenObserved.
  -message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
Ht: input_constrained_transition_item Free s item
j: index
Hsj: destination item j = s j
v: validator
Hv: A v = j
m: message
mdgee_sender0: sender m = Some v
mdgee_rec_observed0: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent0: ¬ composite_has_been_sent IM s m
¬ composite_has_been_sent IM (destination item) m contradict mdgee_not_sent0.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
Ht: input_constrained_transition_item Free s item
j: index
Hsj: destination item j = s j
v: validator
Hv: A v = j
m: message
mdgee_sender0: sender m = Some v
mdgee_rec_observed0: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent0: composite_has_been_sent IM
  (destination item) m
composite_has_been_sent IM s m
    apply exists_right_finite_trace_from in Ht as (is & tr & Htr & _).message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is
  (destination item)
  (tr ++
   [{|
      l := l item;
      input := input item;
      destination := destination item;
      output := output item
    |}])
j: index
Hsj: destination item j = s j
v: validator
Hv: A v = j
m: message
mdgee_sender0: sender m = Some v
mdgee_rec_observed0: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent0: composite_has_been_sent IM
  (destination item) m
composite_has_been_sent IM s m
    eapply has_been_sent_iff_by_sender in mdgee_not_sent0; [| done..].message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is
  (destination item)
  (tr ++
   [{|
      l := l item;
      input := input item;
      destination := destination item;
      output := output item
    |}])
j: index
Hsj: destination item j = s j
v: validator
Hv: A v = j
m: message
mdgee_sender0: sender m = Some v
mdgee_rec_observed0: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent0: has_been_sent (IM (A v))
  (destination item (A v)) m
composite_has_been_sent IM s m
    rewrite Hv, Hsj in mdgee_not_sent0.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
is: state (preloaded_with_all_messages_vlsm Free)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Free) is
  (destination item)
  (tr ++
   [{|
      l := l item;
      input := input item;
      destination := destination item;
      output := output item
    |}])
j: index
Hsj: destination item j = s j
v: validator
Hv: A v = j
m: message
mdgee_sender0: sender m = Some v
mdgee_rec_observed0: CompositeHasBeenObserved IM
  message_dependencies s m
mdgee_not_sent0: has_been_sent (IM j) (s j) m
composite_has_been_sent IM s m
    by eexists.
Qed.

We also define the case in which a transition doesn't forget equivocation.

Definition transition_preserves_global_equivocation
  (s : composite_state IM) (item : composite_transition_item IM) : Prop :=
  forall (v : validator),
    msg_dep_is_globally_equivocating IM message_dependencies sender s v ->
    msg_dep_is_globally_equivocating IM message_dependencies sender (destination item) v.

Inductive TraceMonotoneGlobalEquivocation :
  composite_state IM -> list (composite_transition_item IM) -> Prop :=
| tpge_initial :
    forall (s : composite_state IM), TraceMonotoneGlobalEquivocation s []
| tpge_step :
    forall (s : composite_state IM) (item : composite_transition_item IM)
      (tr : list (composite_transition_item IM)),
      transition_preserves_global_equivocation s item ->
      TraceMonotoneGlobalEquivocation (destination item) tr ->
      TraceMonotoneGlobalEquivocation s (item :: tr).

Definition trace_monotone_global_equivocation
  (s : composite_state IM) (tr : list (composite_transition_item IM)) : Prop :=
    forall (pre suf : list (composite_transition_item IM)) (item : composite_transition_item IM),
      tr = pre ++ [item] ++ suf ->
      transition_preserves_global_equivocation (finite_trace_last s pre) item.

Lemma trace_monotone_global_equivocation_def_equiv :
  forall (s : composite_state IM) (tr : list (composite_transition_item IM)),
    trace_monotone_global_equivocation s tr
      <->
    TraceMonotoneGlobalEquivocation s tr.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (tr : list
                                   (composite_transition_item
                                      IM)),
  trace_monotone_global_equivocation s tr
  ↔ TraceMonotoneGlobalEquivocation s tr
Proof.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (tr : list
                                   (composite_transition_item
                                      IM)),
  trace_monotone_global_equivocation s tr
  ↔ TraceMonotoneGlobalEquivocation s tr
  split.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
tr: list (composite_transition_item IM)
trace_monotone_global_equivocation s tr
→ TraceMonotoneGlobalEquivocation s tr
message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
tr: list (composite_transition_item IM)
TraceMonotoneGlobalEquivocation s tr
→ trace_monotone_global_equivocation s tr
  -message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
tr: list (composite_transition_item IM)
trace_monotone_global_equivocation s tr
→ TraceMonotoneGlobalEquivocation s tr remember (length tr) as n; revert s tr Heqn.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
n: nat
∀ (s : composite_state IM) (tr : list
                                   (composite_transition_item
                                      IM)),
  n = length tr
  → trace_monotone_global_equivocation s tr
    → TraceMonotoneGlobalEquivocation s tr
    induction n as [n IHn] using (well_founded_ind lt_wf).message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
n: nat
IHn: ∀ y : nat,
  y < n
  → ∀ (s : composite_state IM) 
      (tr : list (composite_transition_item IM)),
      y = length tr
      → trace_monotone_global_equivocation s tr
        → TraceMonotoneGlobalEquivocation s tr
∀ (s : composite_state IM) (tr : list
                                   (composite_transition_item
                                      IM)),
  n = length tr
  → trace_monotone_global_equivocation s tr
    → TraceMonotoneGlobalEquivocation s tr
    intros s [| item tr]; [by constructor |].message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
n: nat
IHn: ∀ y : nat,
  y < n
  → ∀ (s : composite_state IM) 
      (tr : list (composite_transition_item IM)),
      y = length tr
      → trace_monotone_global_equivocation s tr
        → TraceMonotoneGlobalEquivocation s tr
s: composite_state IM
item: composite_transition_item IM
tr: list (composite_transition_item IM)
n = length (item :: tr)
→ trace_monotone_global_equivocation s (item :: tr)
  → TraceMonotoneGlobalEquivocation s (item :: tr)
    cbn; intros -> Hall; constructor; [by apply (Hall [] tr) |].message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
tr: list (composite_transition_item IM)
IHn: ∀ y : nat,
  y < S (length tr)
  → ∀ (s : composite_state IM) 
      (tr : list (composite_transition_item IM)),
      y = length tr
      → trace_monotone_global_equivocation s tr
        → TraceMonotoneGlobalEquivocation s tr
s: composite_state IM
item: composite_transition_item IM
Hall: trace_monotone_global_equivocation s
  (item :: tr)
TraceMonotoneGlobalEquivocation (destination item) tr
    eapply IHn; cycle 1; [done | | by lia].message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
tr: list (composite_transition_item IM)
IHn: ∀ y : nat,
  y < S (length tr)
  → ∀ (s : composite_state IM) 
      (tr : list (composite_transition_item IM)),
      y = length tr
      → trace_monotone_global_equivocation s tr
        → TraceMonotoneGlobalEquivocation s tr
s: composite_state IM
item: composite_transition_item IM
Hall: trace_monotone_global_equivocation s
  (item :: tr)
trace_monotone_global_equivocation (destination item)
  tr
    intros pre suf item' ->.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
pre, suf: list (composite_transition_item IM)
item': composite_transition_item IM
IHn: ∀ y : nat,
  y < S (length (pre ++ [item'] ++ suf))
  → ∀ (s : composite_state IM) 
      (tr : list (composite_transition_item IM)),
      y = length tr
      → trace_monotone_global_equivocation s tr
        → TraceMonotoneGlobalEquivocation s tr
s: composite_state IM
item: composite_transition_item IM
Hall: trace_monotone_global_equivocation s
  (item :: pre ++ [item'] ++ suf)
transition_preserves_global_equivocation
  (finite_trace_last (destination item) pre) item'
    specialize (Hall (item :: pre) suf item').message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
pre, suf: list (composite_transition_item IM)
item': composite_transition_item IM
IHn: ∀ y : nat,
  y < S (length (pre ++ [item'] ++ suf))
  → ∀ (s : composite_state IM) 
      (tr : list (composite_transition_item IM)),
      y = length tr
      → trace_monotone_global_equivocation s tr
        → TraceMonotoneGlobalEquivocation s tr
s: composite_state IM
item: composite_transition_item IM
Hall: item :: pre ++ [item'] ++ suf =
(item :: pre) ++ [item'] ++ suf
→ transition_preserves_global_equivocation
    (finite_trace_last s (item :: pre)) item'
transition_preserves_global_equivocation
  (finite_trace_last (destination item) pre) item'
    rewrite finite_trace_last_cons in Hall; apply Hall.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
pre, suf: list (composite_transition_item IM)
item': composite_transition_item IM
IHn: ∀ y : nat,
  y < S (length (pre ++ [item'] ++ suf))
  → ∀ (s : composite_state IM) 
      (tr : list (composite_transition_item IM)),
      y = length tr
      → trace_monotone_global_equivocation s tr
        → TraceMonotoneGlobalEquivocation s tr
s: composite_state IM
item: composite_transition_item IM
Hall: item :: pre ++ [item'] ++ suf =
(item :: pre) ++ [item'] ++ suf
→ transition_preserves_global_equivocation
    (finite_trace_last (destination item) pre)
    item'
item :: pre ++ [item'] ++ suf =
(item :: pre) ++ [item'] ++ suf
    by simplify_list_eq.
  -message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
tr: list (composite_transition_item IM)
TraceMonotoneGlobalEquivocation s tr
→ trace_monotone_global_equivocation s tr induction 1; intros pre suf item1 Heq; [by destruct pre |].message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
item: composite_transition_item IM
tr: list (composite_transition_item IM)
H9: transition_preserves_global_equivocation s item
H10: TraceMonotoneGlobalEquivocation
  (destination item) tr
IHTraceMonotoneGlobalEquivocation: trace_monotone_global_equivocation
  (destination
     item) tr
pre, suf: list (composite_transition_item IM)
item1: composite_transition_item IM
Heq: item :: tr = pre ++ [item1] ++ suf
transition_preserves_global_equivocation
  (finite_trace_last s pre) item1
    destruct pre as [| _item pre]; simplify_list_eq; [done |].message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
_item: composite_transition_item IM
H9: transition_preserves_global_equivocation s _item
pre, suf: list (composite_transition_item IM)
item1: composite_transition_item IM
H10: TraceMonotoneGlobalEquivocation
  (destination _item) (pre ++ item1 :: suf)
IHTraceMonotoneGlobalEquivocation: trace_monotone_global_equivocation
  (destination
     _item)
  (pre ++
   item1 :: suf)
transition_preserves_global_equivocation
  (finite_trace_last s (_item :: pre)) item1
    rewrite finite_trace_last_cons.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
Cm: Type
H1: ElemOf message Cm
H2: Empty Cm
H3: Singleton message Cm
H4: Union Cm
H5: Intersection Cm
H6: Difference Cm
H7: Elements message Cm
EqDecision1: EqDecision message
H8: FinSet message Cm
message_dependencies: message → Cm
validator: Type
sender: message → option validator
A: validator → index
Hauth: channel_authentication_prop IM A sender
Hsender_safety:= channel_authentication_sender_safety
  IM A sender Hauth: sender_safety_alt_prop IM A sender
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
_item: composite_transition_item IM
H9: transition_preserves_global_equivocation s _item
pre, suf: list (composite_transition_item IM)
item1: composite_transition_item IM
H10: TraceMonotoneGlobalEquivocation
  (destination _item) (pre ++ item1 :: suf)
IHTraceMonotoneGlobalEquivocation: trace_monotone_global_equivocation
  (destination
     _item)
  (pre ++
   item1 :: suf)
transition_preserves_global_equivocation
  (finite_trace_last (destination _item) pre) item1
    by eapply IHTraceMonotoneGlobalEquivocation.
Qed.

End sec_msg_dep_is_globally_equivocating_props.